Analysis

  • max time kernel
    204s
  • max time network
    211s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    14-05-2024 19:13

Errors

Reason
Machine shutdown

General

  • Target

    Shelbag anylizer.exe

  • Size

    93KB

  • MD5

    1ead93be70fe9a5c810e495eb7a03fda

  • SHA1

    cc23e50346278e4e43cd555cef0f2717bb6b888a

  • SHA256

    bdcfadcd70c3f7257a4b76181146424698309059fa089a6d7a83a76ea063c601

  • SHA512

    76828126e5994e01e31a027fa86a5d87aa0f278e6799e54fdf4f9429a746406621e4db6e57aac3d8421fa046efe66e089e35ea44ea516f2a20fce827dba12fbb

  • SSDEEP

    768:NY3KkgyYtrF4M5Y2XaxKlwnvhDL95XpJCTXTfGBqXxrjEtCdnl2pi1Rz4Rk38sGt:NkZYZpXajhLff2TfRjEwzGi1dDUDRgS

Score
8/10

Malware Config

Signatures

  • Disables Task Manager via registry modification
  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops startup file 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Shelbag anylizer.exe
    "C:\Users\Admin\AppData\Local\Temp\Shelbag anylizer.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2784
    • C:\Users\Admin\AppData\Roaming\server.exe
      "C:\Users\Admin\AppData\Roaming\server.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\SysWOW64\netsh.exe
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
        3⤵
        • Modifies Windows Firewall
        PID:2580
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAB1E.tmp.BAT" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1208
        • C:\Windows\SysWOW64\shutdown.exe
          shutdown -s -t 1
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2376
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
      PID:1944
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x598
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2600
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x0
      1⤵
        PID:2396
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x1
        1⤵
          PID:2268

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmpAB1E.tmp.BAT

          Filesize

          37B

          MD5

          1cbc3a2f81d4259e3bf61249711fec81

          SHA1

          7ba62560df466c6dcd794854a25aeb5b088968d8

          SHA256

          6a207f770478d59da0d2aa43a9719ef05b3f85c8c700400746ca3ab0463d08f0

          SHA512

          74ba85a391d769686c95001af6e29f9fe2ccaa4d119247fac31e65c8becda7be1ea9fa3eb9f2a06c1d48ac4b580ad8e63c14e06d94e8dd07b26129df7f1f4bc0

        • C:\Users\Admin\AppData\Roaming\app

          Filesize

          5B

          MD5

          8f11404a507cfb98455f89a534077f73

          SHA1

          0716c668f504450353527aff1a6457b8348cf435

          SHA256

          f7c301f3fcce1c2444b540090e5024f0cea1806ab8ae1d81901ecc3b63334cbb

          SHA512

          85403dd06da5851e8c4d727ca8d87cc0e7ff4974942ec22123366684ed0e51b543a29b6d2521e2e65784c69884fde8d711e5064f104b098293fcd18c44769492

        • C:\Users\Admin\AppData\Roaming\server.exe

          Filesize

          93KB

          MD5

          1ead93be70fe9a5c810e495eb7a03fda

          SHA1

          cc23e50346278e4e43cd555cef0f2717bb6b888a

          SHA256

          bdcfadcd70c3f7257a4b76181146424698309059fa089a6d7a83a76ea063c601

          SHA512

          76828126e5994e01e31a027fa86a5d87aa0f278e6799e54fdf4f9429a746406621e4db6e57aac3d8421fa046efe66e089e35ea44ea516f2a20fce827dba12fbb

        • memory/2760-16-0x0000000074060000-0x000000007460B000-memory.dmp

          Filesize

          5.7MB

        • memory/2760-15-0x0000000074060000-0x000000007460B000-memory.dmp

          Filesize

          5.7MB

        • memory/2760-17-0x0000000074060000-0x000000007460B000-memory.dmp

          Filesize

          5.7MB

        • memory/2760-25-0x0000000074060000-0x000000007460B000-memory.dmp

          Filesize

          5.7MB

        • memory/2760-26-0x0000000074060000-0x000000007460B000-memory.dmp

          Filesize

          5.7MB

        • memory/2760-27-0x0000000074060000-0x000000007460B000-memory.dmp

          Filesize

          5.7MB

        • memory/2760-40-0x0000000074060000-0x000000007460B000-memory.dmp

          Filesize

          5.7MB

        • memory/2784-14-0x0000000074060000-0x000000007460B000-memory.dmp

          Filesize

          5.7MB

        • memory/2784-0-0x0000000074061000-0x0000000074062000-memory.dmp

          Filesize

          4KB

        • memory/2784-2-0x0000000074060000-0x000000007460B000-memory.dmp

          Filesize

          5.7MB

        • memory/2784-1-0x0000000074060000-0x000000007460B000-memory.dmp

          Filesize

          5.7MB