Analysis
- max time kernel: 129s
- max time network: 144s
- platform: windows7_x64
- resource: win7-en-20211104
- submitted: 19-11-2021 20:47
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3.exe
- Resource: win7-en-20211104
General
- Target: 3.exe
- Size: 8.5MB
- MD5: 3fe5131654f0ca2a014bcf10e7cc56b5
- SHA1: 02dc19c144158b2cc776070ed059d282438c79c2
- SHA256: b14bc0169039b8ed857f2cd4e6e3a9dc688227491cde1d2f25f2cf18679a994e
- SHA512: 5db3ff8f12d90ea34fdad46d12d01c6c1c0ce93e8c0b3868e913ec457f689589afe15c300de310ba030335d66006c9376da9393c749ec9b0b508b64ef980106b
Malware Config
Signatures
- Executes dropped EXE (4 IoCs)
  Processes: PID 764 3.tmp; PID 108 3.tmp; PID 972 snmpmanager.exe; PID 1044 snmpmanager.exe
- Loads dropped DLL (6 IoCs)
  Processes: PID 556 3.exe; PID 568 3.exe; PID 108 3.tmp (2 loads); PID 972 snmpmanager.exe; PID 1044 snmpmanager.exe
- Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\Tasks\wow64.job (snmpmanager.exe)
  File opened for modification: C:\Windows\Tasks\wow64.job (snmpmanager.exe)
  A .job file in C:\Windows\Tasks is a legacy Task Scheduler 1.0 (AT-style) task definition, and the name mimics the WoW64 subsystem. The Processes section shows the SYSTEM task engine (taskeng.exe) launching "snmpmanager.exe start" later in the same run, so this file is the sample's persistence mechanism and the key artefact to collect.
- HTTP links in PDF interactive object (1 IoC)
  Detects HTTP links in interactive objects within PDF files.
  YARA rule pdf_with_link_action matched the dropped file C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\pwt (no extension; the rule identifies it as a PDF carrying link actions). On its own this is a low-severity indicator; parse the file rather than opening it in a viewer.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Caveat: this is a generic heuristic. Installers query drives for free-space checks, and nothing else in this report (no mass file writes or renames) corroborates ransomware, so it is weak evidence here.
- Modifies data under HKEY_USERS (12 IoCs)
  Process: snmpmanager.exe
  Key created: \REGISTRY\USER\.DEFAULT\System
  Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet
  Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control
  Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties
  Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties
  Key created: \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput
  Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput
  Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001
  Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration
  Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration\0
  Set value (data): \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration\0\GUID = d0ac87957949ec118001444553540000
  Key created: \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\DeviceInstances
  All twelve entries are DirectInput device-calibration keys that the Windows input stack creates when a process enumerates HID/game-controller devices; they land under HKU\.DEFAULT because this snmpmanager.exe instance runs under the SYSTEM task engine rather than a logged-on user profile (VID_0627&PID_0001 is the emulated USB tablet of a QEMU-based sandbox). Read this as input-device enumeration, not as a persistence or configuration write.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: PID 108 3.tmp (2 events)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: PID 108 3.tmp
  Commonly called by GUI applications to locate the taskbar; weak signal on its own.
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: PID 972 snmpmanager.exe; PID 1044 snmpmanager.exe
  A hook is how keyloggers capture input, but also how ordinary GUI frameworks install message hooks; the report does not record the hook type, so this stays unresolved until the binary is examined.
- Suspicious use of WriteProcessMemory (29 IoCs)
  Parent -> child write events, collapsed from the 29 rows (each parent/child pair repeats):
  PID 556 3.exe -> PID 764 3.tmp: 7
  PID 764 3.tmp -> PID 568 3.exe: 7
  PID 568 3.exe -> PID 108 3.tmp: 7
  PID 108 3.tmp -> PID 972 snmpmanager.exe: 4
  PID 1340 taskeng.exe -> PID 1044 snmpmanager.exe: 4
  Every write goes from a parent into a process it has just created, which is how this sandbox records an ordinary CreateProcess; no row shows a write into an unrelated, pre-existing process, so treat these rows as lineage rather than injection.
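Added example (not from the report or the sample): a small parser that turns the report's flattened "wrote to memory of" rows back into parent/child edges with event counts, then walks the lineage of any process started by the Task Scheduler engine. The input string is constructed to reproduce this report's 29 rows exactly; the row layout it assumes is "PID <parent> wrote to memory of <child> <parent> <parent name> <child name>".

```python
"""Rebuild process lineage from a sandbox report's flattened
"wrote to memory of" rows. Added example; not part of the report."""
import re
from collections import Counter

# Constructed input: reproduces the report's 29 WriteProcessMemory rows, which
# the page export runs together on one line. Each row has the form
# "PID <parent pid> wrote to memory of <child pid> <parent pid> <parent> <child>".
RAW = (
    "PID 556 wrote to memory of 764 556 3.exe 3.tmp " * 7
    + "PID 764 wrote to memory of 568 764 3.tmp 3.exe " * 7
    + "PID 568 wrote to memory of 108 568 3.exe 3.tmp " * 7
    + "PID 108 wrote to memory of 972 108 3.tmp snmpmanager.exe " * 4
    + "PID 1340 wrote to memory of 1044 1340 taskeng.exe snmpmanager.exe " * 4
)

ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")


def parse_rows(raw):
    """One (parent_pid, parent_name, child_pid, child_name) tuple per row."""
    return [(int(p), pn, int(c), cn) for p, c, pn, cn in ROW.findall(raw)]


def aggregate(rows):
    """Collapse the repeated rows into parent->child edges with event counts.
    Parent-into-child writes at creation time are how this sandbox records an
    ordinary CreateProcess; a write into an unrelated, pre-existing PID would
    be the injection case, and there is none in this data."""
    return Counter(rows)


def lineage(edges, pid):
    """Root-first chain of (pid, name) ending at pid, following parent links."""
    parent, name = {}, {}
    for ppid, pname, cpid, cname in edges:
        parent[cpid] = ppid
        name[cpid] = cname
        name.setdefault(ppid, pname)
    chain, seen = [], set()
    while pid in name and pid not in seen:
        seen.add(pid)
        chain.append((pid, name[pid]))
        pid = parent.get(pid)
    return chain[::-1]


def scheduler_children(edges):
    """PIDs started by the Task Scheduler engine. Such a child that is also a
    dropped binary means persistence already fired inside the analysis window."""
    return {cpid for _, pname, cpid, _ in edges if pname.lower() == "taskeng.exe"}


if __name__ == "__main__":
    edges = aggregate(parse_rows(RAW))
    for (ppid, pname, cpid, cname), n in edges.items():
        print(f"{pname}({ppid}) -> {cname}({cpid}): {n} write events")
    for cpid in sorted(scheduler_children(edges)):
        print("scheduled task ran:", " -> ".join(f"{n}({p})" for p, n in lineage(edges, cpid)))
```

Run as a script it prints the five collapsed edges and the taskeng.exe -> snmpmanager.exe chain; the same functions work on any report row set in this layout, not only this sample's.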
Processes
PIDs are taken from the WriteProcessMemory rows in the Signatures section.
- PID 556  C:\Users\Admin\AppData\Local\Temp\3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - PID 764  C:\Users\Admin\AppData\Local\Temp\is-23N20.tmp\3.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-23N20.tmp\3.tmp" /SL5="$40118,8044643,961536,C:\Users\Admin\AppData\Local\Temp\3.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - PID 568  C:\Users\Admin\AppData\Local\Temp\3.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3.exe" /VERYSILENT
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - PID 108  C:\Users\Admin\AppData\Local\Temp\is-T5OGV.tmp\3.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-T5OGV.tmp\3.tmp" /SL5="$50118,8044643,961536,C:\Users\Admin\AppData\Local\Temp\3.exe" /VERYSILENT
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        - PID 972  C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe
          Command line: "C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x540
  (Windows audio device graph isolation process, started by the audio service; no recorded interaction with the sample.)
- PID 1340  C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {D3F43698-780B-4315-967F-82C045A14327} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - PID 1044  C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe
    Command line: "C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe" start
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx

Reading the tree: the is-*.tmp extraction directory, the /SL5= switch (loader handle, data offset, data size and path of the original installer) and /VERYSILENT are Inno Setup conventions, so 3.exe is an Inno Setup installer. The first stage (PIDs 556 and 764) re-runs itself silently (PIDs 568 and 108); the silent run installs into %APPDATA%\IIS Site365 Standard Edition and starts snmpmanager.exe (PID 972), which writes C:\Windows\Tasks\wow64.job. That legacy .job task is picked up by the SYSTEM instance of the Task Scheduler engine (taskeng.exe, PID 1340, principal S-1-5-18), which runs "snmpmanager.exe start" (PID 1044) within the same analysis window. Persistence therefore fires inside the sandbox, and the task executes a binary from a user-writable directory under the SYSTEM task engine: anything that can replace that file controls what runs as SYSTEM.
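Added example (not from the report or the sample): detection logic for the persistence chain in the tree above, run over constructed Sysmon-style process-creation (EventID 1) and file-creation (EventID 11) events. The two malicious rows are modelled on this report (the SYSTEM user on the taskeng child is assumed from the S-1-5-18 engine instance); the two benign rows are invented for contrast. The rules generalise beyond this sample: a scheduled task running any binary from a user-writable path, a .job written to C:\Windows\Tasks by anything other than the scheduler tooling, and any SYSTEM process running from a user-writable path all fire.

```python
"""Detection logic for the persistence chain in this report: a payload under
AppData, a legacy .job written to C:\\Windows\\Tasks, and the Task Scheduler
engine later running the payload as SYSTEM. Added example; not the report's
or the sample's code."""
import fnmatch

# Constructed Sysmon-style events. Rows 0 and 1 are modelled on the report's
# process tree (the SYSTEM user on row 0 is assumed from the S-1-5-18 taskeng
# instance); rows 2 and 3 are invented benign activity for contrast.
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe"
EVENTS = [
    {"EventID": 1, "Image": PAYLOAD, "ParentImage": r"C:\Windows\system32\taskeng.exe",
     "User": r"NT AUTHORITY\SYSTEM", "CommandLine": f'"{PAYLOAD}" start'},
    {"EventID": 11, "Image": PAYLOAD, "TargetFilename": r"C:\Windows\Tasks\wow64.job"},
    {"EventID": 1, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"WIN7\Admin", "CommandLine": "iexplore.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe", "TargetFilename": r"C:\Windows\Tasks\At1.job"},
]

# Paths a standard user can write to; anything scheduled or run as SYSTEM from
# here is attacker-controllable.
USER_WRITABLE = [r"c:\users\*\appdata\*", r"c:\users\*\downloads\*", r"c:\programdata\*", r"c:\windows\temp\*"]
# taskeng.exe hosts scheduled tasks on Windows 7/8; on Windows 10+ the parent
# is the Schedule service svchost instead, which a production rule would add.
SCHEDULER_PARENTS = [r"*\taskeng.exe"]
# Processes expected to write legacy .job task files (assumed allow-list).
JOB_WRITERS_OK = [r"*\svchost.exe", r"*\at.exe", r"*\schtasks.exe", r"*\mmc.exe"]


def matches(path, patterns):
    """Case-insensitive glob match; '*' spans directory separators."""
    low = path.lower()
    return any(fnmatch.fnmatchcase(low, pat) for pat in patterns)


def detect(event):
    """Rule names that fire for one event (empty list if none)."""
    hits = []
    if event["EventID"] == 1:
        image = event["Image"]
        if matches(event.get("ParentImage", ""), SCHEDULER_PARENTS) and matches(image, USER_WRITABLE):
            hits.append("scheduled_task_runs_user_profile_binary")
        if event.get("User", "").lower() == r"nt authority\system" and matches(image, USER_WRITABLE):
            hits.append("system_process_from_user_writable_path")
    elif event["EventID"] == 11:
        if matches(event["TargetFilename"], [r"c:\windows\tasks\*.job"]) and not matches(event["Image"], JOB_WRITERS_OK):
            hits.append("legacy_job_file_written_by_unexpected_process")
    return hits


def scan(events):
    """(event index, rule) pairs over a stream of events."""
    return [(i, rule) for i, ev in enumerate(events) for rule in detect(ev)]


if __name__ == "__main__":
    for i, rule in scan(EVENTS):
        print(f"event {i}: {rule} ({EVENTS[i]['Image']})")
```

The .job rule keys on the writer rather than the file name because the name (wow64.job here) is attacker-chosen; the allow-list is an assumption to tune per environment, since legitimate AT-style tasks are written through the Schedule service.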
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Dropped files and loaded images, one entry per unique hash. The report lists the is-23N20.tmp and is-T5OGV.tmp copies of 3.tmp, and the drive-less image-load paths (\Users\...), as separate rows; their hashes are identical, so they are merged here.
- 3.tmp (Inno Setup loader stub extracted by 3.exe)
  Paths: C:\Users\Admin\AppData\Local\Temp\is-23N20.tmp\3.tmp; C:\Users\Admin\AppData\Local\Temp\is-T5OGV.tmp\3.tmp
  MD5: 30aeaad15ad87b79ca3d66cfab0b3ff3
  SHA1: ff465eb67fbf9c2575bebcd0e7ece94d2c90560d
  SHA256: d18a5837ea79960544036af2b097db258391a1b8483fa687a245859e9b4c2c1a
  SHA512: 825847455cfc46071ddadebdd20f67cde32e11f0b95aa7e47bfdbd77e446e8644b05b0bd4f4ac61cf5c9bf9242a0fdbe629cddd05897270b4f67cdbb05cc0c11
- libmtm3.dll
  Path: C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\libmtm3.dll
  MD5: 3e90cf9f12da95d5c248d6f51ed2cc81
  SHA1: 9faeefaaa6e049f64a3dae4f11fa1e657b6a02e3
  SHA256: 8434be24df031b2c903bacdd36f4f769728a249b2253713d4c0ac3e5a04d6734
  SHA512: 925ee45e4adc44a4dbce05eb22b0aefeebad68a5eb6f12f780d7e3324c5f3b8d382c2e3ac6cbc368f13acb14f44e792e2671d669f0ffc9940ef0e1e637249a9c
- pwt (matched YARA rule pdf_with_link_action)
  Path: C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\pwt
  MD5: b96c921864afb25455285860307a47ac
  SHA1: 85555837a8299bfe5d75b8269ef8d98daa9c132a
  SHA256: 677bc795baac677dcf6760d1f6fadcf191995c137bf583e695ac0b6ba112828d
  SHA512: 90bb66eeeb5400b55549e1bf7ee98c07f65818cd038fe9c4858fd6cfba0ab0ae31529388a933d93c2c28642f3b4916d124e4812a5e6f147be1d24660d092707a
- snmpmanager.exe (installed payload and scheduled-task target)
  Path: C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe
  MD5: 4474b0449b173664ec17a6f98e15b728
  SHA1: fd28d5b82a071ce7a8efb1eb01d92d350c870cb8
  SHA256: 78280609ea601c9eda80574e87ba91db440260f0e95148db35044af23371d02f
  SHA512: 74f39c88bd45277e6d961b3733e2a11f513dcc2c32a02057b6895451226bfa16d5be620559de7461e5236a6e05e53cfa245a2a0575893c12661e589426e93a5b
Memory dumps
- memory/108-69-0x0000000000000000-mapping.dmp
- memory/108-73-0x0000000000240000-0x0000000000241000-memory.dmp (4KB)
- memory/108-74-0x0000000074281000-0x0000000074283000-memory.dmp (8KB)
- memory/556-55-0x0000000075491000-0x0000000075493000-memory.dmp (8KB)
- memory/556-62-0x0000000000400000-0x00000000004F8000-memory.dmp (992KB)
- memory/568-64-0x0000000000000000-mapping.dmp
- memory/568-72-0x0000000000400000-0x00000000004F8000-memory.dmp (992KB)
- memory/764-59-0x0000000000000000-mapping.dmp
- memory/764-63-0x0000000000240000-0x0000000000241000-memory.dmp (4KB)
- memory/972-77-0x0000000000000000-mapping.dmp
- memory/972-83-0x0000000004BD0000-0x0000000009CD0000-memory.dmp (81.0MB)
- memory/1044-84-0x0000000000000000-mapping.dmp
- memory/1044-88-0x0000000003610000-0x0000000008710000-memory.dmp (81.0MB)
The 992KB region at 0x400000 in PIDs 556 and 568 is the 3.exe image at its default base. Both snmpmanager.exe instances (PIDs 972 and 1044) carry an identical 81.0MB region at different bases; that region is the first thing to pull for static analysis of what the installed binary unpacks at runtime.