c98c7bdc88503df4eb5ef21506fc42d028f949807b959b3ff67f21964a2c0b85

General

Target

shellbag anylizer.exe
Size

303KB
MD5

88e30898471b07ab0ac563e4bdf99764
SHA1

8b07516da87dc75c9860954af5f6a3a0e7e95ac3
SHA256

c98c7bdc88503df4eb5ef21506fc42d028f949807b959b3ff67f21964a2c0b85
SHA512

b06fe916f11b09b5f98469282e99f783d380481a1bb0230be32d7853675b90f3b9110c8688532d168a80a53d4d380c4c711677b05578a10476d238db812ce591
SSDEEP

1536:T2JYEMehJ9E1QomvlGTqGXfFHfrXEvIzVAXuiRp6EE8bMlnEfwGzod8MddBK1Ohc:avhJ9E1l0cjbpxiBYe1oUJ2hsOFlD

Score

8^/10

evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

1484 attrib.exe
2208 attrib.exe
Executes dropped EXE 1 IoCs

Processes:

$77update.exe

pid process

2720 $77update.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

2780 cmd.exe

pid	process
1484	attrib.exe
2208	attrib.exe

pid	process
2720	$77update.exe

pid	process
2780	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

shellbag anylizer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "\"C:\\Users\\Admin\\update\\$77update.exe\""	shellbag anylizer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

Processes:

flow	ioc
4	pastebin.com
5	pastebin.com
6	4.tcp.eu.ngrok.io
52	4.tcp.eu.ngrok.io
155	6.tcp.eu.ngrok.io
48	4.tcp.eu.ngrok.io
94	6.tcp.eu.ngrok.io
98	pastebin.com
99	pastebin.com
100	6.tcp.eu.ngrok.io
111	6.tcp.eu.ngrok.io
191	6.tcp.eu.ngrok.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2556 timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2580 schtasks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

shellbag anylizer.exe

pid process

760 shellbag anylizer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

shellbag anylizer.exe$77update.exe

description pid process

Token: SeDebugPrivilege 760 shellbag anylizer.exe
Token: SeDebugPrivilege 2720 $77update.exe

pid	process
2556	timeout.exe

pid	process
2580	schtasks.exe

pid	process
760	shellbag anylizer.exe

description	pid	process
Token: SeDebugPrivilege	760	shellbag anylizer.exe
Token: SeDebugPrivilege	2720	$77update.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

shellbag anylizer.execmd.exe$77update.exe

description	pid	process	target process
PID 760 wrote to memory of 1484	760	shellbag anylizer.exe	attrib.exe
PID 760 wrote to memory of 1484	760	shellbag anylizer.exe	attrib.exe
PID 760 wrote to memory of 1484	760	shellbag anylizer.exe	attrib.exe
PID 760 wrote to memory of 2208	760	shellbag anylizer.exe	attrib.exe
PID 760 wrote to memory of 2208	760	shellbag anylizer.exe	attrib.exe
PID 760 wrote to memory of 2208	760	shellbag anylizer.exe	attrib.exe
PID 760 wrote to memory of 2780	760	shellbag anylizer.exe	cmd.exe
PID 760 wrote to memory of 2780	760	shellbag anylizer.exe	cmd.exe
PID 760 wrote to memory of 2780	760	shellbag anylizer.exe	cmd.exe
PID 2780 wrote to memory of 2556	2780	cmd.exe	timeout.exe
PID 2780 wrote to memory of 2556	2780	cmd.exe	timeout.exe
PID 2780 wrote to memory of 2556	2780	cmd.exe	timeout.exe
PID 2780 wrote to memory of 2720	2780	cmd.exe	$77update.exe
PID 2780 wrote to memory of 2720	2780	cmd.exe	$77update.exe
PID 2780 wrote to memory of 2720	2780	cmd.exe	$77update.exe
PID 2720 wrote to memory of 2536	2720	$77update.exe	schtasks.exe
PID 2720 wrote to memory of 2536	2720	$77update.exe	schtasks.exe
PID 2720 wrote to memory of 2536	2720	$77update.exe	schtasks.exe
PID 2720 wrote to memory of 2580	2720	$77update.exe	schtasks.exe
PID 2720 wrote to memory of 2580	2720	$77update.exe	schtasks.exe
PID 2720 wrote to memory of 2580	2720	$77update.exe	schtasks.exe
PID 2720 wrote to memory of 2700	2720	$77update.exe	schtasks.exe
PID 2720 wrote to memory of 2700	2720	$77update.exe	schtasks.exe
PID 2720 wrote to memory of 2700	2720	$77update.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

2208 attrib.exe
1484 attrib.exe

pid	process
2208	attrib.exe
1484	attrib.exe

C:\Users\Admin\AppData\Local\Temp\shellbag anylizer.exe
"C:\Users\Admin\AppData\Local\Temp\shellbag anylizer.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\update"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:1484
- C:\Windows\System32\attrib.exe
  "C:\Windows\System32\attrib.exe" +s +h "C:\Users\Admin\update\$77update.exe"
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:2208
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6EE9.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2556
- - C:\Users\Admin\update\$77update.exe
    "C:\Users\Admin\update\$77update.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\system32\schtasks.exe
      "schtasks.exe" /query /TN $77update.exe
      4⤵
      PID:2536
  - - C:\Windows\system32\schtasks.exe
      "schtasks.exe" /Create /SC ONCE /TN "$77update.exe" /TR "C:\Users\Admin\update\$77update.exe \"\$77update.exe\" /AsAdmin" /ST 00:01 /IT /F /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2580
  - - C:\Windows\system32\schtasks.exe
      "schtasks.exe" /query /TN $77update.exe
      4⤵
      PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Hide Artifacts

2

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab396A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6EE9.tmp.bat

Filesize
144B

MD5
25fc4f1c62fa5af70f3e664f81a51256

SHA1
d878f8d9b2715cd5551da9aff4331d6c17637446

SHA256
35cba7a0b5ec53ea071b4c93eb0f726f9a073775c0c38f07e18af2f7b613966b

SHA512
012066be796e9fb1097c3a6754f6f9acf1d22fe6c1edc1a327bec6bfb5e571a2272094a39875863528df10371e3535a59efe7662d933ad878aa077522445b39a

Download Submit
C:\Users\Admin\update\$77update.exe

Filesize
303KB

MD5
88e30898471b07ab0ac563e4bdf99764

SHA1
8b07516da87dc75c9860954af5f6a3a0e7e95ac3

SHA256
c98c7bdc88503df4eb5ef21506fc42d028f949807b959b3ff67f21964a2c0b85

SHA512
b06fe916f11b09b5f98469282e99f783d380481a1bb0230be32d7853675b90f3b9110c8688532d168a80a53d4d380c4c711677b05578a10476d238db812ce591

Download Submit
memory/760-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

Filesize
4KB

Download
memory/760-1-0x000000013FF60000-0x000000013FFB0000-memory.dmp

Filesize
320KB

Download
memory/760-2-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/760-12-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2720-15-0x000000013F7B0000-0x000000013F800000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads