General
Target

efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b.exe

Filesize

218KB

Completed

27-04-2022 20:57

Task

behavioral1

Score
10/10
MD5

f8a0cd4e6952e95016502054cc56454f

SHA1

7470a9b6949954168867e4f7dcc3b36cd8dbc0f2

SHA256

efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b

SHA512

9be869b1f257b41950ab6ef6674357714a38b11358354507f0b8b6e50999ffd69154a0734dc51314488bf1eb23263552964d4dcd734e79a62097037d68e13064

Malware Config

Extracted

Family

systembc

C2

sdadvert197.com:4044

mexstat128.com:4044

Signatures 8

Command and Control
  • SystemBC

    Description

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query

    Description

    suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query

  • Executes dropped EXE
    djlviu.exe

    Reported IOCs

    PID   Process
    1352  djlviu.exe
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    Flow  IOC
    5     api.ipify.org
    6     api.ipify.org
    7     ip4.seeip.org
    8     ip4.seeip.org
  • Uses Tor communications

    Description

    Malware can proxy its traffic through Tor for more anonymity.

    TTPs

    Connection Proxy
  • Drops file in Windows directory
    efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b.exe

    Reported IOCs

    Description                   IOC                          Process
    File created                  C:\Windows\Tasks\djlviu.job  efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b.exe
    File opened for modification  C:\Windows\Tasks\djlviu.job  efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b.exe
  • Suspicious behavior: EnumeratesProcesses
    efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b.exe

    Reported IOCs

    PID   Process
    1796  efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b.exe
  • Suspicious use of WriteProcessMemory
    taskeng.exe

    Reported IOCs

    Description                       PID   Process      Target process
    PID 1956 wrote to memory of 1352  1956  taskeng.exe  djlviu.exe
    PID 1956 wrote to memory of 1352  1956  taskeng.exe  djlviu.exe
    PID 1956 wrote to memory of 1352  1956  taskeng.exe  djlviu.exe
    PID 1956 wrote to memory of 1352  1956  taskeng.exe  djlviu.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b.exe
    "C:\Users\Admin\AppData\Local\Temp\efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b.exe"
    Drops file in Windows directory
    Suspicious behavior: EnumeratesProcesses
    PID:1796
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {78D838C6-CEFE-451B-AA36-E0D66E350F17} S-1-5-18:NT AUTHORITY\System:Service:
    Suspicious use of WriteProcessMemory
    PID:1956
    • C:\ProgramData\bbxrevp\djlviu.exe
      C:\ProgramData\bbxrevp\djlviu.exe start
      Executes dropped EXE
      PID:1352
Network
MITRE ATT&CK Matrix
Tactics: Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\ProgramData\bbxrevp\djlviu.exe

    MD5

    f8a0cd4e6952e95016502054cc56454f

    SHA1

    7470a9b6949954168867e4f7dcc3b36cd8dbc0f2

    SHA256

    efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b

    SHA512

    9be869b1f257b41950ab6ef6674357714a38b11358354507f0b8b6e50999ffd69154a0734dc51314488bf1eb23263552964d4dcd734e79a62097037d68e13064

  • memory/1352-62-0x000000000088B000-0x0000000000892000-memory.dmp

  • memory/1352-63-0x0000000000400000-0x0000000000708000-memory.dmp

  • memory/1352-59-0x0000000000000000-mapping.dmp

  • memory/1796-57-0x0000000000400000-0x0000000000708000-memory.dmp

  • memory/1796-54-0x0000000075951000-0x0000000075953000-memory.dmp

  • memory/1796-55-0x000000000087C000-0x0000000000882000-memory.dmp

  • memory/1796-56-0x0000000000220000-0x0000000000229000-memory.dmp