Analysis
- max time kernel: 61s
- max time network: 32s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 26-11-2020 05:36

Static task: static1

URLScan task: urlscan1
- Sample: http://69.51.24.27/uploads/soft/boohbahshell.exe

Behavioral task: behavioral1
- Sample: http://69.51.24.27/uploads/soft/boohbahshell.exe
- Resource: win10v20201028

Behavioral task: behavioral2
- Sample: http://69.51.24.27/uploads/soft/boohbahshell.exe
- Resource: win7v20201028

Errors

General
- Target: http://69.51.24.27/uploads/soft/boohbahshell.exe
- Sample: 201126-hzbrj7cvc2
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: boohbahshell.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\WINDOWS\\boohbahshell.exe" | boohbahshell.exe
-
Disables Task Manager via registry modification
-
Executes dropped EXE 1 IoCs
Processes: boohbahshell.exe
pid | process
1652 | boohbahshell.exe
-
Modifies WinLogon to allow AutoLogon 2 TTPs 1 IoCs
Enables rebooting of the machine without requiring login credentials.
Processes: LogonUI.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoLogonChecked | LogonUI.exe
-
Drops file in Windows directory 2 IoCs
Processes: boohbahshell.exe
description | ioc | process
File created | C:\WINDOWS\boohbahshell.exe | boohbahshell.exe
File created | C:\WINDOWS\boohbahmain.exe | boohbahshell.exe
-
Enumerates system info in registry 2 TTPs 32 IoCs
Processes: csrss.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier | csrss.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier | csrss.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | csrss.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0 | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Component Information | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information | csrss.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information | csrss.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data | csrss.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data | csrss.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data | csrss.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | csrss.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data | csrss.exe
Key queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | csrss.exe
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
Processes: iexplore.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\PhishingFilter | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 109e690cbec3d601 | iexplore.exe
-
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{45FFBE21-2FB1-11EB-BFD4-CE0E229A55E0} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
-
Modifies data under HKEY_USERS 9 IoCs
Processes: winlogon.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1" | winlogon.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033" | winlogon.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96" | winlogon.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles" | winlogon.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize" | winlogon.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000 | winlogon.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager | winlogon.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1" | winlogon.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor" | winlogon.exe
-
Suspicious use of AdjustPrivilegeToken 21 IoCs
Processes: LogonUI.exe, winlogon.exe
description | pid | process
Token: SeShutdownPrivilege | 1308 | LogonUI.exe
Token: SeShutdownPrivilege | 1308 | LogonUI.exe
Token: SeSecurityPrivilege | 1656 | winlogon.exe
Token: SeBackupPrivilege | 1656 | winlogon.exe
Token: SeSecurityPrivilege | 1656 | winlogon.exe
Token: SeTcbPrivilege | 1656 | winlogon.exe
Token: SeShutdownPrivilege | 1308 | LogonUI.exe
Token: SeSecurityPrivilege | 1656 | winlogon.exe
Token: SeBackupPrivilege | 1656 | winlogon.exe
Token: SeSecurityPrivilege | 1656 | winlogon.exe
Token: SeShutdownPrivilege | 1308 | LogonUI.exe
Token: SeSecurityPrivilege | 1656 | winlogon.exe
Token: SeBackupPrivilege | 1656 | winlogon.exe
Token: SeSecurityPrivilege | 1656 | winlogon.exe
Token: SeShutdownPrivilege | 1308 | LogonUI.exe
Token: SeSecurityPrivilege | 1656 | winlogon.exe
Token: SeBackupPrivilege | 1656 | winlogon.exe
Token: SeSecurityPrivilege | 1656 | winlogon.exe
Token: SeShutdownPrivilege | 1308 | LogonUI.exe
Token: SeShutdownPrivilege | 1308 | LogonUI.exe
Token: SeShutdownPrivilege | 1656 | winlogon.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: iexplore.exe
pid | process
1012 | iexplore.exe
1012 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes: iexplore.exe, IEXPLORE.EXE
pid | process
1012 | iexplore.exe
1012 | iexplore.exe
1976 | IEXPLORE.EXE
1976 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes: iexplore.exe, csrss.exe, winlogon.exe
description | pid | process | target process
PID 1012 wrote to memory of 1976 | 1012 | iexplore.exe | IEXPLORE.EXE
PID 1012 wrote to memory of 1976 | 1012 | iexplore.exe | IEXPLORE.EXE
PID 1012 wrote to memory of 1976 | 1012 | iexplore.exe | IEXPLORE.EXE
PID 1012 wrote to memory of 1976 | 1012 | iexplore.exe | IEXPLORE.EXE
PID 1012 wrote to memory of 1652 | 1012 | iexplore.exe | boohbahshell.exe
PID 1012 wrote to memory of 1652 | 1012 | iexplore.exe | boohbahshell.exe
PID 1012 wrote to memory of 1652 | 1012 | iexplore.exe | boohbahshell.exe
PID 1012 wrote to memory of 1652 | 1012 | iexplore.exe | boohbahshell.exe
PID 1932 wrote to memory of 1308 | 1932 | csrss.exe | LogonUI.exe
PID 1932 wrote to memory of 1308 | 1932 | csrss.exe | LogonUI.exe
PID 1656 wrote to memory of 1308 | 1656 | winlogon.exe | LogonUI.exe
PID 1656 wrote to memory of 1308 | 1656 | winlogon.exe | LogonUI.exe
PID 1656 wrote to memory of 1308 | 1656 | winlogon.exe | LogonUI.exe
PID 1932 wrote to memory of 1308 | 1932 | csrss.exe | LogonUI.exe
PID 1932 wrote to memory of 1308 | 1932 | csrss.exe | LogonUI.exe
PID 1932 wrote to memory of 1308 | 1932 | csrss.exe | LogonUI.exe
PID 1932 wrote to memory of 1308 | 1932 | csrss.exe | LogonUI.exe
PID 1932 wrote to memory of 1308 | 1932 | csrss.exe | LogonUI.exe
PID 1932 wrote to memory of 1308 | 1932 | csrss.exe | LogonUI.exe
PID 1932 wrote to memory of 1308 | 1932 | csrss.exe | LogonUI.exe
PID 1932 wrote to memory of 1308 | 1932 | csrss.exe | LogonUI.exe
PID 1932 wrote to memory of 1308 | 1932 | csrss.exe | LogonUI.exe
Processes (child processes are indented under their parent)
- C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://69.51.24.27/uploads/soft/boohbahshell.exe
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1012 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3O0J2C38\boohbahshell.exe
    Command line: "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3O0J2C38\boohbahshell.exe"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Drops file in Windows directory
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
- C:\Windows\system32\csrss.exe
  Command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  - Enumerates system info in registry
  - Suspicious use of WriteProcessMemory
- C:\Windows\system32\winlogon.exe
  Command line: winlogon.exe
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\LogonUI.exe
    Command line: "LogonUI.exe" /flags:0x0
    - Modifies WinLogon to allow AutoLogon
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3O0J2C38\boohbahshell.exe
  MD5: 94e0fdb02e15e6aa0cbb0d0241a79c8d
  SHA1: fb2eae92ce3a5c8b558668db9ef5560451d6528d
  SHA256: 1e43c91ddfe9fab0e41657d423fe3c4fb87aad1993e5fb3f173bb36a268273f7
  SHA512: 341b1de271b3e861b4c9deb2a1d2a6a017e1ae0ca1700283f990385156ea9e3928d0a3a19f54ee97e0bb9a2765b8c670660c0a13695a520f2b79bfdc3eb953cd
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3O0J2C38\boohbahshell.exe.cr7uxdx.partial
  MD5: 94e0fdb02e15e6aa0cbb0d0241a79c8d
  SHA1: fb2eae92ce3a5c8b558668db9ef5560451d6528d
  SHA256: 1e43c91ddfe9fab0e41657d423fe3c4fb87aad1993e5fb3f173bb36a268273f7
  SHA512: 341b1de271b3e861b4c9deb2a1d2a6a017e1ae0ca1700283f990385156ea9e3928d0a3a19f54ee97e0bb9a2765b8c670660c0a13695a520f2b79bfdc3eb953cd
- memory/528-6-0x0000000002960000-0x0000000002961000-memory.dmp (Filesize: 4KB)
- memory/528-8-0x00000000027A0000-0x00000000027A1000-memory.dmp (Filesize: 4KB)
- memory/528-5-0x0000000002960000-0x0000000002961000-memory.dmp (Filesize: 4KB)
- memory/1308-10-0x0000000000000000-mapping.dmp
- memory/1652-3-0x0000000000000000-mapping.dmp
- memory/1656-26-0x0000000001F00000-0x0000000001F01000-memory.dmp (Filesize: 4KB)
- memory/1900-0-0x000007FEF7F80000-0x000007FEF81FA000-memory.dmp (Filesize: 2.5MB)
- memory/1932-11-0x00000000003D0000-0x00000000003D2000-memory.dmp (Filesize: 8KB)
- memory/1932-13-0x00000000003D0000-0x00000000003D2000-memory.dmp (Filesize: 8KB)
- memory/1932-14-0x00000000003D0000-0x00000000003D2000-memory.dmp (Filesize: 8KB)
- memory/1932-15-0x00000000003D0000-0x00000000003D2000-memory.dmp (Filesize: 8KB)
- memory/1932-16-0x00000000003D0000-0x00000000003D2000-memory.dmp (Filesize: 8KB)
- memory/1932-17-0x00000000003D0000-0x00000000003D2000-memory.dmp (Filesize: 8KB)
- memory/1932-41-0x00000000003D0000-0x00000000003D2000-memory.dmp (Filesize: 8KB)
- memory/1976-1-0x0000000000000000-mapping.dmp