ba9ada271c0e3bb2c53762c41a19f414811f8b3079e107adbb64edbed4b45b53

Analysis

max time kernel
128s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-11-2024 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shark_botnet_c2.zip
Size

6.8MB
MD5

bf52fb2803cc805f797b2f00ceb4260d
SHA1

6724edfefaaa0ac387d6f7bfae9ad6280eb6908a
SHA256

ba9ada271c0e3bb2c53762c41a19f414811f8b3079e107adbb64edbed4b45b53
SHA512

396880f658cb8b7289332db46b88a89a89dd3613295b5fb6919a1919607438b70054a2909cebf5f9f563485701f3176ecf4de6c7da728d4eba5775bdb06573c6
SSDEEP

196608:wPjxTGiNv++tfZT1dKp+nK6kbQ3sxInFWt:wZNvttfZTiUtkU3scO

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2712	sharkbotnetc2.exe
2948	sharkbotnetc2.exe
1716	sharkbotnetc2.exe
2832	sharkbotnetc2.exe

Loads dropped DLL 16 IoCs

pid	Process
1208	Process not Found
1208	Process not Found
2948	sharkbotnetc2.exe
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
1208	Process not Found
2832	sharkbotnetc2.exe
1208	Process not Found
1208	Process not Found

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\Desktop\shark test\desktop.ini	7zFM.exe
File opened for modification	C:\Users\Admin\Desktop\shark test\desktop.ini	7zFM.exe
File created	C:\Users\Admin\Desktop\desktop.ini	7zFM.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	7zFM.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0005000000019627-38.dat	upx
behavioral1/memory/2948-40-0x000007FEF5780000-0x000007FEF5D6A000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1640	chrome.exe
1640	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2092	7zFM.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeRestorePrivilege	2092	7zFM.exe
Token: 35	2092	7zFM.exe
Token: SeSecurityPrivilege	2092	7zFM.exe
Token: SeSecurityPrivilege	2092	7zFM.exe
Token: SeShutdownPrivilege	1640	chrome.exe
Token: SeShutdownPrivilege	1640	chrome.exe
Token: SeShutdownPrivilege	1640	chrome.exe
Token: SeShutdownPrivilege	1640	chrome.exe
Token: SeShutdownPrivilege	1640	chrome.exe
Token: SeShutdownPrivilege	1640	chrome.exe
Token: SeShutdownPrivilege	1640	chrome.exe
Token: SeShutdownPrivilege	1640	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2092	7zFM.exe
2092	7zFM.exe
2092	7zFM.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe
1640	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2948	2712	sharkbotnetc2.exe	33
PID 2712 wrote to memory of 2948	2712	sharkbotnetc2.exe	33
PID 2712 wrote to memory of 2948	2712	sharkbotnetc2.exe	33
PID 1716 wrote to memory of 2832	1716	sharkbotnetc2.exe	37
PID 1716 wrote to memory of 2832	1716	sharkbotnetc2.exe	37
PID 1716 wrote to memory of 2832	1716	sharkbotnetc2.exe	37
PID 1640 wrote to memory of 1104	1640	chrome.exe	39
PID 1640 wrote to memory of 1104	1640	chrome.exe	39
PID 1640 wrote to memory of 1104	1640	chrome.exe	39
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 904	1640	chrome.exe	41
PID 1640 wrote to memory of 1592	1640	chrome.exe	42
PID 1640 wrote to memory of 1592	1640	chrome.exe	42
PID 1640 wrote to memory of 1592	1640	chrome.exe	42
PID 1640 wrote to memory of 268	1640	chrome.exe	43
PID 1640 wrote to memory of 268	1640	chrome.exe	43
PID 1640 wrote to memory of 268	1640	chrome.exe	43
PID 1640 wrote to memory of 268	1640	chrome.exe	43
PID 1640 wrote to memory of 268	1640	chrome.exe	43
PID 1640 wrote to memory of 268	1640	chrome.exe	43
PID 1640 wrote to memory of 268	1640	chrome.exe	43
PID 1640 wrote to memory of 268	1640	chrome.exe	43
PID 1640 wrote to memory of 268	1640	chrome.exe	43
PID 1640 wrote to memory of 268	1640	chrome.exe	43
PID 1640 wrote to memory of 268	1640	chrome.exe	43
PID 1640 wrote to memory of 268	1640	chrome.exe	43
PID 1640 wrote to memory of 268	1640	chrome.exe	43

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\shark_botnet_c2.zip"
1⤵
- Drops desktop.ini file(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2092

C:\Users\Admin\Desktop\sharkbotnetc2.exe
"C:\Users\Admin\Desktop\sharkbotnetc2.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Users\Admin\Desktop\sharkbotnetc2.exe
  "C:\Users\Admin\Desktop\sharkbotnetc2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2948

C:\Users\Admin\Desktop\shark test\sharkbotnetc2.exe
"C:\Users\Admin\Desktop\shark test\sharkbotnetc2.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\Desktop\shark test\sharkbotnetc2.exe
  "C:\Users\Admin\Desktop\shark test\sharkbotnetc2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6769758,0x7fef6769768,0x7fef6769778
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1088 --field-trial-handle=1376,i,4146766312786229057,17384950758864349227,131072 /prefetch:2
  2⤵
  PID:904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1376,i,4146766312786229057,17384950758864349227,131072 /prefetch:8
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1592 --field-trial-handle=1376,i,4146766312786229057,17384950758864349227,131072 /prefetch:8
  2⤵
  PID:268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2256 --field-trial-handle=1376,i,4146766312786229057,17384950758864349227,131072 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2264 --field-trial-handle=1376,i,4146766312786229057,17384950758864349227,131072 /prefetch:1
  2⤵
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2832 --field-trial-handle=1376,i,4146766312786229057,17384950758864349227,131072 /prefetch:2
  2⤵
  PID:2208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3172 --field-trial-handle=1376,i,4146766312786229057,17384950758864349227,131072 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3580 --field-trial-handle=1376,i,4146766312786229057,17384950758864349227,131072 /prefetch:8
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3760 --field-trial-handle=1376,i,4146766312786229057,17384950758864349227,131072 /prefetch:1
  2⤵
  PID:1412

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
24a3375355eb0c9cf051d4def1d76875

SHA1
dc9cfe35629b02e243881159c42561284b578be4

SHA256
176e8806bb3ffbd58ce92458382c2943b366a7fdab1cbf4bb56348f7a8f9b2cf

SHA512
5ae9963552aee736c2b8744f9996811e1ddcbc1cb673c918455e1630508d339e15a7fd05ea52b1bdce9b5e635d75f451e67e76416a1fb18c4a1babf3bb62895e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f80cb02efa37b4d49304221404baed7c

SHA1
f0da23171e491808ca6d0d886daca114a2e3ae0c

SHA256
80c799cb3d5cc7b51f103f50f4d36e89ea26b3edb86e31cd3259596d5d0a29e6

SHA512
525cb2d027e267ece8828fc6926250a023b9ddb73f18b7ff75818fec9be4eef3ac63e71d45ff87abe77d45a68325620f84f207259e4d5f2b3a8b74ce9e341dcd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27122\python311.dll

Filesize
1.6MB

MD5
1e76961ca11f929e4213fca8272d0194

SHA1
e52763b7ba970c3b14554065f8c2404112f53596

SHA256
8a0c27f9e5b2efd54e41d7e7067d7cb1c6d23bae5229f6d750f89568566227b0

SHA512
ec6ed913e0142a98cd7f6adced5671334ec6545e583284ae10627162b199e55867d7cf28efeaadce9862c978b01c234a850288e529d2d3e2ac7dbbb99c6cde9b

Download Submit
C:\Users\Admin\Desktop\shark test\desktop.ini

Filesize
46B

MD5
872114925d7c336f1b6bf220d3b2e6b7

SHA1
fdd8879ec71e545ba283215ce0c46178e496b513

SHA256
39a3309d74d55301f37ff757eb6f945ac86b310ac09198434f95d5e246aa5310

SHA512
dd5e003efa3f2b36395e79272d6b0d889471d0c8c5c076b7a1218acf7c00ee4c9660e4d1f49ed51a151d37dfd6fa29bd17d60e6508948b8bf4af39f33c135915

Download Submit
\Users\Admin\Desktop\sharkbotnetc2.exe

Filesize
6.9MB

MD5
54797b3e8dac7850a1985866ae500b0d

SHA1
faf0cba6cf510d7bf907a3802506c778381d58a9

SHA256
5e745e0b505d56d135db62d1fb40168905eb7492b75eaa58a8fcea7f9f6e602b

SHA512
787741afee2c9795ac05ce35862aa37a656cfd96edee4324997fbd62cc143559dded94cd08732ce981938dcf3375d77754cd3efb45f719fadec6a9338fdf6ae2

Download Submit
memory/2948-40-0x000007FEF5780000-0x000007FEF5D6A000-memory.dmp

Filesize
5.9MB

Download