Analysis

  • max time kernel
    144s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    19-11-2021 20:47

General

  • Target

    3.exe

  • Size

    8.5MB

  • MD5

    3fe5131654f0ca2a014bcf10e7cc56b5

  • SHA1

    02dc19c144158b2cc776070ed059d282438c79c2

  • SHA256

    b14bc0169039b8ed857f2cd4e6e3a9dc688227491cde1d2f25f2cf18679a994e

  • SHA512

    5db3ff8f12d90ea34fdad46d12d01c6c1c0ce93e8c0b3868e913ec457f689589afe15c300de310ba030335d66006c9376da9393c749ec9b0b508b64ef980106b

Score
10/10

Malware Config

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • HTTP links in PDF interactive object 1 IoCs

    Detects HTTP links in interactive objects within PDF files.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies data under HKEY_USERS 11 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3.exe
    "C:\Users\Admin\AppData\Local\Temp\3.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4380
    • C:\Users\Admin\AppData\Local\Temp\is-B1Q40.tmp\3.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-B1Q40.tmp\3.tmp" /SL5="$3013A,8044643,961536,C:\Users\Admin\AppData\Local\Temp\3.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4336
      • C:\Users\Admin\AppData\Local\Temp\3.exe
        "C:\Users\Admin\AppData\Local\Temp\3.exe" /VERYSILENT
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3688
        • C:\Users\Admin\AppData\Local\Temp\is-GT6M4.tmp\3.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-GT6M4.tmp\3.tmp" /SL5="$4013A,8044643,961536,C:\Users\Admin\AppData\Local\Temp\3.exe" /VERYSILENT
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3964
          • C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe
            "C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            PID:4540
  • C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe
    "C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe" start
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:588

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-B1Q40.tmp\3.tmp
    MD5

    30aeaad15ad87b79ca3d66cfab0b3ff3

    SHA1

    ff465eb67fbf9c2575bebcd0e7ece94d2c90560d

    SHA256

    d18a5837ea79960544036af2b097db258391a1b8483fa687a245859e9b4c2c1a

    SHA512

    825847455cfc46071ddadebdd20f67cde32e11f0b95aa7e47bfdbd77e446e8644b05b0bd4f4ac61cf5c9bf9242a0fdbe629cddd05897270b4f67cdbb05cc0c11

  • C:\Users\Admin\AppData\Local\Temp\is-GT6M4.tmp\3.tmp
    MD5

    30aeaad15ad87b79ca3d66cfab0b3ff3

    SHA1

    ff465eb67fbf9c2575bebcd0e7ece94d2c90560d

    SHA256

    d18a5837ea79960544036af2b097db258391a1b8483fa687a245859e9b4c2c1a

    SHA512

    825847455cfc46071ddadebdd20f67cde32e11f0b95aa7e47bfdbd77e446e8644b05b0bd4f4ac61cf5c9bf9242a0fdbe629cddd05897270b4f67cdbb05cc0c11

  • C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\libmtm3.dll
    MD5

    3e90cf9f12da95d5c248d6f51ed2cc81

    SHA1

    9faeefaaa6e049f64a3dae4f11fa1e657b6a02e3

    SHA256

    8434be24df031b2c903bacdd36f4f769728a249b2253713d4c0ac3e5a04d6734

    SHA512

    925ee45e4adc44a4dbce05eb22b0aefeebad68a5eb6f12f780d7e3324c5f3b8d382c2e3ac6cbc368f13acb14f44e792e2671d669f0ffc9940ef0e1e637249a9c

  • C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\pwt
    MD5

    b96c921864afb25455285860307a47ac

    SHA1

    85555837a8299bfe5d75b8269ef8d98daa9c132a

    SHA256

    677bc795baac677dcf6760d1f6fadcf191995c137bf583e695ac0b6ba112828d

    SHA512

    90bb66eeeb5400b55549e1bf7ee98c07f65818cd038fe9c4858fd6cfba0ab0ae31529388a933d93c2c28642f3b4916d124e4812a5e6f147be1d24660d092707a

  • C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe
    MD5

    4474b0449b173664ec17a6f98e15b728

    SHA1

    fd28d5b82a071ce7a8efb1eb01d92d350c870cb8

    SHA256

    78280609ea601c9eda80574e87ba91db440260f0e95148db35044af23371d02f

    SHA512

    74f39c88bd45277e6d961b3733e2a11f513dcc2c32a02057b6895451226bfa16d5be620559de7461e5236a6e05e53cfa245a2a0575893c12661e589426e93a5b

  • \Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\libmtm3.dll
    MD5

    3e90cf9f12da95d5c248d6f51ed2cc81

    SHA1

    9faeefaaa6e049f64a3dae4f11fa1e657b6a02e3

    SHA256

    8434be24df031b2c903bacdd36f4f769728a249b2253713d4c0ac3e5a04d6734

    SHA512

    925ee45e4adc44a4dbce05eb22b0aefeebad68a5eb6f12f780d7e3324c5f3b8d382c2e3ac6cbc368f13acb14f44e792e2671d669f0ffc9940ef0e1e637249a9c

  • memory/588-137-0x00000000036F0000-0x00000000087F0000-memory.dmp
    Filesize

    81.0MB

  • memory/3688-121-0x0000000000000000-mapping.dmp
  • memory/3688-126-0x0000000000400000-0x00000000004F8000-memory.dmp
    Filesize

    992KB

  • memory/3964-127-0x0000000000790000-0x0000000000791000-memory.dmp
    Filesize

    4KB

  • memory/3964-124-0x0000000000000000-mapping.dmp
  • memory/4336-120-0x0000000000740000-0x00000000007EE000-memory.dmp
    Filesize

    696KB

  • memory/4336-118-0x0000000000000000-mapping.dmp
  • memory/4380-117-0x0000000000400000-0x00000000004F8000-memory.dmp
    Filesize

    992KB

  • memory/4540-128-0x0000000000000000-mapping.dmp
  • memory/4540-134-0x0000000004B80000-0x0000000009C80000-memory.dmp
    Filesize

    81.0MB