Overview

overview

10

Static

static

67473fb1c8...f7.exe

windows7_x64

10

67473fb1c8...f7.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    142s
  • max time network
    172s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    18-04-2022 10:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    67473fb1c8ccc03f6415b2a9d2c20ceaa6ad08c867a15cf69d07ea17cf9c98f7.exe

  • Size

    381KB

  • MD5

    8be0b78e7331f8376298b9c1f22dd340

  • SHA1

    8af6cfecea6e51d6e92fb7a0b15b095c2cb2475e

  • SHA256

    67473fb1c8ccc03f6415b2a9d2c20ceaa6ad08c867a15cf69d07ea17cf9c98f7

  • SHA512

    f6cca3801b883d971bc4af10dbccb1f018084a18c8f71dd5bb14610aacffdda18057340dd4e88e49d681f6f91141b562a9fb8162c994f3ef6fc45207f65af9f8

Score
10/10
systembctrojan

Malware Config

Extracted

Family

systembc

C2

sdadvert197.com:4044

mexstat128.com:4044

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\67473fb1c8ccc03f6415b2a9d2c20ceaa6ad08c867a15cf69d07ea17cf9c98f7.exe
    "C:\Users\Admin\AppData\Local\Temp\67473fb1c8ccc03f6415b2a9d2c20ceaa6ad08c867a15cf69d07ea17cf9c98f7.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:660
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {0D03EF73-F1F6-41E5-8B7A-97BEFA6F7641} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\ProgramData\amean\chredwj.exe
      C:\ProgramData\amean\chredwj.exe start
      2⤵
      • Executes dropped EXE
      PID:952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\amean\chredwj.exe
    Filesize

    381KB

    MD5

    8be0b78e7331f8376298b9c1f22dd340

    SHA1

    8af6cfecea6e51d6e92fb7a0b15b095c2cb2475e

    SHA256

    67473fb1c8ccc03f6415b2a9d2c20ceaa6ad08c867a15cf69d07ea17cf9c98f7

    SHA512

    f6cca3801b883d971bc4af10dbccb1f018084a18c8f71dd5bb14610aacffdda18057340dd4e88e49d681f6f91141b562a9fb8162c994f3ef6fc45207f65af9f8

    Download Submit
  • C:\ProgramData\amean\chredwj.exe
    Filesize

    381KB

    MD5

    8be0b78e7331f8376298b9c1f22dd340

    SHA1

    8af6cfecea6e51d6e92fb7a0b15b095c2cb2475e

    SHA256

    67473fb1c8ccc03f6415b2a9d2c20ceaa6ad08c867a15cf69d07ea17cf9c98f7

    SHA512

    f6cca3801b883d971bc4af10dbccb1f018084a18c8f71dd5bb14610aacffdda18057340dd4e88e49d681f6f91141b562a9fb8162c994f3ef6fc45207f65af9f8

    Download Submit
  • memory/660-54-0x00000000027A7000-0x00000000027AE000-memory.dmp
    Filesize

    28KB

    Download
  • memory/660-55-0x0000000075761000-0x0000000075763000-memory.dmp
    Filesize

    8KB

    Download
  • memory/660-57-0x00000000003C0000-0x00000000003C9000-memory.dmp
    Filesize

    36KB

    Download
  • memory/660-56-0x00000000027A7000-0x00000000027AE000-memory.dmp
    Filesize

    28KB

    Download
  • memory/660-58-0x0000000000400000-0x000000000231C000-memory.dmp
    Filesize

    31.1MB

    Download
  • memory/952-60-0x0000000000000000-mapping.dmp
    Download
  • memory/952-62-0x0000000000277000-0x000000000027D000-memory.dmp
    Filesize

    24KB

    Download
  • memory/952-64-0x0000000000277000-0x000000000027D000-memory.dmp
    Filesize

    24KB

    Download
  • memory/952-65-0x0000000000400000-0x000000000231C000-memory.dmp
    Filesize

    31.1MB

    Download