Analysis

  • max time kernel
    107s
  • max time network
    178s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    10/03/2022, 23:24 UTC

General

  • Target

    module_e5_538_ae3f6af06a02781e995650761b3a82c6.exe

  • Size

    1.4MB

  • MD5

    ae3f6af06a02781e995650761b3a82c6

  • SHA1

    ded2009c9a5645c7582b4d1e9bc2e7133689a774

  • SHA256

    c926338972be5bdfdd89574f3dc2fe4d4f70fd4e24c1c6ac5d2439c7fcc50db5

  • SHA512

    31c1009b7b658645b3371c8a7ee6e6953a50b42e529ee69365742b0f7deea1fcc90adf90e6b1522fff998a232a6abef8139003698da0b15856923ad202e4602f

Score
10/10

Malware Config

Extracted

Family

systembc

C2

96.30.196.207:4177

45.32.132.182:4177

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • Drops file in Windows directory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\module_e5_538_ae3f6af06a02781e995650761b3a82c6.exe
    "C:\Users\Admin\AppData\Local\Temp\module_e5_538_ae3f6af06a02781e995650761b3a82c6.exe"
    PID: 2648
    • Drops file in Windows directory
  • C:\Users\Admin\AppData\Local\Temp\module_e5_538_ae3f6af06a02781e995650761b3a82c6.exe
    C:\Users\Admin\AppData\Local\Temp\module_e5_538_ae3f6af06a02781e995650761b3a82c6.exe start
    PID: 2816

    Network

    • DNS
      geo.prod.do.dsp.mp.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      geo.prod.do.dsp.mp.microsoft.com
      IN A
      Response
      geo.prod.do.dsp.mp.microsoft.com
      IN CNAME
      geo.prod.do.dsp.trafficmanager.net
      geo.prod.do.dsp.trafficmanager.net
      IN CNAME
      array610.prod.do.dsp.mp.microsoft.com
      array610.prod.do.dsp.mp.microsoft.com
      IN A
      20.54.24.69
    • DNS
      kv801.prod.do.dsp.mp.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      kv801.prod.do.dsp.mp.microsoft.com
      IN A
      Response
      kv801.prod.do.dsp.mp.microsoft.com
      IN CNAME
      kv801.prod.do.dsp.mp.microsoft.com.edgekey.net
      kv801.prod.do.dsp.mp.microsoft.com.edgekey.net
      IN CNAME
      e12437.g.akamaiedge.net
      e12437.g.akamaiedge.net
      IN A
      184.29.205.60
    • GET
      https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=IE&profile=256&CacheId=7
      Remote address:
      184.29.205.60:443
      Request
      GET /all?doClientVersion=10.0.19041.1266&countryCode=IE&profile=256&CacheId=7 HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      Accept-Encoding: gzip, deflate
      User-Agent: Microsoft-Delivery-Optimization/10.0
      MS-CV: 7Nb901JnQUWOy5Ul.2.1.1
      Content-Length: 0
      Host: kv801.prod.do.dsp.mp.microsoft.com
      Response
      HTTP/1.1 200 OK
      Content-Type: text/json
      Server: Microsoft-IIS/10.0
      X-AspNet-Version: 4.0.30319
      X-Powered-By: ASP.NET
      Vary: Accept-Encoding
      Content-Encoding: gzip
      Content-Length: 808
      Cache-Control: max-age=284
      Date: Thu, 10 Mar 2022 23:25:21 GMT
      Connection: keep-alive
    • DNS
      cp801.prod.do.dsp.mp.microsoft.com
      Remote address:
      8.8.8.8:53
      Request
      cp801.prod.do.dsp.mp.microsoft.com
      IN A
      Response
      cp801.prod.do.dsp.mp.microsoft.com
      IN CNAME
      cp801.prod.do.dsp.mp.microsoft.com.edgekey.net
      cp801.prod.do.dsp.mp.microsoft.com.edgekey.net
      IN CNAME
      e12437.g.akamaiedge.net
      e12437.g.akamaiedge.net
      IN A
      184.29.205.60
    • GET
      https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=IE&profile=256&CacheId=7
      Remote address:
      184.29.205.60:443
      Request
      GET /v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=IE&profile=256&CacheId=7 HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      Accept-Encoding: gzip, deflate
      User-Agent: Microsoft-Delivery-Optimization/10.0
      MS-CV: fGaNESRY70uPCuTNchFYQw.0.2.8.1.1.1
      Content-Length: 0
      Host: cp801.prod.do.dsp.mp.microsoft.com
      Response
      HTTP/1.1 200 OK
      Content-Type: text/json
      Server: Microsoft-IIS/10.0
      X-AspNet-Version: 4.0.30319
      X-Powered-By: ASP.NET
      Vary: Accept-Encoding
      Content-Encoding: gzip
      Content-Length: 368
      Cache-Control: max-age=32865
      Date: Thu, 10 Mar 2022 23:25:21 GMT
      Connection: keep-alive
    • GET
      https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=IE&profile=256&CacheId=7
      Remote address:
      184.29.205.60:443
      Request
      GET /v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=IE&profile=256&CacheId=7 HTTP/1.1
      Connection: Keep-Alive
      Accept: */*
      Accept-Encoding: gzip, deflate
      User-Agent: Microsoft-Delivery-Optimization/10.0
      MS-CV: fGaNESRY70uPCuTNchFYQw.0.2.8.2.1.1
      Content-Length: 0
      Host: cp801.prod.do.dsp.mp.microsoft.com
      Response
      HTTP/1.1 200 OK
      Content-Type: text/json
      Server: Microsoft-IIS/10.0
      X-AspNet-Version: 4.0.30319
      X-Powered-By: ASP.NET
      Vary: Accept-Encoding
      Content-Encoding: gzip
      Content-Length: 368
      Cache-Control: max-age=32865
      Date: Thu, 10 Mar 2022 23:25:21 GMT
      Connection: keep-alive
    • 87.248.202.1:80
      40 B
      1
    • 93.184.220.29:80
      46 B
      40 B
      1
      1
    • 93.184.221.240:80
      46 B
      40 B
      1
      1
    • 93.184.220.29:80
      46 B
      40 B
      1
      1
    • 104.80.224.57:443
      322 B
      7
    • 93.184.220.29:80
      322 B
      7
    • 93.184.220.29:80
      46 B
      40 B
      1
      1
    • 20.189.173.5:443
      40 B
      1
    • 20.54.24.69:443
      geo.prod.do.dsp.mp.microsoft.com
      tls, https
      1.2kB
      3.5kB
      12
      9
    • 184.29.205.60:443
      https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=IE&profile=256&CacheId=7
      tls, http
      1.2kB
      7.8kB
      11
      13

      HTTP Request

      GET https://kv801.prod.do.dsp.mp.microsoft.com/all?doClientVersion=10.0.19041.1266&countryCode=IE&profile=256&CacheId=7

      HTTP Response

      200
    • 184.29.205.60:443
      https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=IE&profile=256&CacheId=7
      tls, http
      1.4kB
      7.3kB
      11
      13

      HTTP Request

      GET https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=IE&profile=256&CacheId=7

      HTTP Response

      200
    • 184.29.205.60:443
      https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=IE&profile=256&CacheId=7
      tls, http
      1.4kB
      7.3kB
      11
      13

      HTTP Request

      GET https://cp801.prod.do.dsp.mp.microsoft.com/v3/content?Id=aqNSTVn6Z-S11CUPqJBC6j-rNd-FvNcwi4vtViIWIhg%253D&doClientVersion=10.0.19041.1266&altCatalogId=http%3A%2F%2Fmsedge.b.tlu.dl.delivery.mp.microsoft.com%2Ffilestreamingservice%2Ffiles%2F1f45075c-2899-44e9-9bd8-03649da92f34&countryCode=IE&profile=256&CacheId=7

      HTTP Response

      200
    • 96.30.196.207:4177
      module_e5_538_ae3f6af06a02781e995650761b3a82c6.exe
      290 B
      133 B
      4
      3
    • 204.79.197.200:443
      40 B
      1
    • 204.79.197.200:443
      40 B
      1
    • 8.8.8.8:53
      geo.prod.do.dsp.mp.microsoft.com
      dns
      78 B
      165 B
      1
      1

      DNS Request

      geo.prod.do.dsp.mp.microsoft.com

      DNS Response

      20.54.24.69

    • 8.8.8.8:53
      kv801.prod.do.dsp.mp.microsoft.com
      dns
      80 B
      190 B
      1
      1

      DNS Request

      kv801.prod.do.dsp.mp.microsoft.com

      DNS Response

      184.29.205.60

    • 8.8.8.8:53
      cp801.prod.do.dsp.mp.microsoft.com
      dns
      80 B
      190 B
      1
      1

      DNS Request

      cp801.prod.do.dsp.mp.microsoft.com

      DNS Response

      184.29.205.60

    Downloads

    • memory/2648-130-0x00000000022F0000-0x00000000022F1000-memory.dmp

      Filesize

      4KB

    • memory/2648-131-0x0000000002450000-0x0000000002455000-memory.dmp

      Filesize

      20KB

    • memory/2648-132-0x0000000000400000-0x0000000000568000-memory.dmp

      Filesize

      1.4MB

    • memory/2816-133-0x0000000000610000-0x0000000000611000-memory.dmp

      Filesize

      4KB

    • memory/2816-134-0x0000000000400000-0x0000000000568000-memory.dmp

      Filesize

      1.4MB