Overview

overview

10

Static

static

b2fddc79dd...16.exe

windows7_x64

10

b2fddc79dd...16.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    140s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    18-04-2022 01:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816.exe

  • Size

    89KB

  • MD5

    ef794afbd770b7ee3c8a9ccffb9810fe

  • SHA1

    1bc62eeef9f672fbde7df2de77b15b25dbc87610

  • SHA256

    b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816

  • SHA512

    bc2539be88630e38ebbf27ee603c666815be68f3a45a0b8c04e2df59c77fba094f71f5e1f40789ac558201e7a183b63a379526848cfb35ea724464ee3436d47d

Score
10/10
systembctrojan

Malware Config

Extracted

Family

systembc

C2

23hfdne.com:4035

23hfdne.xyz:4035

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Tor communications 1 TTPs

    Malware can proxy its traffic through Tor for more anonymity.

  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816.exe
    "C:\Users\Admin\AppData\Local\Temp\b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:1720
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {BF5D225C-087D-4604-851F-43FDAC6B4977} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\ProgramData\nndor\sdixqkl.exe
      C:\ProgramData\nndor\sdixqkl.exe start
      2⤵
      • Executes dropped EXE
      PID:1636

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\nndor\sdixqkl.exe
    Filesize

    89KB

    MD5

    ef794afbd770b7ee3c8a9ccffb9810fe

    SHA1

    1bc62eeef9f672fbde7df2de77b15b25dbc87610

    SHA256

    b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816

    SHA512

    bc2539be88630e38ebbf27ee603c666815be68f3a45a0b8c04e2df59c77fba094f71f5e1f40789ac558201e7a183b63a379526848cfb35ea724464ee3436d47d

    Download Submit
  • C:\ProgramData\nndor\sdixqkl.exe
    Filesize

    89KB

    MD5

    ef794afbd770b7ee3c8a9ccffb9810fe

    SHA1

    1bc62eeef9f672fbde7df2de77b15b25dbc87610

    SHA256

    b2fddc79dd5fbe683e9b8737304494e5b5ebf993382714f3a27c045cb3d7f816

    SHA512

    bc2539be88630e38ebbf27ee603c666815be68f3a45a0b8c04e2df59c77fba094f71f5e1f40789ac558201e7a183b63a379526848cfb35ea724464ee3436d47d

    Download Submit
  • memory/1636-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1636-62-0x00000000005CB000-0x00000000005D2000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1636-64-0x00000000005CB000-0x00000000005D2000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1636-65-0x0000000000400000-0x00000000004D1000-memory.dmp
    Filesize

    836KB

    Download
  • memory/1720-54-0x00000000006CB000-0x00000000006D2000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1720-55-0x0000000075711000-0x0000000075713000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1720-56-0x00000000006CB000-0x00000000006D2000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1720-57-0x0000000000220000-0x0000000000229000-memory.dmp
    Filesize

    36KB

    Download
  • memory/1720-58-0x0000000000400000-0x00000000004D1000-memory.dmp
    Filesize

    836KB

    Download