Overview

overview

10

Static

static

5350c1492b...4f.exe

windows7_x64

10

5350c1492b...4f.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    59s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    03-06-2021 10:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5350c1492b2359b71a31ba103cc19b4f.exe

  • Size

    886KB

  • MD5

    5350c1492b2359b71a31ba103cc19b4f

  • SHA1

    67b81cec1269523057aac6db028b33955bffc735

  • SHA256

    e90fa8b16a3e943baf7882ce978b4903c3012be94370e99eb0560bb8e970d682

  • SHA512

    6d0c70987524b698bf7e8cb78cfa247078810938535ff569dd9691ed6d5e8fbea703bf62180e07e624fda13c732db226d3f2231c48e3c698e5338cfb5f253f80

Score
10/10
systembctrojan

Malware Config

Extracted

Family

systembc

C2

88.198.147.80:4174

78.47.64.46:4174

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Downloads MZ/PE file
  • Executes dropped EXE 3 IoCs
  • Drops file in Windows directory 5 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5350c1492b2359b71a31ba103cc19b4f.exe
    "C:\Users\Admin\AppData\Local\Temp\5350c1492b2359b71a31ba103cc19b4f.exe"
    1⤵
    • Drops file in Windows directory
    PID:1048
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {82CA5EDC-9994-49D9-846A-DED43456FE4B} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Users\Admin\AppData\Local\Temp\5350c1492b2359b71a31ba103cc19b4f.exe
      C:\Users\Admin\AppData\Local\Temp\5350c1492b2359b71a31ba103cc19b4f.exe start
      2⤵
      • Drops file in Windows directory
      PID:1644
    • C:\Windows\TEMP\nslhh.exe
      C:\Windows\TEMP\nslhh.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:780
    • C:\Windows\TEMP\nslhh.exe
      C:\Windows\TEMP\nslhh.exe start
      2⤵
      • Executes dropped EXE
      PID:612
    • C:\Windows\TEMP\nslhh.exe
      C:\Windows\TEMP\nslhh.exe start
      2⤵
      • Executes dropped EXE
      PID:1576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\TEMP\nslhh.exe
    MD5

    5fc8b735442c0761d95300c3ab2cd3f1

    SHA1

    0c68b66cd251825596f6a9dbcd9cd664401012c8

    SHA256

    36373b5af4c8b64bff18ae7d2079da5b3cfb6371def687327d9487adb0de345d

    SHA512

    a49c999e918a1a68ef64bb4ea3d57c4be1a3e1a35ebb4fb603291dc78b45a408202bd40d95b0adb382ae82fffb30d5ce7ffec11db4b108199d62c77d3b6fe797

    Download Submit
  • C:\Windows\Tasks\wow64.job
    MD5

    33e5245ea2b5c1f2d1d416f992d38554

    SHA1

    b505483513ceda8864990f13cc6acbc08dfd2cc2

    SHA256

    275e1a20106903a6dd2c4c14fb58cd36eb480b1d2c17ddff9abf57c80e89494e

    SHA512

    1a21a93458ff8fda7e14c4574e5e69b5a8ee9fcab185e1803099af10d5734d5290fc208c46f33f518988d8cf24ac85d03c8f64d4f8a4e251dce6140ec49af018

    Download Submit
  • C:\Windows\Temp\nslhh.exe
    MD5

    5fc8b735442c0761d95300c3ab2cd3f1

    SHA1

    0c68b66cd251825596f6a9dbcd9cd664401012c8

    SHA256

    36373b5af4c8b64bff18ae7d2079da5b3cfb6371def687327d9487adb0de345d

    SHA512

    a49c999e918a1a68ef64bb4ea3d57c4be1a3e1a35ebb4fb603291dc78b45a408202bd40d95b0adb382ae82fffb30d5ce7ffec11db4b108199d62c77d3b6fe797

    Download Submit
  • C:\Windows\Temp\nslhh.exe
    MD5

    5fc8b735442c0761d95300c3ab2cd3f1

    SHA1

    0c68b66cd251825596f6a9dbcd9cd664401012c8

    SHA256

    36373b5af4c8b64bff18ae7d2079da5b3cfb6371def687327d9487adb0de345d

    SHA512

    a49c999e918a1a68ef64bb4ea3d57c4be1a3e1a35ebb4fb603291dc78b45a408202bd40d95b0adb382ae82fffb30d5ce7ffec11db4b108199d62c77d3b6fe797

    Download Submit
  • C:\Windows\Temp\nslhh.exe
    MD5

    5fc8b735442c0761d95300c3ab2cd3f1

    SHA1

    0c68b66cd251825596f6a9dbcd9cd664401012c8

    SHA256

    36373b5af4c8b64bff18ae7d2079da5b3cfb6371def687327d9487adb0de345d

    SHA512

    a49c999e918a1a68ef64bb4ea3d57c4be1a3e1a35ebb4fb603291dc78b45a408202bd40d95b0adb382ae82fffb30d5ce7ffec11db4b108199d62c77d3b6fe797

    Download Submit
  • memory/612-79-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/612-81-0x0000000000400000-0x00000000004E2000-memory.dmp
    Filesize

    904KB

    Download
  • memory/612-76-0x0000000000000000-mapping.dmp
    Download
  • memory/780-75-0x0000000000400000-0x00000000004E2000-memory.dmp
    Filesize

    904KB

    Download
  • memory/780-69-0x0000000000000000-mapping.dmp
    Download
  • memory/1048-59-0x0000000075721000-0x0000000075723000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1048-62-0x0000000000400000-0x00000000004E2000-memory.dmp
    Filesize

    904KB

    Download
  • memory/1048-60-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1048-61-0x0000000000260000-0x0000000000265000-memory.dmp
    Filesize

    20KB

    Download
  • memory/1576-82-0x0000000000000000-mapping.dmp
    Download
  • memory/1576-85-0x00000000002F0000-0x00000000002F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1576-87-0x0000000000400000-0x00000000004E2000-memory.dmp
    Filesize

    904KB

    Download
  • memory/1644-63-0x0000000000000000-mapping.dmp
    Download
  • memory/1644-65-0x00000000002F0000-0x00000000002F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1644-67-0x0000000000400000-0x00000000004E2000-memory.dmp
    Filesize

    904KB

    Download