Overview

overview

10

Static

static

s.exe

windows7_x64

10

s.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    06-02-2022 09:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    s.exe

  • Size

    261KB

  • MD5

    b536287b4579805e670c79ba866c7d46

  • SHA1

    31266436fe5ce008a27d96e729470a75dde1c440

  • SHA256

    1479da55bc8333e46c9923be0e8a57f6597fe4482e263f37581fadb8492eb7c7

  • SHA512

    f4ef6338a30b4b7a4b1b812cc5763c8528cba357d5969a0d07b49df6b3d92644144fdd7ec38ef23a35e84f6c3e0eecf2b5e43b08dc6a5eaaeb7c8390f27ee508

Score
10/10
systembcsuricatatrojan

Malware Config

Extracted

Family

systembc

C2

194.33.45.6:4001

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)

    suricata
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

    suricata
  • suricata: ET MALWARE Win32/SystemBC CnC Checkin

    suricata: ET MALWARE Win32/SystemBC CnC Checkin

    suricata
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\s.exe
    "C:\Users\Admin\AppData\Local\Temp\s.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:1512
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {26110206-83F0-4D24-91B7-CAAC9B43F4C1} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\ProgramData\vfovk\prullk.exe
      C:\ProgramData\vfovk\prullk.exe start
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:1572

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\vfovk\prullk.exe
    MD5

    b536287b4579805e670c79ba866c7d46

    SHA1

    31266436fe5ce008a27d96e729470a75dde1c440

    SHA256

    1479da55bc8333e46c9923be0e8a57f6597fe4482e263f37581fadb8492eb7c7

    SHA512

    f4ef6338a30b4b7a4b1b812cc5763c8528cba357d5969a0d07b49df6b3d92644144fdd7ec38ef23a35e84f6c3e0eecf2b5e43b08dc6a5eaaeb7c8390f27ee508

    Download Submit
  • C:\ProgramData\vfovk\prullk.exe
    MD5

    b536287b4579805e670c79ba866c7d46

    SHA1

    31266436fe5ce008a27d96e729470a75dde1c440

    SHA256

    1479da55bc8333e46c9923be0e8a57f6597fe4482e263f37581fadb8492eb7c7

    SHA512

    f4ef6338a30b4b7a4b1b812cc5763c8528cba357d5969a0d07b49df6b3d92644144fdd7ec38ef23a35e84f6c3e0eecf2b5e43b08dc6a5eaaeb7c8390f27ee508

    Download Submit
  • memory/1512-53-0x0000000076001000-0x0000000076003000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1512-54-0x00000000001B0000-0x00000000001B8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1512-55-0x00000000001C0000-0x00000000001C9000-memory.dmp
    Filesize

    36KB

    Download
  • memory/1512-56-0x0000000000400000-0x0000000002C25000-memory.dmp
    Filesize

    40.1MB

    Download
  • memory/1572-60-0x0000000000400000-0x0000000002C25000-memory.dmp
    Filesize

    40.1MB

    Download