Overview

overview

10

Static

static

00778e3e3f...38.exe

windows7-x64

10

00778e3e3f...38.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    75s
  • max time network
    95s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    21-09-2022 18:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    00778e3e3f4a1557362c2682446b6b38.exe

  • Size

    249KB

  • MD5

    00778e3e3f4a1557362c2682446b6b38

  • SHA1

    1b2d6e4260b487f13021361dbb59b023a6a0cc87

  • SHA256

    873a028cd3d8f457b4f7b8036afbc736466eade13f229b92ae4d9c67815da376

  • SHA512

    1a414bc81ac413ef60827d18b0ad6ada1232624f12d1bb75db95f139f82ba9c4fba580159ab936ed3bca355496844f561a2e124d225aa6a97571cb1ccb0f5dee

  • SSDEEP

    3072:RXMw7t3+kIazg6rLO75fuC55rfcvMCsJnbl3J0KX+fSM/h3BsxkgaBChURb:1x3RI+g6rLOtum3J0RSniga

Score
10/10
systembctrojan

Malware Config

Extracted

Family

systembc

C2

146.70.101.95:4001

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\00778e3e3f4a1557362c2682446b6b38.exe
    "C:\Users\Admin\AppData\Local\Temp\00778e3e3f4a1557362c2682446b6b38.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:1388
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {04FA8D7F-2642-463E-9053-A34925692CC1} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\ProgramData\gtue\axeombl.exe
      C:\ProgramData\gtue\axeombl.exe start
      2⤵
      • Executes dropped EXE
      PID:1744

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\gtue\axeombl.exe
    Filesize

    249KB

    MD5

    00778e3e3f4a1557362c2682446b6b38

    SHA1

    1b2d6e4260b487f13021361dbb59b023a6a0cc87

    SHA256

    873a028cd3d8f457b4f7b8036afbc736466eade13f229b92ae4d9c67815da376

    SHA512

    1a414bc81ac413ef60827d18b0ad6ada1232624f12d1bb75db95f139f82ba9c4fba580159ab936ed3bca355496844f561a2e124d225aa6a97571cb1ccb0f5dee

    Download Submit
  • C:\ProgramData\gtue\axeombl.exe
    Filesize

    249KB

    MD5

    00778e3e3f4a1557362c2682446b6b38

    SHA1

    1b2d6e4260b487f13021361dbb59b023a6a0cc87

    SHA256

    873a028cd3d8f457b4f7b8036afbc736466eade13f229b92ae4d9c67815da376

    SHA512

    1a414bc81ac413ef60827d18b0ad6ada1232624f12d1bb75db95f139f82ba9c4fba580159ab936ed3bca355496844f561a2e124d225aa6a97571cb1ccb0f5dee

    Download Submit
  • memory/1388-54-0x00000000768A1000-0x00000000768A3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1388-55-0x000000000063E000-0x000000000064E000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1388-56-0x0000000000220000-0x0000000000229000-memory.dmp
    Filesize

    36KB

    Download
  • memory/1388-57-0x0000000000400000-0x0000000000443000-memory.dmp
    Filesize

    268KB

    Download
  • memory/1744-59-0x0000000000000000-mapping.dmp
    Download
  • memory/1744-62-0x00000000002EE000-0x00000000002FE000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1744-63-0x0000000000400000-0x0000000000443000-memory.dmp
    Filesize

    268KB

    Download