Overview

overview

10

Static

static

0e5be3896c...bf.exe

windows7-x64

10

0e5be3896c...bf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2022 07:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e5be3896c55c18c7a309bb9373defbf.exe

  • Size

    231KB

  • MD5

    0e5be3896c55c18c7a309bb9373defbf

  • SHA1

    dfaa36c3bdb7450be131c522e84f22f2da7ee6b1

  • SHA256

    e3df896880b51267bbbafeecf87a4c3b1c97a6a5dba9136f8731eac864424f13

  • SHA512

    1c0df34bdb37a67a9c0b6867f62ba439236e9ac8f8b242049f71fb7f959a1de99d8d0ae5b7b7e5dabab30062bc6dc6eccb5eb95ddbec07e43a374d5db8a44e14

  • SSDEEP

    3072:FcXNVVuNrkCwcPc6xC1pG5rQxO1/57LUYXu+6Doe0KwY:ecNrtwmE1Cz1iskn0c

Score
10/10
systembctrojan

Malware Config

Extracted

Family

systembc

C2

45.182.189.231:443

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e5be3896c55c18c7a309bb9373defbf.exe
    "C:\Users\Admin\AppData\Local\Temp\0e5be3896c55c18c7a309bb9373defbf.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:1180
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 492
      2⤵
      • Program crash
      PID:5044
  • C:\ProgramData\pnfvk\wkcq.exe
    C:\ProgramData\pnfvk\wkcq.exe start
    1⤵
    • Executes dropped EXE
    PID:3744
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1180 -ip 1180
    1⤵
      PID:3152

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\pnfvk\wkcq.exe
      Filesize

      231KB

      MD5

      0e5be3896c55c18c7a309bb9373defbf

      SHA1

      dfaa36c3bdb7450be131c522e84f22f2da7ee6b1

      SHA256

      e3df896880b51267bbbafeecf87a4c3b1c97a6a5dba9136f8731eac864424f13

      SHA512

      1c0df34bdb37a67a9c0b6867f62ba439236e9ac8f8b242049f71fb7f959a1de99d8d0ae5b7b7e5dabab30062bc6dc6eccb5eb95ddbec07e43a374d5db8a44e14

      Download Submit
    • C:\ProgramData\pnfvk\wkcq.exe
      Filesize

      231KB

      MD5

      0e5be3896c55c18c7a309bb9373defbf

      SHA1

      dfaa36c3bdb7450be131c522e84f22f2da7ee6b1

      SHA256

      e3df896880b51267bbbafeecf87a4c3b1c97a6a5dba9136f8731eac864424f13

      SHA512

      1c0df34bdb37a67a9c0b6867f62ba439236e9ac8f8b242049f71fb7f959a1de99d8d0ae5b7b7e5dabab30062bc6dc6eccb5eb95ddbec07e43a374d5db8a44e14

      Download Submit
    • memory/1180-132-0x000000000071E000-0x000000000072E000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1180-133-0x0000000000580000-0x0000000000589000-memory.dmp
      Filesize

      36KB

      Download
    • memory/1180-134-0x0000000000400000-0x000000000043E000-memory.dmp
      Filesize

      248KB

      Download
    • memory/1180-135-0x000000000071E000-0x000000000072E000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1180-140-0x000000000071E000-0x000000000072E000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3744-138-0x00000000005FA000-0x000000000060A000-memory.dmp
      Filesize

      64KB

      Download
    • memory/3744-139-0x0000000000400000-0x000000000043E000-memory.dmp
      Filesize

      248KB

      Download