Analysis
Max time kernel: 204s
Max time network: 211s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 14-05-2024 19:13
Behavioral task: behavioral1
Sample: Shelbag anylizer.exe
Resource: win7-20240221-en
Errors: none reported

General
Target: Shelbag anylizer.exe
Size: 93KB
MD5: 1ead93be70fe9a5c810e495eb7a03fda
SHA1: cc23e50346278e4e43cd555cef0f2717bb6b888a
SHA256: bdcfadcd70c3f7257a4b76181146424698309059fa089a6d7a83a76ea063c601
SHA512: 76828126e5994e01e31a027fa86a5d87aa0f278e6799e54fdf4f9429a746406621e4db6e57aac3d8421fa046efe66e089e35ea44ea516f2a20fce827dba12fbb
SSDEEP: 768:NY3KkgyYtrF4M5Y2XaxKlwnvhDL95XpJCTXTfGBqXxrjEtCdnl2pi1Rz4Rk38sGt:NkZYZpXajhLff2TfRjEwzGi1dDUDRgS
Malware Config: none extracted

Signatures

Disables Task Manager via registry modification

Modifies Windows Firewall (2 TTPs, 1 IoC)
  PID   Process
  2580  netsh.exe

Drops startup file (4 IoCs)
  Description                   IoC                                                                                                          Process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5ebdc7b19669104b071decf7763dfb48Windows Update.exe  server.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe                                          server.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe                                          server.exe
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5ebdc7b19669104b071decf7763dfb48Windows Update.exe  server.exe

Executes dropped EXE (1 IoC)
  PID   Process
  2760  server.exe

Loads dropped DLL (2 IoCs)
  PID   Process
  2784  Shelbag anylizer.exe
  2784  Shelbag anylizer.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 1 IoC)
  Flow  IoC
  2     0.tcp.eu.ngrok.io

Drops file in System32 directory (2 IoCs)
  Description                   IoC                                Process
  File created                  C:\Windows\SysWOW64\Explower.exe   server.exe
  File opened for modification  C:\Windows\SysWOW64\Explower.exe   server.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID   Process
  2760  server.exe  (all 64 entries are this same PID/process)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID   Process
  2760  server.exe

Suspicious use of AdjustPrivilegeToken (53 IoCs)
  Description                          PID   Process       Count
  Token: SeDebugPrivilege              2760  server.exe    1
  Token: 33                            2760  server.exe    23
  Token: SeIncBasePriorityPrivilege    2760  server.exe    23
  Token: 33                            2600  AUDIODG.EXE   2
  Token: SeIncBasePriorityPrivilege    2600  AUDIODG.EXE   2
  Token: SeShutdownPrivilege           2376  shutdown.exe  1
  Token: SeRemoteShutdownPrivilege     2376  shutdown.exe  1
  (Token: 33 and Token: SeIncBasePriorityPrivilege alternate in the original listing; counts are summed from the 53 raw entries.)

Suspicious use of WriteProcessMemory (16 IoCs)
  Description                   PID   Process               procid_target  Count
  PID 2784 wrote to memory of 2760  2784  Shelbag anylizer.exe  28         4
  PID 2760 wrote to memory of 2580  2760  server.exe            29         4
  PID 2760 wrote to memory of 1208  2760  server.exe            36         4
  PID 1208 wrote to memory of 2376  1208  cmd.exe               38         4
Processes

C:\Users\Admin\AppData\Local\Temp\Shelbag anylizer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Shelbag anylizer.exe"
  PID: 2784
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\server.exe
    Command line: "C:\Users\Admin\AppData\Roaming\server.exe"
    PID: 2760
    - Drops startup file
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe
      Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      PID: 2580
      - Modifies Windows Firewall

    C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAB1E.tmp.BAT" "
      PID: 1208
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\shutdown.exe
        Command line: shutdown -s -t 1
        PID: 2376
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\DllHost.exe
  Command line: C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
  PID: 1944

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x598
  PID: 2600
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x0
  PID: 2396

C:\Windows\system32\LogonUI.exe
  Command line: "LogonUI.exe" /flags:0x1
  PID: 2268
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 37B
  MD5: 1cbc3a2f81d4259e3bf61249711fec81
  SHA1: 7ba62560df466c6dcd794854a25aeb5b088968d8
  SHA256: 6a207f770478d59da0d2aa43a9719ef05b3f85c8c700400746ca3ab0463d08f0
  SHA512: 74ba85a391d769686c95001af6e29f9fe2ccaa4d119247fac31e65c8becda7be1ea9fa3eb9f2a06c1d48ac4b580ad8e63c14e06d94e8dd07b26129df7f1f4bc0

File 2
  Filesize: 5B
  MD5: 8f11404a507cfb98455f89a534077f73
  SHA1: 0716c668f504450353527aff1a6457b8348cf435
  SHA256: f7c301f3fcce1c2444b540090e5024f0cea1806ab8ae1d81901ecc3b63334cbb
  SHA512: 85403dd06da5851e8c4d727ca8d87cc0e7ff4974942ec22123366684ed0e51b543a29b6d2521e2e65784c69884fde8d711e5064f104b098293fcd18c44769492

File 3 (same size and hashes as the submitted sample)
  Filesize: 93KB
  MD5: 1ead93be70fe9a5c810e495eb7a03fda
  SHA1: cc23e50346278e4e43cd555cef0f2717bb6b888a
  SHA256: bdcfadcd70c3f7257a4b76181146424698309059fa089a6d7a83a76ea063c601
  SHA512: 76828126e5994e01e31a027fa86a5d87aa0f278e6799e54fdf4f9429a746406621e4db6e57aac3d8421fa046efe66e089e35ea44ea516f2a20fce827dba12fbb