Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16/11/2022, 18:10

General

  • Target

    cd48383befb4dce49fb855d64f500ca1.exe

  • Size

    1.2MB

  • MD5

    cd48383befb4dce49fb855d64f500ca1

  • SHA1

    af506733441826dbd789c972a2d627038c0c80af

  • SHA256

    040aa152e739826874a268f4ffb8be80dd256e7817cdb2c25329d25a5264671e

  • SHA512

    193aa7aae1f12f70b692e4bf5ac7ce8846256da76cbbdc68c1a9fe5746931cb92196ea1505ed49aab81bd45616eb7811940fbd29a83383ed95dd5f0336a9183f

  • SSDEEP

    24576:jolGO8/6YpXCGf+SK/ftRnMh9+bTLWdaVom4v7FF:j0GL6YpZmSat5LWdNhF

Score
10/10

Malware Config

Extracted

Family

systembc

C2

89.22.225.242:4193

195.2.93.22:4193

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour; here the extracted config identifies the family as SystemBC, a proxy/RAT, so treat this signature as a generic hint rather than evidence of file encryption.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
      PID:2548
      • C:\Users\Admin\AppData\Local\Temp\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
        2⤵
        • Executes dropped EXE
        PID:2156
    • C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe
      "C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe"
      1⤵
      • Checks computer location settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4900
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe"
        2⤵
        • Creates scheduled task(s)
        PID:1168
      • C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe
        "C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4236
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
          3⤵
            PID:4660
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4208
          • C:\Windows\SysWOW64\chcp.com
            chcp 65001
            3⤵
              PID:5048
            • C:\Windows\SysWOW64\PING.EXE
              ping 127.0.0.1
              3⤵
              • Runs ping.exe
              PID:2636
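The process tree above shows three behaviours worth turning into detections: a schtasks /create persistence task whose action lives under a user-profile path, a cmd.exe chain that uses ping as a delay before deleting the original sample, and a copy of svchost.exe executing from %TEMP%. The following Python is an added example, not part of the sandbox report: it runs those checks, plus a match against the C2 endpoints from the Malware Config section, over constructed Sysmon-style process and network events that mirror the tree. The field names (Image, CommandLine, ParentImage, DestinationIp, DestinationPort), the benign svchost.exe control event and the DNS event are assumptions.

```python
"""Detections for the behaviours in the process tree above.

Added example, not part of the sandbox report. EVENTS is constructed to
mirror the report's process tree; Sysmon-style field names are an assumption.
"""
import re

# C2 endpoints from the report's extracted SystemBC configuration.
SYSTEMBC_C2 = {("89.22.225.242", 4193), ("195.2.93.22", 4193)}

# Windows binary names the sample writes to %TEMP% (from the Downloads list).
SYSTEM_BINARY_NAMES = {"svchost.exe", "advapi32.dll"}

USER_WRITABLE = re.compile(r"^c:\\users\\", re.IGNORECASE)
SYSTEM_DIRS = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\cd48383befb4dce49fb855d64f500ca1.exe"
DROPPED = (r"C:\Users\Admin\goxijag kaqu rabojer"
           r"\fofew gequa botovib moca loja faromemo sow nexonide hete.exe")

EVENTS = [  # constructed from the report's process tree
    {"Type": "process", "Image": r"C:\Windows\SysWOW64\schtasks.exe", "ParentImage": SAMPLE,
     "CommandLine": '"C:\\Windows\\system32\\schtasks.exe" /create /tn COMSurrogate /f '
                    '/sc onlogon /rl highest /tr "' + DROPPED + '"'},
    {"Type": "process", "Image": r"C:\Windows\SysWOW64\cmd.exe", "ParentImage": SAMPLE,
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c chcp 65001 && ping 127.0.0.1 '
                    '&& DEL /F /S /Q /A "' + SAMPLE + '"'},
    {"Type": "process", "Image": r"C:\Users\Admin\AppData\Local\Temp\svchost.exe",
     "ParentImage": r"C:\Windows\system32\taskhostw.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\svchost.exe"'},
    {"Type": "process", "Image": r"C:\Windows\System32\svchost.exe",  # benign control (assumed)
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"Type": "network", "Image": DROPPED, "DestinationIp": "89.22.225.242", "DestinationPort": 4193},
    {"Type": "network", "Image": DROPPED, "DestinationIp": "8.8.8.8", "DestinationPort": 53},  # assumed benign
]


def tokens(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def switch_value(toks, switch):
    """Value following a case-insensitive switch such as /tr, or None."""
    low = [t.lower() for t in toks]
    if switch in low and low.index(switch) + 1 < len(toks):
        return toks[low.index(switch) + 1]
    return None


def detect_schtasks_persistence(ev):
    """schtasks /create whose action lives under a user-writable profile path."""
    if basename(ev["Image"]) != "schtasks.exe":
        return None
    toks = tokens(ev["CommandLine"])
    if "/create" not in (t.lower() for t in toks):
        return None
    action = switch_value(toks, "/tr") or ""
    if not USER_WRITABLE.match(action):
        return None
    name = switch_value(toks, "/tn")
    trigger = (switch_value(toks, "/sc") or "?").lower()
    level = (switch_value(toks, "/rl") or "limited").lower()
    return f"schtasks persistence: task {name!r} ({trigger}, /rl {level}) runs {action}"


def detect_self_delete(ev):
    """cmd.exe that delays with ping and then deletes its own parent image."""
    if basename(ev["Image"]) != "cmd.exe":
        return None
    toks = tokens(ev["CommandLine"])
    low = [t.lower() for t in toks]
    if "ping" not in low or "del" not in low:
        return None
    after_del = toks[low.index("del") + 1:]
    targets = [t for t in after_del if not t.startswith("/") and t != "&&"]
    parent = ev.get("ParentImage", "").lower()
    if any(t.lower() == parent for t in targets):
        return f"self-deletion: cmd.exe removes its parent {parent} after a ping delay"
    return None


def detect_masquerade(ev):
    """A Windows system binary name executing from outside System32/SysWOW64."""
    image = ev["Image"]
    if basename(image) in SYSTEM_BINARY_NAMES and not SYSTEM_DIRS.match(image):
        return f"masquerading: {basename(image)} running from {image}"
    return None


def detect_c2(ev):
    """Destination matches one of the extracted SystemBC C2 endpoints."""
    key = (ev["DestinationIp"], int(ev["DestinationPort"]))
    if key in SYSTEMBC_C2:
        return f"SystemBC C2 contact: {ev['Image']} -> {key[0]}:{key[1]}"
    return None


PROCESS_CHECKS = (detect_schtasks_persistence, detect_self_delete, detect_masquerade)


def scan(events):
    """Run every applicable check over the events; return the findings in order."""
    findings = []
    for ev in events:
        checks = (detect_c2,) if ev["Type"] == "network" else PROCESS_CHECKS
        findings.extend(hit for hit in (check(ev) for check in checks) if hit)
    return findings


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

The self-deletion check keys on the DEL target equalling the parent's image path rather than on the literal `chcp 65001 && ping` prefix, so it still fires when the delay command or code page changes; the masquerade check deliberately ignores the parent, since the report shows taskhostw.exe as the parent of the %TEMP% svchost.exe and a parent-based rule would miss it.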

        Network

              MITRE ATT&CK Enterprise v6

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\advapi32.dll

                Filesize

                428KB

                MD5

                4880886732471a6abbb919b2d9c94e03

                SHA1

                78d331eeff674b95bf5d9756a0da7c60b0dee7b4

                SHA256

                c1f5411008304f15bcc5fa281bd9ee8eae70948f2a58db190290adaf259dcee0

                SHA512

                b755b402d051d6ff777249ba5eb4754eeeb2a2c47baeb1d69dac3b7e67e88aa5ef83027a41fbfaf7e170cb2ec0f15065d8bb529f989fb15319d4c143b4900432

              • C:\Users\Admin\AppData\Local\Temp\svchost.exe

                Filesize

                1.8MB

                MD5

                e716ffae131666d5e0e77e5d479b1e37

                SHA1

                42fea83d3a19beecb25d2c5bd46e547bb4a09319

                SHA256

                32684b073e05d41b49611a2d49f25d4d53ca8182d5de134bc7a4924158bc577b

                SHA512

                c559c52b40c5b593e0687d05c9ed54229b0eb62a517940caaecc6d09aa4d21bdc129552cfcd31509e4f5c35be069ee617457ce047460cc6a23270499ca14f75c

              • C:\Users\Admin\goxijag kaqu rabojer\fofew gequa botovib moca loja faromemo sow nexonide hete.exe

                Filesize

                769.2MB

                MD5

                87f8d18b597845376f06754a6cebf08b

                SHA1

                2585ce8d6f20de0da137f8cb87c47a547f6de4f3

                SHA256

                7d8b26b5e0b54b824fbaee47222ec1401b8de4a757e3b6533fd6ca33fd023b4f

                SHA512

                4089986fddcd7da6560a1028c3e77d16e26ec6191aae70467c0fafeffbc2d2999f3b48f0bdba0bfbe12f9730511efedcb33ff244c921a2cd7452eef162591292

              • memory/2156-159-0x0000000002800000-0x0000000002DCB000-memory.dmp

                Filesize

                5.8MB

              • memory/4236-144-0x0000000002B3B000-0x0000000003022000-memory.dmp

                Filesize

                4.9MB

              • memory/4236-160-0x000000000303A000-0x0000000003130000-memory.dmp

                Filesize

                984KB

              • memory/4236-149-0x0000000001150000-0x000000000119B000-memory.dmp

                Filesize

                300KB

              • memory/4236-145-0x0000000002B3B000-0x0000000003022000-memory.dmp

                Filesize

                4.9MB

              • memory/4236-146-0x000000000303A000-0x0000000003130000-memory.dmp

                Filesize

                984KB

              • memory/4236-147-0x000000000303A000-0x0000000003130000-memory.dmp

                Filesize

                984KB

              • memory/4236-148-0x0000000001150000-0x000000000119B000-memory.dmp

                Filesize

                300KB

              • memory/4660-151-0x0000000000400000-0x0000000000407000-memory.dmp

                Filesize

                28KB

              • memory/4660-153-0x0000000000400000-0x0000000000407000-memory.dmp

                Filesize

                28KB

              • memory/4660-155-0x0000000000400000-0x0000000000407000-memory.dmp

                Filesize

                28KB

              • memory/4900-132-0x00000000031EB000-0x00000000036D2000-memory.dmp

                Filesize

                4.9MB

              • memory/4900-135-0x0000000003093000-0x0000000003189000-memory.dmp

                Filesize

                984KB

              • memory/4900-134-0x00000000031EB000-0x00000000036D2000-memory.dmp

                Filesize

                4.9MB

              • memory/4900-133-0x0000000003093000-0x0000000003189000-memory.dmp

                Filesize

                984KB

              • memory/4900-141-0x0000000003093000-0x0000000003189000-memory.dmp

                Filesize

                984KB
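The dropped payload in the Downloads list is 769.2MB, written by a 1.2MB sample. Executables inflated far beyond their code size usually carry a large, uniform overlay after the last PE section, which pushes them past scanner and sandbox upload limits; the report does not say that is what happened here, and the following Python is an added triage check (not from the page or the sandbox), not an analysis of that file. It parses the section table to find where the last section ends, measures the overlay, and reports how uniform it is, using a minimal PE32 image constructed inline so it runs offline. The thresholds in looks_inflated are assumptions; signed binaries and installers legitimately carry overlays (the Authenticode certificate sits there), so uniformity matters more than size alone.

```python
"""Measure the overlay (bytes after the last section) of a PE file.

Added example, not from the sandbox report. build_test_pe() constructs a
minimal PE32 image so the check runs offline; thresholds are assumptions.
"""
import struct
from collections import Counter


def pe_overlay(data):
    """Return (end_of_last_section, overlay_length) for a PE image in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (_machine, nsections, _ts, _psym, _nsym,
     opt_size, _flags) = struct.unpack_from("<HHIIIHH", data, coff)
    section_table = coff + 20 + opt_size
    end = section_table + 40 * nsections          # headers alone, if no section has raw data
    for i in range(nsections):
        _name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, section_table + 40 * i)
        end = max(end, raw_ptr + raw_size)
    end = min(end, len(data))                     # a truncated section cannot yield a negative overlay
    return end, len(data) - end


def overlay_profile(data):
    """Overlay size, its share of the file, and how uniform the overlay bytes are."""
    end, overlay_len = pe_overlay(data)
    tail = data[end:]
    profile = {"file_size": len(data), "overlay_bytes": overlay_len,
               "overlay_fraction": overlay_len / len(data),
               "dominant_byte": None, "dominant_fraction": 0.0}
    if tail:
        byte, count = Counter(tail).most_common(1)[0]
        profile["dominant_byte"] = byte
        profile["dominant_fraction"] = count / len(tail)
    return profile


def looks_inflated(data, min_overlay_fraction=0.5, min_uniformity=0.9):
    """True when most of the file is overlay and that overlay is nearly one repeated byte."""
    p = overlay_profile(data)
    return (p["overlay_fraction"] >= min_overlay_fraction
            and p["dominant_fraction"] >= min_uniformity)


def build_test_pe(section_data, overlay=b""):
    """Construct a minimal PE32 with one .text section at file offset 0x200 (test input)."""
    raw_ptr = 0x200
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))              # e_lfanew
    optional = bytearray(224)
    struct.pack_into("<H", optional, 0, 0x10B)               # PE32 magic
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(optional), 0x0102)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                          len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(optional) + section
    return headers.ljust(raw_ptr, b"\0") + section_data + overlay


if __name__ == "__main__":
    padded = build_test_pe(b"\xCC" * 0x200, overlay=b"\0" * (1 << 20))   # 1 MiB of NUL padding
    print(overlay_profile(padded), looks_inflated(padded))
```

For a file the size of the one in this report, read only the headers to locate the section end and then sample the tail (or mmap the file) rather than passing the whole image to Counter; the logic is unchanged.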