Analysis
- max time kernel: 134s
- max time network: 142s
- platform: windows7_x64
- resource: win7-en-20211014
- submitted: 19-11-2021 20:38
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: 2.exe, Resource: win7-en-20211014)
- Behavioral task: behavioral2 (Sample: 2.exe, Resource: win10-en-20211104)
General
- Target: 2.exe
- Size: 8MB
- MD5: b7d2178b855a201f4801c52991bf696e
- SHA1: 62429eeee9a7c9facf7b6be530f841e90b34dcba
- SHA256: b99fe8335ed77a79bf9b98eb1f5b9179c6ad64951631e946636d87e146d8abd7
- SHA512: 0368531ee48e5ddf614b645dbcb0533e6342338311b26de734a48539127a250d9bec3e2e660bbdcb6b5b8d16172193385f5a58f18dd4855c5f14322e19f3ca13
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\IIS Application Health Monitor Premium\ReadMe.txt
- Email addresses:
  - sales@grsoftware.net
  - grsoftware@grsoftware.net
  - support@grsoftware.net
- URLs:
  - http://www.grsoftware.net/downloads/grbackpro/grbakpro.pdf
  - http://www.grsoftware.net/home/buynow.html
  - https://www.grsoftware.net
Signatures
-
Executes dropped EXE (2 IoCs)
Processes:
- PID 240: snmpmanager.exe
- PID 1556: snmpmanager.exe
-
Loads dropped DLL (3 IoCs)
Processes:
- PID 468: 2.exe
- PID 240: snmpmanager.exe
- PID 1556: snmpmanager.exe
-
Drops file in Windows directory (2 IoCs)
Processes:
- File created: C:\Windows\Tasks\wow64.job (process: snmpmanager.exe)
- File opened for modification: C:\Windows\Tasks\wow64.job (process: snmpmanager.exe)
-
HTTP links in PDF interactive object (1 IoCs)
Detects HTTP links in interactive objects within PDF files.
Processes:
- Resource: C:\Users\Admin\AppData\Local\IIS Application Health Monitor Premium\pwt (YARA rule: pdf_with_link_action)
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS (12 IoCs)
Processes (all by snmpmanager.exe):
- Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001
- Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration\0
- Key created: \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput
- Key created: \REGISTRY\USER\.DEFAULT\System
- Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet
- Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control
- Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties
- Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput
- Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties
- Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration
- Set value (data): \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration\0\GUID = 700cf5a38049ec118001444553540000
- Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\DeviceInstances
-
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- PID 240: snmpmanager.exe
- PID 1556: snmpmanager.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
- PID 468 (2.exe) wrote to memory of PID 240 (snmpmanager.exe), reported 4 times
- PID 968 (taskeng.exe) wrote to memory of PID 1556 (snmpmanager.exe), reported 4 times
Processes
-
C:\Users\Admin\AppData\Local\Temp\2.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\IIS Application Health Monitor Premium\snmpmanager.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\IIS Application Health Monitor Premium\snmpmanager.exe"
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\AUDIODG.EXE (depth 1)
Command line: C:\Windows\system32\AUDIODG.EXE 0x474
-
C:\Windows\system32\taskeng.exe (depth 1)
Command line: taskeng.exe {A5EEBF01-5B83-4300-89E7-90F435619E93} S-1-5-18:NT AUTHORITY\System:Service:
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\IIS Application Health Monitor Premium\snmpmanager.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\IIS Application Health Monitor Premium\snmpmanager.exe" start
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
-
C:\Users\Admin\AppData\Local\IIS Application Health Monitor Premium\libmtm3.dll
- MD5: 3e90cf9f12da95d5c248d6f51ed2cc81
- SHA1: 9faeefaaa6e049f64a3dae4f11fa1e657b6a02e3
- SHA256: 8434be24df031b2c903bacdd36f4f769728a249b2253713d4c0ac3e5a04d6734
- SHA512: 925ee45e4adc44a4dbce05eb22b0aefeebad68a5eb6f12f780d7e3324c5f3b8d382c2e3ac6cbc368f13acb14f44e792e2671d669f0ffc9940ef0e1e637249a9c
-
C:\Users\Admin\AppData\Local\IIS Application Health Monitor Premium\pwt
- MD5: b96c921864afb25455285860307a47ac
- SHA1: 85555837a8299bfe5d75b8269ef8d98daa9c132a
- SHA256: 677bc795baac677dcf6760d1f6fadcf191995c137bf583e695ac0b6ba112828d
- SHA512: 90bb66eeeb5400b55549e1bf7ee98c07f65818cd038fe9c4858fd6cfba0ab0ae31529388a933d93c2c28642f3b4916d124e4812a5e6f147be1d24660d092707a
-
C:\Users\Admin\AppData\Local\IIS Application Health Monitor Premium\snmpmanager.exe
- MD5: 4474b0449b173664ec17a6f98e15b728
- SHA1: fd28d5b82a071ce7a8efb1eb01d92d350c870cb8
- SHA256: 78280609ea601c9eda80574e87ba91db440260f0e95148db35044af23371d02f
- SHA512: 74f39c88bd45277e6d961b3733e2a11f513dcc2c32a02057b6895451226bfa16d5be620559de7461e5236a6e05e53cfa245a2a0575893c12661e589426e93a5b
-
Memory dumps
- memory/240-57-0x0000000000000000-mapping.dmp
- memory/240-63-0x0000000004950000-0x0000000009A50000-memory.dmp (Filesize: 81MB)
- memory/468-55-0x00000000757A1000-0x00000000757A3000-memory.dmp (Filesize: 8KB)
- memory/1556-64-0x0000000000000000-mapping.dmp
- memory/1556-68-0x0000000003690000-0x0000000008790000-memory.dmp (Filesize: 81MB)