General
Target

da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe

Filesize

87KB

Completed

27-04-2022 20:48

Task

behavioral1

Score
10/10
MD5

6852984ac451a05e24c746a7beae2f7e

SHA1

647d364e9c10453271d21d4de892ccdbc1ec938e

SHA256

da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8

SHA512

c03b55e314da300fd769cac02465b22c0317dfd4c445e6c9c36dd2c68cea7045ceefd872b295772fc6aa3cab6e604a4f170067d3e4ff2295ccd6109b1e735220

Malware Config

Extracted

Family

systembc

C2

asdasd08.com:4039

asdasd08.xyz:4039

Signatures 8

Command and Control
  • SystemBC

    Description

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query

    Description

    suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query

  • Executes dropped EXE
    eeposr.exe

    Reported IOCs

    pid   process
    852   eeposr.exe
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow   ioc
    4      api.ipify.org
    5      api.ipify.org
    6      ip4.seeip.org
    7      ip4.seeip.org
  • Uses Tor communications

    Description

    Malware can proxy its traffic through Tor for more anonymity.

    TTPs

    Connection Proxy
  • Drops file in Windows directory
    da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe

    Reported IOCs

    description                    ioc                          process
    File created                   C:\Windows\Tasks\eeposr.job  da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
    File opened for modification   C:\Windows\Tasks\eeposr.job  da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
  • Suspicious behavior: EnumeratesProcesses
    da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe

    Reported IOCs

    pid    process
    1948   da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
  • Suspicious use of WriteProcessMemory
    taskeng.exe

    Reported IOCs

    description                        pid    process       target process
    PID 1488 wrote to memory of 852    1488   taskeng.exe   eeposr.exe
    PID 1488 wrote to memory of 852    1488   taskeng.exe   eeposr.exe
    PID 1488 wrote to memory of 852    1488   taskeng.exe   eeposr.exe
    PID 1488 wrote to memory of 852    1488   taskeng.exe   eeposr.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
    "C:\Users\Admin\AppData\Local\Temp\da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe"
    Drops file in Windows directory
    Suspicious behavior: EnumeratesProcesses
    PID:1948
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {C294F48A-372D-4401-BEF0-1B656F7C7BB5} S-1-5-18:NT AUTHORITY\System:Service:
    Suspicious use of WriteProcessMemory
    PID:1488
    • C:\ProgramData\rhjnko\eeposr.exe
      C:\ProgramData\rhjnko\eeposr.exe start
      Executes dropped EXE
      PID:852
Network
MITRE ATT&CK Matrix
  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation
Downloads
  • C:\ProgramData\rhjnko\eeposr.exe

    MD5

    6852984ac451a05e24c746a7beae2f7e

    SHA1

    647d364e9c10453271d21d4de892ccdbc1ec938e

    SHA256

    da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8

    SHA512

    c03b55e314da300fd769cac02465b22c0317dfd4c445e6c9c36dd2c68cea7045ceefd872b295772fc6aa3cab6e604a4f170067d3e4ff2295ccd6109b1e735220

  • memory/852-62-0x00000000030DB000-0x00000000030E2000-memory.dmp

  • memory/852-63-0x0000000000400000-0x0000000002FA1000-memory.dmp

  • memory/852-59-0x0000000000000000-mapping.dmp

  • memory/1948-57-0x0000000000400000-0x0000000002FA1000-memory.dmp

  • memory/1948-54-0x0000000076571000-0x0000000076573000-memory.dmp

  • memory/1948-56-0x0000000000230000-0x0000000000239000-memory.dmp

  • memory/1948-55-0x000000000317B000-0x0000000003182000-memory.dmp