Overview

overview

10

Static

static

5eaf5d22f9...12.exe

windows7_x64

10

5eaf5d22f9...12.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    162s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01-02-2022 10:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5eaf5d22f937189275b6fae1257fc682194ca768a91d7b5e897770ad008f7112.exe

  • Size

    84KB

  • MD5

    e1e6cc20c8ac3d45b335605cb3ebad92

  • SHA1

    60ceafc423200bb22495998aaada0df0b43b3d11

  • SHA256

    5eaf5d22f937189275b6fae1257fc682194ca768a91d7b5e897770ad008f7112

  • SHA512

    0837073758f5453d564fceb91daa70a28381ced357a8d041480b7f44ae9dfc4ff4c161643ac259ef4d69ee967e1a9d340c9d1ec2d76afedbb3e267f788403f18

Score
10/10
systembcpersistencetrojan

Malware Config

Extracted

Family

systembc

C2

31.44.184.201:4081

31.44.184.202:4081

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Executes dropped EXE 1 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5eaf5d22f937189275b6fae1257fc682194ca768a91d7b5e897770ad008f7112.exe
    "C:\Users\Admin\AppData\Local\Temp\5eaf5d22f937189275b6fae1257fc682194ca768a91d7b5e897770ad008f7112.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:408
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe eda6178cf020037f3cf464e9c17f170d zI7tg6i4XkS7qX4zTH8XcA.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:1276
  • C:\ProgramData\ixel\txineim.exe
    C:\ProgramData\ixel\txineim.exe start2
    1⤵
    • Executes dropped EXE
    PID:3428

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\ixel\txineim.exe
    MD5

    e1e6cc20c8ac3d45b335605cb3ebad92

    SHA1

    60ceafc423200bb22495998aaada0df0b43b3d11

    SHA256

    5eaf5d22f937189275b6fae1257fc682194ca768a91d7b5e897770ad008f7112

    SHA512

    0837073758f5453d564fceb91daa70a28381ced357a8d041480b7f44ae9dfc4ff4c161643ac259ef4d69ee967e1a9d340c9d1ec2d76afedbb3e267f788403f18

    Download Submit
  • C:\ProgramData\ixel\txineim.exe
    MD5

    e1e6cc20c8ac3d45b335605cb3ebad92

    SHA1

    60ceafc423200bb22495998aaada0df0b43b3d11

    SHA256

    5eaf5d22f937189275b6fae1257fc682194ca768a91d7b5e897770ad008f7112

    SHA512

    0837073758f5453d564fceb91daa70a28381ced357a8d041480b7f44ae9dfc4ff4c161643ac259ef4d69ee967e1a9d340c9d1ec2d76afedbb3e267f788403f18

    Download Submit
  • memory/408-130-0x0000000000550000-0x0000000000551000-memory.dmp
    Filesize

    4KB

    Download
  • memory/408-131-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download