Resubmissions
18-04-2024 05:25
240418-f4hreadf5z 1018-04-2024 05:25
240418-f4fl2scd33 1018-04-2024 05:25
240418-f4fbaadf5v 1018-04-2024 05:25
240418-f4edzscd32 1018-04-2024 05:25
240418-f4dsfscd29 10Analysis
-
max time kernel
149s -
max time network
168s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
08-05-2022 23:21
General
-
Target
fdc98ea3381d04350e38b592c2c63090d6f0bd32388a21fcfc5b7bfcb9753d20.exe
-
Size
121KB
-
MD5
2140899e877c2bb95f71f77c31e205ce
-
SHA1
b7322db66f0c4b5a48c10ca3213b899131045d11
-
SHA256
fdc98ea3381d04350e38b592c2c63090d6f0bd32388a21fcfc5b7bfcb9753d20
-
SHA512
6856af4f8cb1fceede24360c7e081e6beea701a44b80e6276db719e5cba3b6cf5f7fae8df4ce56852ea34e73dfa4e091a8ac258d1efb596e0d7224b33402fe07
Malware Config
Extracted
systembc
sdadvert197.com:4044
mexstat128.com:4044
Signatures
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
-
Executes dropped EXE 1 IoCs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.
-
Drops file in Windows directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\fdc98ea3381d04350e38b592c2c63090d6f0bd32388a21fcfc5b7bfcb9753d20.exe"C:\Users\Admin\AppData\Local\Temp\fdc98ea3381d04350e38b592c2c63090d6f0bd32388a21fcfc5b7bfcb9753d20.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\taskeng.exetaskeng.exe {58041107-F218-4969-9751-9F4ADD88957A} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\luifqi\wklm.exeC:\ProgramData\luifqi\wklm.exe start2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\luifqi\wklm.exeFilesize
121KB
MD52140899e877c2bb95f71f77c31e205ce
SHA1b7322db66f0c4b5a48c10ca3213b899131045d11
SHA256fdc98ea3381d04350e38b592c2c63090d6f0bd32388a21fcfc5b7bfcb9753d20
SHA5126856af4f8cb1fceede24360c7e081e6beea701a44b80e6276db719e5cba3b6cf5f7fae8df4ce56852ea34e73dfa4e091a8ac258d1efb596e0d7224b33402fe07
-
C:\ProgramData\luifqi\wklm.exeFilesize
121KB
MD52140899e877c2bb95f71f77c31e205ce
SHA1b7322db66f0c4b5a48c10ca3213b899131045d11
SHA256fdc98ea3381d04350e38b592c2c63090d6f0bd32388a21fcfc5b7bfcb9753d20
SHA5126856af4f8cb1fceede24360c7e081e6beea701a44b80e6276db719e5cba3b6cf5f7fae8df4ce56852ea34e73dfa4e091a8ac258d1efb596e0d7224b33402fe07
-
memory/1660-54-0x000000000336B000-0x0000000003372000-memory.dmpFilesize
28KB
-
memory/1660-55-0x0000000000230000-0x0000000000239000-memory.dmpFilesize
36KB
-
memory/1660-56-0x0000000075F21000-0x0000000075F23000-memory.dmpFilesize
8KB
-
memory/1660-57-0x0000000000400000-0x00000000031D1000-memory.dmpFilesize
45.8MB
-
memory/1796-59-0x0000000000000000-mapping.dmp
-
memory/1796-63-0x00000000002F0000-0x00000000002F9000-memory.dmpFilesize
36KB
-
memory/1796-62-0x00000000033BB000-0x00000000033C2000-memory.dmpFilesize
28KB
-
memory/1796-64-0x0000000000400000-0x00000000031D1000-memory.dmpFilesize
45.8MB