Overview

overview

10

Static

static

90e911af29...3d.exe

windows7_x64

10

90e911af29...3d.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    154s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    15-04-2022 08:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d.exe

  • Size

    85KB

  • MD5

    281ab6111ab22e0e725a98e5496e7ce5

  • SHA1

    d9f0476d385901285953b8ed0a8fbcbcdfba7da3

  • SHA256

    90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d

  • SHA512

    35c4f4b605476ee96270cc75897bc666c78d11f68107c25d1f3803bcd66ff2fff11388b51ff8cb1ffb12834ac3ed338ce2b3a0c911b67642cc77515eab6c300f

Score
10/10
systembctrojan

Malware Config

Extracted

Family

systembc

C2

advertrex20.xyz:4044

gentexman37.xyz:4044

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Tor communications 1 TTPs

    Malware can proxy its traffic through Tor for more anonymity.

  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d.exe
    "C:\Users\Admin\AppData\Local\Temp\90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:1804
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 952
      2⤵
      • Program crash
      PID:812
  • C:\ProgramData\fdmb\thfm.exe
    C:\ProgramData\fdmb\thfm.exe start
    1⤵
    • Executes dropped EXE
    PID:1600
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 1804 -ip 1804
    1⤵
      PID:3200

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\fdmb\thfm.exe
      Filesize

      85KB

      MD5

      281ab6111ab22e0e725a98e5496e7ce5

      SHA1

      d9f0476d385901285953b8ed0a8fbcbcdfba7da3

      SHA256

      90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d

      SHA512

      35c4f4b605476ee96270cc75897bc666c78d11f68107c25d1f3803bcd66ff2fff11388b51ff8cb1ffb12834ac3ed338ce2b3a0c911b67642cc77515eab6c300f

      Download Submit
    • C:\ProgramData\fdmb\thfm.exe
      Filesize

      85KB

      MD5

      281ab6111ab22e0e725a98e5496e7ce5

      SHA1

      d9f0476d385901285953b8ed0a8fbcbcdfba7da3

      SHA256

      90e911af297498fdfd40e24a9b33e106b082c9e4a00caf2a7f341da9b044b43d

      SHA512

      35c4f4b605476ee96270cc75897bc666c78d11f68107c25d1f3803bcd66ff2fff11388b51ff8cb1ffb12834ac3ed338ce2b3a0c911b67642cc77515eab6c300f

      Download Submit
    • memory/1600-136-0x00000000007B3000-0x00000000007B9000-memory.dmp
      Filesize

      24KB

      Download
    • memory/1600-137-0x00000000007B3000-0x00000000007B9000-memory.dmp
      Filesize

      24KB

      Download
    • memory/1600-138-0x00000000005B0000-0x00000000005B9000-memory.dmp
      Filesize

      36KB

      Download
    • memory/1600-139-0x0000000000400000-0x000000000046C000-memory.dmp
      Filesize

      432KB

      Download
    • memory/1804-130-0x00000000005D8000-0x00000000005DF000-memory.dmp
      Filesize

      28KB

      Download
    • memory/1804-131-0x00000000005D8000-0x00000000005DF000-memory.dmp
      Filesize

      28KB

      Download
    • memory/1804-132-0x0000000002060000-0x0000000002069000-memory.dmp
      Filesize

      36KB

      Download
    • memory/1804-133-0x0000000000400000-0x000000000046C000-memory.dmp
      Filesize

      432KB

      Download