Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-05-2024 19:13
Behavioral task: behavioral1
- Sample: Shelbag anylizer.exe
- Resource: win7-20240221-en
General
- Target: Shelbag anylizer.exe
- Size: 93KB
- MD5: 1ead93be70fe9a5c810e495eb7a03fda
- SHA1: cc23e50346278e4e43cd555cef0f2717bb6b888a
- SHA256: bdcfadcd70c3f7257a4b76181146424698309059fa089a6d7a83a76ea063c601
- SHA512: 76828126e5994e01e31a027fa86a5d87aa0f278e6799e54fdf4f9429a746406621e4db6e57aac3d8421fa046efe66e089e35ea44ea516f2a20fce827dba12fbb
- SSDEEP: 768:NY3KkgyYtrF4M5Y2XaxKlwnvhDL95XpJCTXTfGBqXxrjEtCdnl2pi1Rz4Rk38sGt:NkZYZpXajhLff2TfRjEwzGi1dDUDRgS
Malware Config
Signatures
- Detect Umbral payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x00080000000233d9-34.dat | family_umbral
  behavioral2/memory/3828-41-0x0000026A533E0000-0x0000026A53420000-memory.dmp | family_umbral
- Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
  Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  pid | Process
  4460 | powershell.exe
- Disables Task Manager via registry modification
- Drops file in Drivers directory (1 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\drivers\etc\hosts | tmp397A.tmp.exe
- Modifies Windows Firewall (2 TTPs, 1 IoCs)
  pid | Process
  4044 | netsh.exe
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | Shelbag anylizer.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | server.exe
- Drops startup file (4 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.exe | server.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5ebdc7b19669104b071decf7763dfb48Windows Update.exe | server.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5ebdc7b19669104b071decf7763dfb48Windows Update.exe | server.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  1732 | server.exe
  3828 | tmp397A.tmp.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 3 IoCs)
  flow | ioc
  14 | 0.tcp.eu.ngrok.io
  43 | discord.com
  44 | discord.com
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  34 | ip-api.com
- Drops file in System32 directory (2 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\Explower.exe | server.exe
  File opened for modification | C:\Windows\SysWOW64\Explower.exe | server.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Detects videocard installed (1 TTPs, 1 IoCs)
  Uses WMIC.exe to determine the videocard installed.
  pid | Process
  4620 | wmic.exe
- Runs ping.exe (1 TTPs, 1 IoCs)
  pid | Process
  1484 | PING.EXE
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  1732 | server.exe (the same entry, repeated 64 times)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid | Process
  1732 | server.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token entries grouped by process, in the order the report lists them:
  1732 server.exe (13 entries): SeDebugPrivilege, then the pair 33 / SeIncBasePriorityPrivilege six times
  3828 tmp397A.tmp.exe (1 entry): SeDebugPrivilege
  2064 wmic.exe (42 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (this 21-token sequence appears twice)
  4460 powershell.exe (1 entry): SeDebugPrivilege
  2848 powershell.exe (1 entry): SeDebugPrivilege
  2392 powershell.exe (1 entry): SeDebugPrivilege
  1568 powershell.exe (1 entry): SeDebugPrivilege
  4388 wmic.exe (4 entries): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process
  1732 | server.exe (3 identical entries)
- Suspicious use of WriteProcessMemory (34 IoCs)
  description | pid | Process | procid_target
  PID 4944 wrote to memory of 1732 | 4944 | Shelbag anylizer.exe | 81 (3 entries)
  PID 1732 wrote to memory of 4044 | 1732 | server.exe | 82 (3 entries)
  PID 1732 wrote to memory of 3828 | 1732 | server.exe | 87 (2 entries)
  PID 3828 wrote to memory of 2064 | 3828 | tmp397A.tmp.exe | 88 (2 entries)
  PID 3828 wrote to memory of 3164 | 3828 | tmp397A.tmp.exe | 90 (2 entries)
  PID 3828 wrote to memory of 4460 | 3828 | tmp397A.tmp.exe | 92 (2 entries)
  PID 3828 wrote to memory of 2848 | 3828 | tmp397A.tmp.exe | 94 (2 entries)
  PID 3828 wrote to memory of 2392 | 3828 | tmp397A.tmp.exe | 96 (2 entries)
  PID 3828 wrote to memory of 1568 | 3828 | tmp397A.tmp.exe | 98 (2 entries)
  PID 3828 wrote to memory of 4388 | 3828 | tmp397A.tmp.exe | 101 (2 entries)
  PID 3828 wrote to memory of 1492 | 3828 | tmp397A.tmp.exe | 103 (2 entries)
  PID 3828 wrote to memory of 2368 | 3828 | tmp397A.tmp.exe | 105 (2 entries)
  PID 3828 wrote to memory of 4068 | 3828 | tmp397A.tmp.exe | 107 (2 entries)
  PID 3828 wrote to memory of 4620 | 3828 | tmp397A.tmp.exe | 109 (2 entries)
  PID 3828 wrote to memory of 1344 | 3828 | tmp397A.tmp.exe | 111 (2 entries)
  PID 1344 wrote to memory of 1484 | 1344 | cmd.exe | 113 (2 entries)
- Views/modifies file attributes (1 TTPs, 1 IoCs)
  pid | Process
  3164 | attrib.exe
Processes
(indentation shows the parent/child relationship; each entry gives the image path, the command line as recorded, the PID and the signatures that matched it)

C:\Users\Admin\AppData\Local\Temp\Shelbag anylizer.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Shelbag anylizer.exe"
  PID: 4944
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\server.exe
    command line: "C:\Users\Admin\AppData\Roaming\server.exe"
    PID: 1732
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe
      command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
      PID: 4044
      - Modifies Windows Firewall

    C:\Users\Admin\AppData\Local\Temp\tmp397A.tmp.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\tmp397A.tmp.exe"
      PID: 3828
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\System32\Wbem\wmic.exe
        command line: "wmic.exe" csproduct get uuid
        PID: 2064
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SYSTEM32\attrib.exe
        command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\tmp397A.tmp.exe"
        PID: 3164
        - Views/modifies file attributes

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\tmp397A.tmp.exe'
        PID: 4460
        - Command and Scripting Interpreter: PowerShell
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
        PID: 2848
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        PID: 2392
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
        PID: 1568
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\Wbem\wmic.exe
        command line: "wmic.exe" os get Caption
        PID: 4388
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\System32\Wbem\wmic.exe
        command line: "wmic.exe" computersystem get totalphysicalmemory
        PID: 1492

      C:\Windows\System32\Wbem\wmic.exe
        command line: "wmic.exe" csproduct get uuid
        PID: 2368

      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
        PID: 4068

      C:\Windows\System32\Wbem\wmic.exe
        command line: "wmic" path win32_VideoController get name
        PID: 4620
        - Detects videocard installed

      C:\Windows\SYSTEM32\cmd.exe
        command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\tmp397A.tmp.exe" && pause
        PID: 1344
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\PING.EXE
          command line: ping localhost
          PID: 1484
          - Runs ping.exe

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 3292

C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 3976
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2KB
  MD5: d85ba6ff808d9e5444a4b369f5bc2730
  SHA1: 31aa9d96590fff6981b315e0b391b575e4c0804a
  SHA256: 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
  SHA512: 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
- Filesize: 1KB
  MD5: 276798eeb29a49dc6e199768bc9c2e71
  SHA1: 5fdc8ccb897ac2df7476fbb07517aca5b7a6205b
  SHA256: cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc
  SHA512: 0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2
- Filesize: 1KB
  MD5: 42a3371c158c084274bcac1936ac12b9
  SHA1: 6546651385520affc9708114cb8341a84d2b1a37
  SHA256: 194e06cc86ef254e19e302090e956c65302b1c48c2bb2404c15d5f32537418e5
  SHA512: e102c4117c9a0a1377295f773f8567ac5f7f8811950300d004c5525d25b15d49edfae64b09b88e041435a9abb37c3d7ded31aa1a6d4c525fe1cb9c5365ad6690
- Filesize: 944B
  MD5: d28a889fd956d5cb3accfbaf1143eb6f
  SHA1: 157ba54b365341f8ff06707d996b3635da8446f7
  SHA256: 21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45
  SHA512: 0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c
- Filesize: 948B
  MD5: 966914e2e771de7a4a57a95b6ecfa8a9
  SHA1: 7a32282fd51dd032967ed4d9a40cc57e265aeff2
  SHA256: 98d3c70d7004fa807897317bd6cd3e977b9b6c72d4d2565aca0f9f8b1c315cba
  SHA512: dc39c7124a9c7c8d4c7e8e16290c46360b8d9a8f4e43edaacbbeb09bdcf20159a53db54d2b322372001b6a3de52b2f88e9088b5fdbc7638816ae0d122bb015f5
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 229KB
  MD5: 5fed770815d7cf7b02aaae74b88bc714
  SHA1: 04099bfd6e5c89ee51296afd86ec3bed6ddac845
  SHA256: 290a02feff29e0cdfa6a4e70d2c2e330806b4768ea4c3ff4e3eb4588522d15c1
  SHA512: a515102a99ec842bb576851e57fca15ebc41dc92678f8f98d9810d5725a51ba035e9147ba5fb7297f79e06e7905669269b560f07999737ad8a61311d70968cb6
- Filesize: 5B
  MD5: 8f11404a507cfb98455f89a534077f73
  SHA1: 0716c668f504450353527aff1a6457b8348cf435
  SHA256: f7c301f3fcce1c2444b540090e5024f0cea1806ab8ae1d81901ecc3b63334cbb
  SHA512: 85403dd06da5851e8c4d727ca8d87cc0e7ff4974942ec22123366684ed0e51b543a29b6d2521e2e65784c69884fde8d711e5064f104b098293fcd18c44769492
- Filesize: 93KB (the submitted sample itself; hashes match the General section)
  MD5: 1ead93be70fe9a5c810e495eb7a03fda
  SHA1: cc23e50346278e4e43cd555cef0f2717bb6b888a
  SHA256: bdcfadcd70c3f7257a4b76181146424698309059fa089a6d7a83a76ea063c601
  SHA512: 76828126e5994e01e31a027fa86a5d87aa0f278e6799e54fdf4f9429a746406621e4db6e57aac3d8421fa046efe66e089e35ea44ea516f2a20fce827dba12fbb