Analysis
-
max time kernel
154s -
max time network
146s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
03-02-2022 08:53
General
-
Target
c28c72944827aecc6e64211f91d082cd.exe
-
Size
2.0MB
-
MD5
c28c72944827aecc6e64211f91d082cd
-
SHA1
478e292f63cacdc9d43e095ce5ef7a3accb68cde
-
SHA256
4f8fd85bcb3dbb5d82d3194a2ac9742a8f0696685b69d425b1384d29e2260bf3
-
SHA512
d314b1b5ae22e8b75bb541adaba41f2f8d78bef3ee9274bb09336bc31a7ced83d9331525ebe519a02aebe6f7934ce85dd41fce1ca28cbdfa0bb7e123336573a7
Score
10/10
Malware Config
Signatures
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Drops file in Windows directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c28c72944827aecc6e64211f91d082cd.exe"C:\Users\Admin\AppData\Local\Temp\c28c72944827aecc6e64211f91d082cd.exe"1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\taskeng.exetaskeng.exe {F6E6334B-1286-4419-A2C7-8595D9BFDF1A} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\c28c72944827aecc6e64211f91d082cd.exeC:\Users\Admin\AppData\Local\Temp\c28c72944827aecc6e64211f91d082cd.exe start2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1140-69-0x0000000000400000-0x0000000000803000-memory.dmpFilesize
4.0MB
-
memory/1140-81-0x0000000000400000-0x0000000000803000-memory.dmpFilesize
4.0MB
-
memory/1140-82-0x0000000000400000-0x0000000000803000-memory.dmpFilesize
4.0MB
-
memory/1140-80-0x0000000000400000-0x0000000000803000-memory.dmpFilesize
4.0MB
-
memory/1140-79-0x0000000000260000-0x00000000002A6000-memory.dmpFilesize
280KB
-
memory/1140-77-0x0000000077420000-0x000000007757C000-memory.dmpFilesize
1.4MB
-
memory/1140-72-0x0000000075E70000-0x0000000075EA5000-memory.dmpFilesize
212KB
-
memory/1140-75-0x0000000075980000-0x00000000759C7000-memory.dmpFilesize
284KB
-
memory/1140-73-0x0000000077370000-0x000000007741C000-memory.dmpFilesize
688KB
-
memory/1140-71-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/1584-60-0x0000000000240000-0x0000000000241000-memory.dmpFilesize
4KB
-
memory/1584-68-0x0000000000400000-0x0000000000803000-memory.dmpFilesize
4.0MB
-
memory/1584-67-0x0000000000401000-0x0000000000404000-memory.dmpFilesize
12KB
-
memory/1584-66-0x0000000077420000-0x000000007757C000-memory.dmpFilesize
1.4MB
-
memory/1584-64-0x0000000075980000-0x00000000759C7000-memory.dmpFilesize
284KB
-
memory/1584-62-0x0000000077370000-0x000000007741C000-memory.dmpFilesize
688KB
-
memory/1584-61-0x0000000075E70000-0x0000000075EA5000-memory.dmpFilesize
212KB
-
memory/1584-55-0x0000000000400000-0x0000000000803000-memory.dmpFilesize
4.0MB
-
memory/1584-59-0x0000000076511000-0x0000000076513000-memory.dmpFilesize
8KB
-
memory/1584-57-0x0000000000400000-0x0000000000803000-memory.dmpFilesize
4.0MB
-
memory/1584-58-0x0000000000400000-0x0000000000803000-memory.dmpFilesize
4.0MB
-
memory/1584-56-0x00000000002A0000-0x00000000002E6000-memory.dmpFilesize
280KB