Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    08-12-2021 14:20

General

  • Target

    25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe

  • Size

    148KB

  • MD5

    a6bb96f7c9972db7d27a415742d57a88

  • SHA1

    d8e3c322e66d714db5a947ea0804f112f7971734

  • SHA256

    25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb

  • SHA512

    e40fcf73f5ff1e86214d369dcd5ebc1735dba9ac5ea95a0b357fc8935061274858e9f6fd9dbf1dc9b2224424c4eebd6c79d81551ddbc78bb96371c0c903aa3ca

Score
10/10

Malware Config

Extracted

Family

systembc

C2

mxblogs19.xyz:4044

sdadvert20.xyz:4044

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Tor communications 1 TTPs

    Malware can proxy its traffic through Tor for more anonymity.

  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe
    "C:\Users\Admin\AppData\Local\Temp\25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:2568
  • C:\ProgramData\qdcxw\ooifrs.exe
    C:\ProgramData\qdcxw\ooifrs.exe start
    1⤵
    • Executes dropped EXE
    PID:2476

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\qdcxw\ooifrs.exe

    MD5

    a6bb96f7c9972db7d27a415742d57a88

    SHA1

    d8e3c322e66d714db5a947ea0804f112f7971734

    SHA256

    25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb

    SHA512

    e40fcf73f5ff1e86214d369dcd5ebc1735dba9ac5ea95a0b357fc8935061274858e9f6fd9dbf1dc9b2224424c4eebd6c79d81551ddbc78bb96371c0c903aa3ca

  • C:\ProgramData\qdcxw\ooifrs.exe

    MD5

    a6bb96f7c9972db7d27a415742d57a88

    SHA1

    d8e3c322e66d714db5a947ea0804f112f7971734

    SHA256

    25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb

    SHA512

    e40fcf73f5ff1e86214d369dcd5ebc1735dba9ac5ea95a0b357fc8935061274858e9f6fd9dbf1dc9b2224424c4eebd6c79d81551ddbc78bb96371c0c903aa3ca

  • memory/2476-123-0x00000000035AD000-0x00000000035B4000-memory.dmp

    Filesize

    28KB

  • memory/2476-124-0x0000000000400000-0x0000000003269000-memory.dmp

    Filesize

    46.4MB

  • memory/2568-118-0x0000000003503000-0x0000000003509000-memory.dmp

    Filesize

    24KB

  • memory/2568-119-0x0000000000030000-0x0000000000039000-memory.dmp

    Filesize

    36KB

  • memory/2568-120-0x0000000000400000-0x0000000003269000-memory.dmp

    Filesize

    46.4MB