Analysis

  • max time kernel
    151s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    27-04-2022 18:01

General

  • Target

    efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b.exe

  • Size

    218KB

  • Sample

    220427-wlz6qsfgh5

  • MD5

    f8a0cd4e6952e95016502054cc56454f

  • SHA1

    7470a9b6949954168867e4f7dcc3b36cd8dbc0f2

  • SHA256

    efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b

  • SHA512

    9be869b1f257b41950ab6ef6674357714a38b11358354507f0b8b6e50999ffd69154a0734dc51314488bf1eb23263552964d4dcd734e79a62097037d68e13064

Malware Config

Extracted

Family

systembc

C2

sdadvert197.com:4044

mexstat128.com:4044

Signatures 8

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query

  • Executes dropped EXE ⋅ 1 IoCs
  • Looks up external IP address via web service ⋅ 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Tor communications ⋅ 1 TTPs

    Malware can proxy its traffic through Tor for more anonymity.

  • Drops file in Windows directory ⋅ 2 IoCs
  • Program crash ⋅ 1 IoCs
  • Suspicious behavior: EnumeratesProcesses ⋅ 2 IoCs

Processes 4

  • C:\Users\Admin\AppData\Local\Temp\efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b.exe
    "C:\Users\Admin\AppData\Local\Temp\efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b.exe"
    Drops file in Windows directory
    Suspicious behavior: EnumeratesProcesses
    PID:4068
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 488
      Program crash
      PID:4968
  • C:\ProgramData\xqcnim\bdkir.exe
    C:\ProgramData\xqcnim\bdkir.exe start
    Executes dropped EXE
    PID:2516
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4068 -ip 4068
    PID:4128

Network

MITRE ATT&CK Matrix

  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation

Downloads

  • C:\ProgramData\xqcnim\bdkir.exe
    MD5
    f8a0cd4e6952e95016502054cc56454f
    SHA1
    7470a9b6949954168867e4f7dcc3b36cd8dbc0f2
    SHA256
    efdd541a2725791d17cda91b62e811d61bd367886fa6bb383934014e18f0a43b
    SHA512
    9be869b1f257b41950ab6ef6674357714a38b11358354507f0b8b6e50999ffd69154a0734dc51314488bf1eb23263552964d4dcd734e79a62097037d68e13064

  • memory/2516-135-0x000000000090A000-0x0000000000910000-memory.dmp
  • memory/2516-136-0x0000000000400000-0x0000000000708000-memory.dmp
  • memory/4068-130-0x00000000007AE000-0x00000000007B4000-memory.dmp
  • memory/4068-131-0x0000000000B60000-0x0000000000B69000-memory.dmp
  • memory/4068-132-0x0000000000400000-0x0000000000708000-memory.dmp