Analysis
max time kernel: 144s
max time network: 147s
platform: windows10_x64
resource: win10-en-20211014
submitted: 19-11-2021 20:47
Static task: static1
Behavioral task: behavioral1
Sample: 3.exe
Resource: win7-en-20211104
General
Target: 3.exe
Size: 8.5MB
MD5: 3fe5131654f0ca2a014bcf10e7cc56b5
SHA1: 02dc19c144158b2cc776070ed059d282438c79c2
SHA256: b14bc0169039b8ed857f2cd4e6e3a9dc688227491cde1d2f25f2cf18679a994e
SHA512: 5db3ff8f12d90ea34fdad46d12d01c6c1c0ce93e8c0b3868e913ec457f689589afe15c300de310ba030335d66006c9376da9393c749ec9b0b508b64ef980106b
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
Processes:
- PID 4336: 3.tmp
- PID 3964: 3.tmp
- PID 4540: snmpmanager.exe
- PID 588: snmpmanager.exe
Loads dropped DLL (2 IoCs)
Processes:
- PID 4540: snmpmanager.exe
- PID 588: snmpmanager.exe
Drops file in Windows directory (2 IoCs)
Processes:
- File created: C:\Windows\Tasks\wow64.job (snmpmanager.exe)
- File opened for modification: C:\Windows\Tasks\wow64.job (snmpmanager.exe)
HTTP links in PDF interactive object (1 IoCs)
Detects HTTP links in interactive objects within PDF files.
Processes:
- Resource: C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\pwt, YARA rule: pdf_with_link_action
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (11 IoCs)
Processes (all by snmpmanager.exe):
- Key created: \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control
- Key created: \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001
- Key created: \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration
- Key created: \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration\0
- Set value (data): \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration\0\GUID = d0cba838d92eec118001444553540000
- Key created: \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\DeviceInstances
- Key created: \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput
- Key created: \REGISTRY\USER\.DEFAULT\System
- Key created: \REGISTRY\USER\.DEFAULT\System\CurrentControlSet
- Key created: \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties
- Key created: \REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- PID 3964: 3.tmp
- PID 3964: 3.tmp
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
- PID 3964: 3.tmp
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- PID 4540: snmpmanager.exe
- PID 588: snmpmanager.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes (each relationship is recorded three times in the report):
- PID 4380 (3.exe) wrote to memory of PID 4336 (3.tmp)
- PID 4336 (3.tmp) wrote to memory of PID 3688 (3.exe)
- PID 3688 (3.exe) wrote to memory of PID 3964 (3.tmp)
- PID 3964 (3.tmp) wrote to memory of PID 4540 (snmpmanager.exe)
Processes (indentation shows the parent/child depth reported by the sandbox)
C:\Users\Admin\AppData\Local\Temp\3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3.exe"
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\is-B1Q40.tmp\3.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-B1Q40.tmp\3.tmp" /SL5="$3013A,8044643,961536,C:\Users\Admin\AppData\Local\Temp\3.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\3.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\3.exe" /VERYSILENT
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\is-GT6M4.tmp\3.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-GT6M4.tmp\3.tmp" /SL5="$4013A,8044643,961536,C:\Users\Admin\AppData\Local\Temp\3.exe" /VERYSILENT
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe
          Command line: "C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe
  Command line: "C:\Users\Admin\AppData\Roaming\IIS Site365 Standard Edition\snmpmanager.exe" start
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads