Analysis

  • max time kernel
    68s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    10/11/2022, 13:02

General

  • Target

    dd3a5df905b4aca6028903b83919514a.exe

  • Size

    2.0MB

  • MD5

    dd3a5df905b4aca6028903b83919514a

  • SHA1

    801fc5875148a0a648e6e246dcbd1ce0ad6c007f

  • SHA256

    56ac1a8dc72d7a18f0af4f434e32479b14f67c3fe99c3bb23d38492e51412957

  • SHA512

    34bee5e5d9f645f4757762b85a8765919058baf7fc4aad8f11d8f2f80ff80d2daa931c29b83e8437242a9ca2718794a97caa2881ec40a6d68811e386b08e6af1

  • SSDEEP

    49152:ML53Cyfyr0BZjZHInzzo74PgYwaL/Dftfss:G15qY3NozzRPeoDftf

Score
10/10

Malware Config

Extracted

Family

systembc

C2

slavelever.info:4248

slavelevereoewl.info:4248

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd3a5df905b4aca6028903b83919514a.exe
    "C:\Users\Admin\AppData\Local\Temp\dd3a5df905b4aca6028903b83919514a.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:1048
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {6BA5B8A4-ED58-4357-8B18-308408FF3003} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:992
    • C:\Users\Admin\AppData\Local\Temp\dd3a5df905b4aca6028903b83919514a.exe
      C:\Users\Admin\AppData\Local\Temp\dd3a5df905b4aca6028903b83919514a.exe start
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:888

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/888-59-0x0000000000400000-0x0000000000886000-memory.dmp

          Filesize

          4.5MB

        • memory/888-61-0x0000000077840000-0x00000000779C0000-memory.dmp

          Filesize

          1.5MB

        • memory/888-62-0x0000000000400000-0x0000000000886000-memory.dmp

          Filesize

          4.5MB

        • memory/888-64-0x0000000077840000-0x00000000779C0000-memory.dmp

          Filesize

          1.5MB

        • memory/1048-54-0x0000000000400000-0x0000000000886000-memory.dmp

          Filesize

          4.5MB

        • memory/1048-55-0x00000000759F1000-0x00000000759F3000-memory.dmp

          Filesize

          8KB

        • memory/1048-56-0x0000000077840000-0x00000000779C0000-memory.dmp

          Filesize

          1.5MB

        • memory/1048-57-0x0000000000400000-0x0000000000886000-memory.dmp

          Filesize

          4.5MB

        • memory/1048-63-0x0000000077840000-0x00000000779C0000-memory.dmp

          Filesize

          1.5MB

        • memory/1048-65-0x0000000077840000-0x00000000779C0000-memory.dmp

          Filesize

          1.5MB