Overview

overview

10

Static

static

1478aec44d...66.exe

windows7_x64

10

1478aec44d...66.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    01-02-2022 10:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1478aec44d67217a18fb2b88e9db45b9c15c468f2498f56f09a5d1fef4eafb66.exe

  • Size

    51KB

  • MD5

    914a8a27c511bacea375dbee8d88e165

  • SHA1

    d017bdad365f3ecfda7a0c0936f6ed8c708c413c

  • SHA256

    1478aec44d67217a18fb2b88e9db45b9c15c468f2498f56f09a5d1fef4eafb66

  • SHA512

    884418991e70ed09aaa40381888cd3fbe9b739665d515aae055fab8b0bfd239f3a5d647887633ef58d6d1b36a3af3e2269c283d75fe32a68eb0e24d07310818a

Score
10/10
systembcpersistencetrojan

Malware Config

Extracted

Family

systembc

C2

141.255.166.149:4125

5.188.62.165:4125

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Executes dropped EXE 1 IoCs
  • Sets service image path in registry 2 TTPs
    persistence
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1478aec44d67217a18fb2b88e9db45b9c15c468f2498f56f09a5d1fef4eafb66.exe
    "C:\Users\Admin\AppData\Local\Temp\1478aec44d67217a18fb2b88e9db45b9c15c468f2498f56f09a5d1fef4eafb66.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:3720
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe c3be752d7e8d88db48f32c6dc1c518b9 7cbdRzseKEabK+lMeQUa0A.0.1.0.0.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:3800
  • C:\ProgramData\wupxqix\orrlb.exe
    C:\ProgramData\wupxqix\orrlb.exe start
    1⤵
    • Executes dropped EXE
    PID:488

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\wupxqix\orrlb.exe
    MD5

    914a8a27c511bacea375dbee8d88e165

    SHA1

    d017bdad365f3ecfda7a0c0936f6ed8c708c413c

    SHA256

    1478aec44d67217a18fb2b88e9db45b9c15c468f2498f56f09a5d1fef4eafb66

    SHA512

    884418991e70ed09aaa40381888cd3fbe9b739665d515aae055fab8b0bfd239f3a5d647887633ef58d6d1b36a3af3e2269c283d75fe32a68eb0e24d07310818a

    Download Submit
  • C:\ProgramData\wupxqix\orrlb.exe
    MD5

    914a8a27c511bacea375dbee8d88e165

    SHA1

    d017bdad365f3ecfda7a0c0936f6ed8c708c413c

    SHA256

    1478aec44d67217a18fb2b88e9db45b9c15c468f2498f56f09a5d1fef4eafb66

    SHA512

    884418991e70ed09aaa40381888cd3fbe9b739665d515aae055fab8b0bfd239f3a5d647887633ef58d6d1b36a3af3e2269c283d75fe32a68eb0e24d07310818a

    Download Submit
  • memory/488-134-0x00000000005B0000-0x00000000005BA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3720-130-0x00000000009A0000-0x00000000009A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3720-131-0x00000000009D0000-0x00000000009DA000-memory.dmp
    Filesize

    40KB

    Download