Analysis
-
max time kernel
144s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
27-04-2022 17:55
General
-
Target
e901c09fe8b81cf2a87de97087faf4cafce7287a3784907cb52806ca1cfa20f6.exe
-
Size
86KB
-
MD5
ee901758b646be29eec10374025e5aea
-
SHA1
5dce870f80a5a97d0a05df73696222b7c2a3d528
-
SHA256
e901c09fe8b81cf2a87de97087faf4cafce7287a3784907cb52806ca1cfa20f6
-
SHA512
9c7b1911e92395e41bd10a5138475063ff7675220fdb10722e35f830e2f132d97a9449dfb61547f7866a3a1a9e6cf3401b29359e982035ebb08345fd0303fc65
Malware Config
Extracted
systembc
advertrex20.xyz:4044
gentexman37.xyz:4044
Signatures
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
-
Executes dropped EXE 1 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.
-
Drops file in Windows directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e901c09fe8b81cf2a87de97087faf4cafce7287a3784907cb52806ca1cfa20f6.exe"C:\Users\Admin\AppData\Local\Temp\e901c09fe8b81cf2a87de97087faf4cafce7287a3784907cb52806ca1cfa20f6.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\taskeng.exetaskeng.exe {F02F20C0-AE28-4216-8955-7E8D5915779E} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\vvurk\infg.exeC:\ProgramData\vvurk\infg.exe start2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\vvurk\infg.exeFilesize
86KB
MD5ee901758b646be29eec10374025e5aea
SHA15dce870f80a5a97d0a05df73696222b7c2a3d528
SHA256e901c09fe8b81cf2a87de97087faf4cafce7287a3784907cb52806ca1cfa20f6
SHA5129c7b1911e92395e41bd10a5138475063ff7675220fdb10722e35f830e2f132d97a9449dfb61547f7866a3a1a9e6cf3401b29359e982035ebb08345fd0303fc65
-
C:\ProgramData\vvurk\infg.exeFilesize
86KB
MD5ee901758b646be29eec10374025e5aea
SHA15dce870f80a5a97d0a05df73696222b7c2a3d528
SHA256e901c09fe8b81cf2a87de97087faf4cafce7287a3784907cb52806ca1cfa20f6
SHA5129c7b1911e92395e41bd10a5138475063ff7675220fdb10722e35f830e2f132d97a9449dfb61547f7866a3a1a9e6cf3401b29359e982035ebb08345fd0303fc65
-
memory/960-59-0x0000000000000000-mapping.dmp
-
memory/960-63-0x0000000000360000-0x0000000000369000-memory.dmpFilesize
36KB
-
memory/960-62-0x00000000030FB000-0x0000000003102000-memory.dmpFilesize
28KB
-
memory/960-64-0x0000000000400000-0x0000000002FA1000-memory.dmpFilesize
43.6MB
-
memory/1988-54-0x0000000076781000-0x0000000076783000-memory.dmpFilesize
8KB
-
memory/1988-55-0x000000000026B000-0x0000000000272000-memory.dmpFilesize
28KB
-
memory/1988-56-0x00000000001B0000-0x00000000001B9000-memory.dmpFilesize
36KB
-
memory/1988-57-0x0000000000400000-0x0000000002FA1000-memory.dmpFilesize
43.6MB