Analysis
- max time kernel: 149s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 21:58
Behavioral task behavioral1
- Sample: Shellbag anylizer.exe
- Resource: win7-20240611-en
Behavioral task behavioral2
- Sample: Shellbag anylizer.exe
- Resource: win10v2004-20240508-en
General
- Target: Shellbag anylizer.exe
- Size: 69KB
- MD5: a498059077fb136b7d57ef6f00dcae46
- SHA1: 77421f91ed2c1586419128bd4687241050d712cc
- SHA256: 8f2d3eeab5e5d807acff4be9b7d6b41340f0c8a891baa094543d10e65ccec7f2
- SHA512: 3bec766aa97ed8b89c8be1c4da89befc5f22217637f72d158753996b2ed74439cf485e7692f4f1fa522d31ceb608c86b9035e9c594fcb147a91edf4547ac14c3
- SSDEEP: 1536:bS3U8pWjIK2vvt8yAnkEZ6sPvWybW46zaQInA6dylkYcdOisYt2jNsXr:bWfWjXENk6wpbW4B9SSOisYsxer
Malware Config
Extracted: xworm
- Install_directory: %Temp%
- install_file: svchost.exe
- pastebin_url: https://pastebin.com/raw/qEVZXv39
Extracted: umbral
- https://discord.com/api/webhooks/1228033288061583443/fMN2NuuQRV7pkiIZ0PwY980zozE_UYckmNOKmsrzvNf0xKeDmgGvDkNwC07bWCnl3OgB
Signatures
Detect Umbral payload 2 IoCs
- resource behavioral1/files/0x0004000000004ed7-37.dat, yara_rule family_umbral
- resource behavioral1/memory/1908-39-0x0000000000DD0000-0x0000000000E10000-memory.dmp, yara_rule family_umbral
Detect Xworm Payload 1 IoCs
- resource behavioral1/memory/2648-1-0x00000000002F0000-0x0000000000308000-memory.dmp, yara_rule family_xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- pid 2712 powershell.exe
- pid 1828 powershell.exe
- pid 2600 powershell.exe
- pid 1296 powershell.exe
- pid 2088 powershell.exe
Drops file in Drivers directory 1 IoCs
- File opened for modification: C:\Windows\System32\drivers\etc\hosts (process mnthmv.exe)
Drops startup file 2 IoCs
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (process Shellbag anylizer.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk (process Shellbag anylizer.exe)
Executes dropped EXE 1 IoCs
- pid 1908 mnthmv.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str): \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe" (process Shellbag anylizer.exe)
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
- flow 14: discord.com
- flow 15: discord.com
- flow 4: pastebin.com
- flow 5: pastebin.com
- flow 6: 2.tcp.eu.ngrok.io
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 11: ip-api.com
- flow 2: ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine the videocard installed.
- pid 2360 wmic.exe
Runs ping.exe 1 TTPs 1 IoCs
- pid 1856 PING.EXE
Suspicious behavior: EnumeratesProcesses 30 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 32 IoCs
Suspicious use of SendNotifyMessage 32 IoCs
Suspicious use of WriteProcessMemory 54 IoCs
Views/modifies file attributes 1 TTPs 1 IoCs
- pid 2800 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Shellbag anylizer.exe (PID 2648)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Shellbag anylizer.exe"
  Signatures: Drops startup file; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2712)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Shellbag anylizer.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1828)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Shellbag anylizer.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2600)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1296)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\mnthmv.exe (PID 1908)
    Command line: "C:\Users\Admin\AppData\Local\Temp\mnthmv.exe"
    Signatures: Drops file in Drivers directory; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\wmic.exe (PID 2396)
      Command line: "wmic.exe" csproduct get uuid
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\attrib.exe (PID 2800)
      Command line: "attrib.exe" +h +s "C:\Users\Admin\AppData\Local\Temp\mnthmv.exe"
      Signatures: Views/modifies file attributes
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2088)
      Command line: "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mnthmv.exe'
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1296)
      Command line: "powershell.exe" Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2776)
      Command line: "powershell.exe" Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2072)
      Command line: "powershell.exe" Get-ItemPropertyValue -Path HKLN:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\Wbem\wmic.exe (PID 2184)
      Command line: "wmic.exe" os get Caption
      Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\Wbem\wmic.exe (PID 2252)
      Command line: "wmic.exe" computersystem get totalphysicalmemory
    - C:\Windows\System32\Wbem\wmic.exe (PID 2400)
      Command line: "wmic.exe" csproduct get uuid
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 108)
      Command line: "powershell.exe" Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Windows\System32\Wbem\wmic.exe (PID 2360)
      Command line: "wmic" path win32_VideoController get name
      Signatures: Detects videocard installed
    - C:\Windows\system32\cmd.exe (PID 832)
      Command line: "cmd.exe" /c ping localhost && del /F /A h "C:\Users\Admin\AppData\Local\Temp\mnthmv.exe" && pause
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\PING.EXE (PID 1856)
        Command line: ping localhost
        Signatures: Runs ping.exe
- C:\Windows\system32\taskmgr.exe (PID 1556)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
Downloads
- Filesize: 229KB
  MD5: c1396bccadcf38da92065ac10a8228c0
  SHA1: fa1268895c988b3739e951d178921f16045c8d32
  SHA256: dafcf88f0bbeddac51648092074624a384fc72e1e38140cde574c90f1d02161a
  SHA512: 885c98488af85742b2450d740f1b585f2b98ed6e0725576b4643ab8cc8b7bce670a5e497de6e813afc4592e451c4146c2d911bcdc0cff31ea2048e42f2eda082
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: a66a573049a7b04d74d653862e3243db
  SHA1: e2025a07bb9052d9fd3345a5955cd247358654dd
  SHA256: 30a2cbad9908ca0d05e4ab31c6eb9947314d4f6c824d6eed9e96cf9fbae983b0
  SHA512: 96b57b5cb8e549747d7f8d4bf5af948138557ada26cf869f6deb9fb9c2225378ff17a6534d4f4174c5cd6b147550a0c07c6a45f33f7dcb930cdc0113f111af8e
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: d7f7d5067468012d0c23803a69861a75
  SHA1: 43141c076fda7e3dcbe10d8b290228365925e20d
  SHA256: 0507e6e535a51ed83ae133fae084e7e8bb91926bd88787bb03fc0c383aa1f9e2
  SHA512: a8b48d5e92c5b9d94aeb38258f2199981866b8b4dde30479418fa838053c98abb5c546a71e7fda72f23d179e64d52aae0348e87860316447394109749256d682