Overview

overview

10

Static

static

d0d3a4d35f...d3.exe

windows7_x64

10

d0d3a4d35f...d3.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    18-04-2022 05:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d0d3a4d35f46f3a7ed5ef913b46afdcf80e2ed2a226a20cbec81115454f27dd3.exe

  • Size

    168KB

  • MD5

    2d8166616d74027c23e29f30b41922cb

  • SHA1

    7ab3a4dd77bb7716bf3d7c106e447108796a70b6

  • SHA256

    d0d3a4d35f46f3a7ed5ef913b46afdcf80e2ed2a226a20cbec81115454f27dd3

  • SHA512

    24cfe8f631a2643b4d166bcf41b79839f71df9a1bd52563742c5fb917d4d130f2784848e750b70d1e441e17339b9914ee5dbdd33417a7bab5caae83b0001ec27

Score
10/10
systembctrojan

Malware Config

Extracted

Family

systembc

C2

26asdcgd.com:4039

26asdcgd.xyz:4039

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Tor communications 1 TTPs

    Malware can proxy its traffic through Tor for more anonymity.

  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d0d3a4d35f46f3a7ed5ef913b46afdcf80e2ed2a226a20cbec81115454f27dd3.exe
    "C:\Users\Admin\AppData\Local\Temp\d0d3a4d35f46f3a7ed5ef913b46afdcf80e2ed2a226a20cbec81115454f27dd3.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:1948
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {F850F36F-0A54-408E-BCB6-449B8EBB45E8} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\ProgramData\mgkpup\ivspau.exe
      C:\ProgramData\mgkpup\ivspau.exe start
      2⤵
      • Executes dropped EXE
      PID:1292

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\mgkpup\ivspau.exe
    Filesize

    168KB

    MD5

    2d8166616d74027c23e29f30b41922cb

    SHA1

    7ab3a4dd77bb7716bf3d7c106e447108796a70b6

    SHA256

    d0d3a4d35f46f3a7ed5ef913b46afdcf80e2ed2a226a20cbec81115454f27dd3

    SHA512

    24cfe8f631a2643b4d166bcf41b79839f71df9a1bd52563742c5fb917d4d130f2784848e750b70d1e441e17339b9914ee5dbdd33417a7bab5caae83b0001ec27

    Download Submit
  • C:\ProgramData\mgkpup\ivspau.exe
    Filesize

    168KB

    MD5

    2d8166616d74027c23e29f30b41922cb

    SHA1

    7ab3a4dd77bb7716bf3d7c106e447108796a70b6

    SHA256

    d0d3a4d35f46f3a7ed5ef913b46afdcf80e2ed2a226a20cbec81115454f27dd3

    SHA512

    24cfe8f631a2643b4d166bcf41b79839f71df9a1bd52563742c5fb917d4d130f2784848e750b70d1e441e17339b9914ee5dbdd33417a7bab5caae83b0001ec27

    Download Submit
  • memory/1292-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1292-62-0x00000000006CB000-0x00000000006D2000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1292-64-0x00000000006CB000-0x00000000006D2000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1292-65-0x0000000000400000-0x00000000004E4000-memory.dmp
    Filesize

    912KB

    Download
  • memory/1948-54-0x00000000005CB000-0x00000000005D2000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1948-55-0x00000000754A1000-0x00000000754A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1948-56-0x00000000005CB000-0x00000000005D2000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1948-57-0x0000000000220000-0x0000000000229000-memory.dmp
    Filesize

    36KB

    Download
  • memory/1948-58-0x0000000000400000-0x00000000004E4000-memory.dmp
    Filesize

    912KB

    Download