Analysis

  • max time kernel
    129s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    19-11-2021 20:47

General

  • Target

    3.exe

  • Size

    8.5MB

  • MD5

    3fe5131654f0ca2a014bcf10e7cc56b5

  • SHA1

    02dc19c144158b2cc776070ed059d282438c79c2

  • SHA256

    b14bc0169039b8ed857f2cd4e6e3a9dc688227491cde1d2f25f2cf18679a994e

  • SHA512

    5db3ff8f12d90ea34fdad46d12d01c6c1c0ce93e8c0b3868e913ec457f689589afe15c300de310ba030335d66006c9376da9393c749ec9b0b508b64ef980106b

Score
10/10

Malware Config

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 6 IoCs
  • Drops file in Windows directory 2 IoCs
  • HTTP links in PDF interactive object 1 IoCs

    Detects HTTP links in interactive objects within PDF files.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3.exe
    "C:\Users\Admin\AppData\Local\Temp\3.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:556
    • C:\Users\Admin\AppData\Local\Temp\is-23N20.tmp\3.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-23N20.tmp\3.tmp" /SL5="$40118,8044643,961536,C:\Users\Admin\AppData\Local\Temp\3.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:764
      • C:\Users\Admin\AppData\Local\Temp\3.exe
        "C:\Users\Admin\AppData\Local\Temp\3.exe" /VERYSILENT
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:568
        • C:\Users\Admin\AppData\Local\Temp\is-T5OGV.tmp\3.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-T5OGV.tmp\3.tmp" /SL5="$50118,8044643,961536,C:\Users\Admin\AppData\Local\Temp\3.exe" /VERYSILENT
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:108
          • C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe
            "C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            PID:972
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x540
    1⤵
    PID:1632
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {D3F43698-780B-4315-967F-82C045A14327} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe
      "C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe" start
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:1044

    Network

    MITRE ATT&CK Matrix ATT&CK v6

      • Discovery
        System Information Discovery (T1082): 1

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\is-23N20.tmp\3.tmp
      MD5

      30aeaad15ad87b79ca3d66cfab0b3ff3

      SHA1

      ff465eb67fbf9c2575bebcd0e7ece94d2c90560d

      SHA256

      d18a5837ea79960544036af2b097db258391a1b8483fa687a245859e9b4c2c1a

      SHA512

      825847455cfc46071ddadebdd20f67cde32e11f0b95aa7e47bfdbd77e446e8644b05b0bd4f4ac61cf5c9bf9242a0fdbe629cddd05897270b4f67cdbb05cc0c11

    • C:\Users\Admin\AppData\Local\Temp\is-T5OGV.tmp\3.tmp
      MD5

      30aeaad15ad87b79ca3d66cfab0b3ff3

      SHA1

      ff465eb67fbf9c2575bebcd0e7ece94d2c90560d

      SHA256

      d18a5837ea79960544036af2b097db258391a1b8483fa687a245859e9b4c2c1a

      SHA512

      825847455cfc46071ddadebdd20f67cde32e11f0b95aa7e47bfdbd77e446e8644b05b0bd4f4ac61cf5c9bf9242a0fdbe629cddd05897270b4f67cdbb05cc0c11

    • C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\libmtm3.dll
      MD5

      3e90cf9f12da95d5c248d6f51ed2cc81

      SHA1

      9faeefaaa6e049f64a3dae4f11fa1e657b6a02e3

      SHA256

      8434be24df031b2c903bacdd36f4f769728a249b2253713d4c0ac3e5a04d6734

      SHA512

      925ee45e4adc44a4dbce05eb22b0aefeebad68a5eb6f12f780d7e3324c5f3b8d382c2e3ac6cbc368f13acb14f44e792e2671d669f0ffc9940ef0e1e637249a9c

    • C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\pwt
      MD5

      b96c921864afb25455285860307a47ac

      SHA1

      85555837a8299bfe5d75b8269ef8d98daa9c132a

      SHA256

      677bc795baac677dcf6760d1f6fadcf191995c137bf583e695ac0b6ba112828d

      SHA512

      90bb66eeeb5400b55549e1bf7ee98c07f65818cd038fe9c4858fd6cfba0ab0ae31529388a933d93c2c28642f3b4916d124e4812a5e6f147be1d24660d092707a

    • C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe
      MD5

      4474b0449b173664ec17a6f98e15b728

      SHA1

      fd28d5b82a071ce7a8efb1eb01d92d350c870cb8

      SHA256

      78280609ea601c9eda80574e87ba91db440260f0e95148db35044af23371d02f

      SHA512

      74f39c88bd45277e6d961b3733e2a11f513dcc2c32a02057b6895451226bfa16d5be620559de7461e5236a6e05e53cfa245a2a0575893c12661e589426e93a5b

    • \Users\Admin\AppData\Local\Temp\is-23N20.tmp\3.tmp
      MD5

      30aeaad15ad87b79ca3d66cfab0b3ff3

      SHA1

      ff465eb67fbf9c2575bebcd0e7ece94d2c90560d

      SHA256

      d18a5837ea79960544036af2b097db258391a1b8483fa687a245859e9b4c2c1a

      SHA512

      825847455cfc46071ddadebdd20f67cde32e11f0b95aa7e47bfdbd77e446e8644b05b0bd4f4ac61cf5c9bf9242a0fdbe629cddd05897270b4f67cdbb05cc0c11

    • \Users\Admin\AppData\Local\Temp\is-T5OGV.tmp\3.tmp
      MD5

      30aeaad15ad87b79ca3d66cfab0b3ff3

      SHA1

      ff465eb67fbf9c2575bebcd0e7ece94d2c90560d

      SHA256

      d18a5837ea79960544036af2b097db258391a1b8483fa687a245859e9b4c2c1a

      SHA512

      825847455cfc46071ddadebdd20f67cde32e11f0b95aa7e47bfdbd77e446e8644b05b0bd4f4ac61cf5c9bf9242a0fdbe629cddd05897270b4f67cdbb05cc0c11

    • \Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\libmtm3.dll
      MD5

      3e90cf9f12da95d5c248d6f51ed2cc81

      SHA1

      9faeefaaa6e049f64a3dae4f11fa1e657b6a02e3

      SHA256

      8434be24df031b2c903bacdd36f4f769728a249b2253713d4c0ac3e5a04d6734

      SHA512

      925ee45e4adc44a4dbce05eb22b0aefeebad68a5eb6f12f780d7e3324c5f3b8d382c2e3ac6cbc368f13acb14f44e792e2671d669f0ffc9940ef0e1e637249a9c

    • \Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe
      MD5

      4474b0449b173664ec17a6f98e15b728

      SHA1

      fd28d5b82a071ce7a8efb1eb01d92d350c870cb8

      SHA256

      78280609ea601c9eda80574e87ba91db440260f0e95148db35044af23371d02f

      SHA512

      74f39c88bd45277e6d961b3733e2a11f513dcc2c32a02057b6895451226bfa16d5be620559de7461e5236a6e05e53cfa245a2a0575893c12661e589426e93a5b

    • memory/108-74-0x0000000074281000-0x0000000074283000-memory.dmp
      Filesize

      8KB

    • memory/108-73-0x0000000000240000-0x0000000000241000-memory.dmp
      Filesize

      4KB

    • memory/108-69-0x0000000000000000-mapping.dmp
    • memory/556-55-0x0000000075491000-0x0000000075493000-memory.dmp
      Filesize

      8KB

    • memory/556-62-0x0000000000400000-0x00000000004F8000-memory.dmp
      Filesize

      992KB

    • memory/568-72-0x0000000000400000-0x00000000004F8000-memory.dmp
      Filesize

      992KB

    • memory/568-64-0x0000000000000000-mapping.dmp
    • memory/764-63-0x0000000000240000-0x0000000000241000-memory.dmp
      Filesize

      4KB

    • memory/764-59-0x0000000000000000-mapping.dmp
    • memory/972-77-0x0000000000000000-mapping.dmp
    • memory/972-83-0x0000000004BD0000-0x0000000009CD0000-memory.dmp
      Filesize

      81.0MB

    • memory/1044-84-0x0000000000000000-mapping.dmp
    • memory/1044-88-0x0000000003610000-0x0000000008710000-memory.dmp
      Filesize

      81.0MB
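The process tree, the dropped-file hashes and the memory-dump entries above are the parts of this report a responder actually pivots on. The following is an added example (not part of the sandbox report and not tooling from the sandbox vendor) that re-encodes them as constructed input and checks three things: the Inno Setup SetupLdr relaunch pattern (`%TEMP%\is-XXXXX.tmp\<name>.tmp … /SL5=`, with `/VERYSILENT` on the second hop), execution of a dropped binary from `%APPDATA%\Roaming` under a `taskeng.exe` parent (scheduled-task persistence), and a hash match against the report's SHA256 IoCs. The `ProcEvent` records are hand-built from the command lines in the Processes section, not real Sysmon or EDR output; `region_size_mib` just parses the `memory/<pid>-<n>-0xSTART-0xEND-memory.dmp` names to confirm the listed region sizes.

```python
"""
Added example, not part of the sandbox report: a small triage helper that
re-encodes the report's process tree and dropped-file hashes as constructed
input and flags the behaviours a responder would pivot on. Event records are
hand-built from the command lines in the report (they are not real Sysmon or
EDR output); PIDs are the ones the report lists.
"""
import re
from dataclasses import dataclass

# SHA256 values copied from the report's Downloads section.
DROPPED_FILE_SHA256 = {
    "3.tmp": "d18a5837ea79960544036af2b097db258391a1b8483fa687a245859e9b4c2c1a",
    "libmtm3.dll": "8434be24df031b2c903bacdd36f4f769728a249b2253713d4c0ac3e5a04d6734",
    "pwt": "677bc795baac677dcf6760d1f6fadcf191995c137bf583e695ac0b6ba112828d",
    "snmpmanager.exe": "78280609ea601c9eda80574e87ba91db440260f0e95148db35044af23371d02f",
}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 = no parent shown in the tree
    image: str
    cmdline: str


# Constructed from the report's process tree.
EVENTS = [
    ProcEvent(556, 0, r"C:\Users\Admin\AppData\Local\Temp\3.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\3.exe"'),
    ProcEvent(764, 556, r"C:\Users\Admin\AppData\Local\Temp\is-23N20.tmp\3.tmp",
              r'"C:\Users\Admin\AppData\Local\Temp\is-23N20.tmp\3.tmp" /SL5="$40118,8044643,961536,C:\Users\Admin\AppData\Local\Temp\3.exe"'),
    ProcEvent(568, 764, r"C:\Users\Admin\AppData\Local\Temp\3.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\3.exe" /VERYSILENT'),
    ProcEvent(108, 568, r"C:\Users\Admin\AppData\Local\Temp\is-T5OGV.tmp\3.tmp",
              r'"C:\Users\Admin\AppData\Local\Temp\is-T5OGV.tmp\3.tmp" /SL5="$50118,8044643,961536,C:\Users\Admin\AppData\Local\Temp\3.exe" /VERYSILENT'),
    ProcEvent(972, 108, r"C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe",
              r'"C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe"'),
    ProcEvent(1340, 0, r"C:\Windows\system32\taskeng.exe",
              r"taskeng.exe {D3F43698-780B-4315-967F-82C045A14327} S-1-5-18:NT AUTHORITY\System:Service:"),
    ProcEvent(1044, 1340, r"C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe",
              r'"C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe" start'),
]

# Inno Setup's SetupLdr unpacks itself to %TEMP%\is-XXXXX.tmp\<name>.tmp and
# relaunches that copy with /SL5=; a second hop carrying /VERYSILENT is the
# installer re-running itself with no UI.
INNO_SL5 = re.compile(r'\\is-[A-Z0-9]{5}\.tmp\\[^\\"]+\.tmp"?\s+/SL5=', re.I)
ROAMING_DIR = re.compile(r"\\AppData\\Roaming\\", re.I)
DUMP_RANGE = re.compile(r"-0x([0-9a-f]+)-0x([0-9a-f]+)-memory\.dmp$", re.I)


def analyse(events):
    """Return (tag, pid, detail) tuples for the behaviours worth pivoting on."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if INNO_SL5.search(e.cmdline):
            findings.append(("inno_setup_ldr", e.pid, "/VERYSILENT" in e.cmdline.upper()))
        if ROAMING_DIR.search(e.image) and e.image.lower().endswith(".exe"):
            findings.append(("exec_from_roaming", e.pid, e.image.rsplit("\\", 1)[-1]))
        if parent and parent.image.lower().endswith("\\taskeng.exe"):
            # Parent is taskeng.exe, the Task Scheduler engine, so the binary was
            # started by a scheduled task (the report's instance is the one for
            # S-1-5-18, i.e. SYSTEM). Detail is the last command-line token.
            findings.append(("scheduled_task_launch", e.pid, e.cmdline.split()[-1]))
    return findings


def match_dropped_files(observed):
    """observed maps file name -> SHA256 seen on a host; return the names whose
    hash equals the report's IoC for that name (case-insensitive hex compare)."""
    return sorted(name for name, digest in observed.items()
                  if DROPPED_FILE_SHA256.get(name, "").lower() == digest.lower())


def region_size_mib(dump_name):
    """Size in MiB of a memory/<pid>-<n>-0xSTART-0xEND-memory.dmp region, or
    None for the *-mapping.dmp entries, which carry no address range."""
    m = DUMP_RANGE.search(dump_name)
    if not m:
        return None
    start, end = (int(x, 16) for x in m.groups())
    return round((end - start) / 2**20, 1)


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(*finding)
    print(match_dropped_files({"snmpmanager.exe": DROPPED_FILE_SHA256["snmpmanager.exe"]}))
    print(region_size_mib("memory/972-83-0x0000000004BD0000-0x0000000009CD0000-memory.dmp"))
```

Run as-is it prints the two SetupLdr hops (the second one silent), both `snmpmanager.exe` launches from the Roaming profile, the `taskeng.exe`-spawned `snmpmanager.exe start` instance, and 81.0 for the large region in PID 972, which matches the report. On a real host the same functions would be fed process-creation events and file hashes from your telemetry instead of the constructed `EVENTS` list.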