Analysis
-
max time kernel
130s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
30-09-2022 15:30
General
-
Target
a4ee9f4729596748dec32a90e27547c0.exe
-
Size
6.1MB
-
MD5
a4ee9f4729596748dec32a90e27547c0
-
SHA1
d8bf8f8e877babd4ee74a63a02e866b8f5e7fd6f
-
SHA256
250e065988da19ed97e3a9ea5c185059688fbe3c9c240f207dc518377ec53ef9
-
SHA512
a09a930fed406e2affdbddc725a48405032a02ef877d1c8a3fe50e9344339955b5b4511c6107e430a13e2d2cbd5c7eb636c9e729f6232c9e6f9fa9b2f3e59631
-
SSDEEP
98304:+Mu3f/jr6blqCtAZhO0oNtHjgKPUbzSTcLYUkwf8M2m51AjLrLrQ/J:+Vf/v6bl3tNXtoQcLs/M2mDAjPLA
Malware Config
Extracted
systembc
89.22.225.242:4193
195.2.93.22:4193
Signatures
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Themida packer 7 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 24 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a4ee9f4729596748dec32a90e27547c0.exe"C:\Users\Admin\AppData\Local\Temp\a4ee9f4729596748dec32a90e27547c0.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\TypeRes\DllResource.exe"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\TypeRes\DllResource.exe"C:\Users\Admin\TypeRes\DllResource.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\a4ee9f4729596748dec32a90e27547c0.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 650013⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.13⤵
- Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\TypeRes\DllResource.exeFilesize
681.4MB
MD5fd938c2ce3f8676c4a658a62e3df2b37
SHA1075f8e8e0173c4b0a8c6d63824907f05c22e9873
SHA2565dcda98fa043bdb57d11a1efdd1bc353ce23f6726d4612a6c3d603d82bf2451a
SHA512ac5ffaf665033489c9a1b8c77f428a54bb97298c8bd14e5ef9d94254170e434824d4597dca63c5e9609b2b5e0df36fe1e3725f51c4f76406852df8ab40860a9b
-
C:\Users\Admin\TypeRes\DllResource.exeFilesize
672.4MB
MD5101f6a7e8225dd60863b1536dd79e009
SHA111b5acd9793f4d797e33005328c32bc9c49dfeb0
SHA256a88d2ccbcfab970e92d37478189b4785abf9a7a72dc62b5015a0a1d5195ad123
SHA5120c6e2e6325702f728c749c30cc9260f6cd89cf5bab8db96118da2f695bc82ec2b87f49eab7bac1d76bcf608f93beb38d48fa2b1e22c6da590b975ce8898b46c8
-
memory/1040-154-0x0000000077BD0000-0x0000000077D73000-memory.dmpFilesize
1.6MB
-
memory/1040-141-0x0000000000000000-mapping.dmp
-
memory/1040-158-0x00000000011D0000-0x0000000001261000-memory.dmpFilesize
580KB
-
memory/1040-157-0x0000000003A64000-0x0000000003BE3000-memory.dmpFilesize
1.5MB
-
memory/1040-156-0x00000000032CA000-0x0000000003A5A000-memory.dmpFilesize
7.6MB
-
memory/1040-155-0x0000000003A64000-0x0000000003BE3000-memory.dmpFilesize
1.5MB
-
memory/1040-149-0x0000000077BD0000-0x0000000077D73000-memory.dmpFilesize
1.6MB
-
memory/1040-159-0x00000000011D0000-0x0000000001261000-memory.dmpFilesize
580KB
-
memory/1040-160-0x0000000001110000-0x0000000001117000-memory.dmpFilesize
28KB
-
memory/1040-163-0x00000000011D0000-0x0000000001261000-memory.dmpFilesize
580KB
-
memory/1040-144-0x0000000000400000-0x0000000001022000-memory.dmpFilesize
12.1MB
-
memory/1040-152-0x00000000032CA000-0x0000000003A5A000-memory.dmpFilesize
7.6MB
-
memory/1040-153-0x0000000000400000-0x0000000001022000-memory.dmpFilesize
12.1MB
-
memory/1596-145-0x0000000000000000-mapping.dmp
-
memory/3300-150-0x0000000000000000-mapping.dmp
-
memory/4420-139-0x0000000003AFA000-0x0000000003C79000-memory.dmpFilesize
1.5MB
-
memory/4420-148-0x0000000003AFA000-0x0000000003C79000-memory.dmpFilesize
1.5MB
-
memory/4420-147-0x0000000000400000-0x0000000001022000-memory.dmpFilesize
12.1MB
-
memory/4420-146-0x0000000077BD0000-0x0000000077D73000-memory.dmpFilesize
1.6MB
-
memory/4420-132-0x0000000000400000-0x0000000001022000-memory.dmpFilesize
12.1MB
-
memory/4420-138-0x0000000003350000-0x0000000003AE0000-memory.dmpFilesize
7.6MB
-
memory/4420-137-0x0000000077BD0000-0x0000000077D73000-memory.dmpFilesize
1.6MB
-
memory/4420-136-0x0000000000400000-0x0000000001022000-memory.dmpFilesize
12.1MB
-
memory/4420-135-0x0000000003AFA000-0x0000000003C79000-memory.dmpFilesize
1.5MB
-
memory/4420-134-0x0000000003350000-0x0000000003AE0000-memory.dmpFilesize
7.6MB
-
memory/4420-133-0x0000000077BD0000-0x0000000077D73000-memory.dmpFilesize
1.6MB
-
memory/4544-151-0x0000000000000000-mapping.dmp
-
memory/4592-140-0x0000000000000000-mapping.dmp