General
Target

da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe

Filesize

87KB

Completed

27-04-2022 20:48

Task

behavioral2

Score
10/10
MD5

6852984ac451a05e24c746a7beae2f7e

SHA1

647d364e9c10453271d21d4de892ccdbc1ec938e

SHA256

da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8

SHA512

c03b55e314da300fd769cac02465b22c0317dfd4c445e6c9c36dd2c68cea7045ceefd872b295772fc6aa3cab6e604a4f170067d3e4ff2295ccd6109b1e735220

Malware Config

Extracted

Family

systembc

C2

asdasd08.com:4039

asdasd08.xyz:4039

Signatures 8

Command and Control
  • SystemBC

    Description

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query

    Description

    suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query

  • Executes dropped EXE
    rihv.exe

    Reported IOCs

    pid   process
    2612  rihv.exe
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow  ioc
    71    api.ipify.org
    72    api.ipify.org
  • Uses Tor communications

    Description

    Malware can proxy its traffic through Tor for more anonymity.

    TTPs

    Connection Proxy
  • Drops file in Windows directory
    da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe

    Reported IOCs

    description                   ioc                        process
    File created                  C:\Windows\Tasks\rihv.job  da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
    File opened for modification  C:\Windows\Tasks\rihv.job  da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
  • Program crash
    WerFault.exe

    Reported IOCs

    pid   pid_target  process       target process
    4028  4360        WerFault.exe  da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
  • Suspicious behavior: EnumeratesProcesses
    da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe

    Reported IOCs

    pid   process
    4360  da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
    4360  da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
Processes 5
  • C:\Users\Admin\AppData\Local\Temp\da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
    "C:\Users\Admin\AppData\Local\Temp\da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe"
    Drops file in Windows directory
    Suspicious behavior: EnumeratesProcesses
    PID:4360
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 948
      Program crash
      PID:4028
  • C:\ProgramData\wrfhdxg\rihv.exe
    C:\ProgramData\wrfhdxg\rihv.exe start
    Executes dropped EXE
    PID:2612
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4360 -ip 4360
    PID:4636
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
    PID:944
Network
MITRE ATT&CK Matrix
Tactic columns: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\ProgramData\wrfhdxg\rihv.exe

    MD5

    6852984ac451a05e24c746a7beae2f7e

    SHA1

    647d364e9c10453271d21d4de892ccdbc1ec938e

    SHA256

    da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8

    SHA512

    c03b55e314da300fd769cac02465b22c0317dfd4c445e6c9c36dd2c68cea7045ceefd872b295772fc6aa3cab6e604a4f170067d3e4ff2295ccd6109b1e735220

  • memory/2612-136-0x0000000000400000-0x0000000002FA1000-memory.dmp
  • memory/2612-135-0x0000000003082000-0x0000000003089000-memory.dmp
  • memory/4360-131-0x0000000003200000-0x0000000003209000-memory.dmp
  • memory/4360-132-0x0000000000400000-0x0000000002FA1000-memory.dmp
  • memory/4360-130-0x00000000032B8000-0x00000000032BF000-memory.dmp