Overview

overview

10

Static

static

e813bbd838...e8.exe

windows7_x64

10

e813bbd838...e8.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    18-04-2022 10:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe

  • Size

    356KB

  • MD5

    c851a0d3a2cb3e759e85d73f48437fe1

  • SHA1

    3210b9c823d8c1d75f2770884abc1c675db8081b

  • SHA256

    e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8

  • SHA512

    a3b42489df794cffe8b539199dcfcb18dead5d820c6325f0e75cdd40abe6e67309c6980a8667da6905b0aa6dc000306c8a778ce125c5e4b54f0036e95983a9a0

Score
10/10
systembctrojan

Malware Config

Extracted

Family

systembc

C2

sdadvert197.com:4044

mexstat128.com:4044

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Tor communications 1 TTPs

    Malware can proxy its traffic through Tor for more anonymity.

  • Drops file in Windows directory 2 IoCs
  • Program crash 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe
    "C:\Users\Admin\AppData\Local\Temp\e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:4752
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 496
      2⤵
      • Program crash
      PID:2228
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 932
      2⤵
      • Program crash
      PID:1280
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 976
      2⤵
      • Program crash
      PID:100
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 504
      2⤵
      • Program crash
      PID:3048
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 4752 -ip 4752
    1⤵
      PID:860
    • C:\ProgramData\tqminjo\vncgkjm.exe
      C:\ProgramData\tqminjo\vncgkjm.exe start
      1⤵
      • Executes dropped EXE
      PID:4588
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 484
        2⤵
        • Program crash
        PID:4116
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 776
        2⤵
        • Program crash
        PID:4496
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 880
        2⤵
        • Program crash
        PID:1944
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4588 -s 864
        2⤵
        • Program crash
        PID:2140
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4588 -ip 4588
      1⤵
        PID:1520
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4588 -ip 4588
        1⤵
          PID:4916
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4752 -ip 4752
          1⤵
            PID:4148
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4752 -ip 4752
            1⤵
              PID:636
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4588 -ip 4588
              1⤵
                PID:1936
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4588 -ip 4588
                1⤵
                  PID:4716
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4752 -ip 4752
                  1⤵
                    PID:4860

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\ProgramData\tqminjo\vncgkjm.exe
                    Filesize

                    356KB

                    MD5

                    c851a0d3a2cb3e759e85d73f48437fe1

                    SHA1

                    3210b9c823d8c1d75f2770884abc1c675db8081b

                    SHA256

                    e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8

                    SHA512

                    a3b42489df794cffe8b539199dcfcb18dead5d820c6325f0e75cdd40abe6e67309c6980a8667da6905b0aa6dc000306c8a778ce125c5e4b54f0036e95983a9a0

                    Download Submit
                  • C:\ProgramData\tqminjo\vncgkjm.exe
                    Filesize

                    356KB

                    MD5

                    c851a0d3a2cb3e759e85d73f48437fe1

                    SHA1

                    3210b9c823d8c1d75f2770884abc1c675db8081b

                    SHA256

                    e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8

                    SHA512

                    a3b42489df794cffe8b539199dcfcb18dead5d820c6325f0e75cdd40abe6e67309c6980a8667da6905b0aa6dc000306c8a778ce125c5e4b54f0036e95983a9a0

                    Download Submit
                  • memory/4588-135-0x0000000000D33000-0x0000000000D3A000-memory.dmp
                    Filesize

                    28KB

                    Download
                  • memory/4588-136-0x0000000000CB0000-0x0000000000CB9000-memory.dmp
                    Filesize

                    36KB

                    Download
                  • memory/4588-137-0x0000000000400000-0x0000000000C33000-memory.dmp
                    Filesize

                    8.2MB

                    Download
                  • memory/4752-130-0x0000000000D78000-0x0000000000D7F000-memory.dmp
                    Filesize

                    28KB

                    Download
                  • memory/4752-131-0x0000000002970000-0x0000000002979000-memory.dmp
                    Filesize

                    36KB

                    Download
                  • memory/4752-132-0x0000000000400000-0x0000000000C33000-memory.dmp
                    Filesize

                    8.2MB

                    Download