Analysis

  • max time kernel
    158s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    27-04-2022 17:55

General

  • Target

    da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe

  • Size

    87KB

  • MD5

    6852984ac451a05e24c746a7beae2f7e

  • SHA1

    647d364e9c10453271d21d4de892ccdbc1ec938e

  • SHA256

    da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8

  • SHA512

    c03b55e314da300fd769cac02465b22c0317dfd4c445e6c9c36dd2c68cea7045ceefd872b295772fc6aa3cab6e604a4f170067d3e4ff2295ccd6109b1e735220

Malware Config

Extracted

Family

systembc

C2

asdasd08.com:4039

asdasd08.xyz:4039

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query

    suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query

  • Executes dropped EXE ⋅ 1 IoCs
  • Looks up external IP address via web service ⋅ 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Tor communications ⋅ 1 TTPs

    Malware can proxy its traffic through Tor for more anonymity.

  • Drops file in Windows directory ⋅ 2 IoCs
  • Program crash ⋅ 1 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe
    "C:\Users\Admin\AppData\Local\Temp\da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8.exe"
    Drops file in Windows directory
    Suspicious behavior: EnumeratesProcesses
    PID:4360
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 948
      Program crash
      PID:4028
  • C:\ProgramData\wrfhdxg\rihv.exe
    C:\ProgramData\wrfhdxg\rihv.exe start
    Executes dropped EXE
    PID:2612
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4360 -ip 4360
    PID:4636
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
    PID:944

Network

MITRE ATT&CK Matrix

Collection

    Command and Control

    Credential Access

      Defense Evasion

        Discovery

          Execution

            Exfiltration

              Impact

                Initial Access

                  Lateral Movement

                    Persistence

                      Privilege Escalation

                        Replay Monitor

                        00:00 00:00

                        Downloads

                        • C:\ProgramData\wrfhdxg\rihv.exe
                          MD5

                          6852984ac451a05e24c746a7beae2f7e

                          SHA1

                          647d364e9c10453271d21d4de892ccdbc1ec938e

                          SHA256

                          da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8

                          SHA512

                          c03b55e314da300fd769cac02465b22c0317dfd4c445e6c9c36dd2c68cea7045ceefd872b295772fc6aa3cab6e604a4f170067d3e4ff2295ccd6109b1e735220

                        • C:\ProgramData\wrfhdxg\rihv.exe
                          MD5

                          6852984ac451a05e24c746a7beae2f7e

                          SHA1

                          647d364e9c10453271d21d4de892ccdbc1ec938e

                          SHA256

                          da1d1f735f97bf6ec7b008e135196afd97fd0f8884ddb7526df6be626453c3c8

                          SHA512

                          c03b55e314da300fd769cac02465b22c0317dfd4c445e6c9c36dd2c68cea7045ceefd872b295772fc6aa3cab6e604a4f170067d3e4ff2295ccd6109b1e735220

                        • memory/2612-135-0x0000000003082000-0x0000000003089000-memory.dmp
                        • memory/2612-136-0x0000000000400000-0x0000000002FA1000-memory.dmp
                        • memory/4360-130-0x00000000032B8000-0x00000000032BF000-memory.dmp
                        • memory/4360-131-0x0000000003200000-0x0000000003209000-memory.dmp
                        • memory/4360-132-0x0000000000400000-0x0000000002FA1000-memory.dmp