Overview

overview

10

Static

static

688d65ac7f...ba.exe

windows7-x64

10

688d65ac7f...ba.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    12-01-2023 15:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    688d65ac7f7320069527a498d55ef4ba.exe

  • Size

    1.6MB

  • MD5

    688d65ac7f7320069527a498d55ef4ba

  • SHA1

    e1f2ef3e5f79d96112b127507be0ecf68d053dfe

  • SHA256

    bb85e49014f9b6f09e73f32fe5a695549b6b3bf4656cb0041bde68e66f25f54d

  • SHA512

    bb77d183f5a7b2d07631f79ecf04d4d7ee76e09057ca282df42090b042bf15afacc172cff28d3835c0d63a012f50e22d5eebd48b3ffa17b5cac3ed67abe16092

  • SSDEEP

    24576:g+rjlPyhYziEkqwiX0tDSS1nTa8EjP4OS5lC6faMJLCK8Tmm8qXjUwUk0mW6C:NVPyCzidqwqxO5xL9tmPow9TWb

Score
10/10
systembcevasiontrojan

Malware Config

Extracted

Family

systembc

C2

31.41.244.235:4440

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\688d65ac7f7320069527a498d55ef4ba.exe
    "C:\Users\Admin\AppData\Local\Temp\688d65ac7f7320069527a498d55ef4ba.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    PID:1252
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {2087329C-11F0-41FE-ABF0-FD97CA18507E} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1780
    • C:\Users\Admin\AppData\Local\Temp\688d65ac7f7320069527a498d55ef4ba.exe
      C:\Users\Admin\AppData\Local\Temp\688d65ac7f7320069527a498d55ef4ba.exe start
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:1248

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1248-57-0x0000000000000000-mapping.dmp

    Download

  • memory/1248-59-0x0000000000400000-0x000000000083F000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/1248-61-0x0000000000400000-0x000000000083F000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/1252-54-0x0000000075931000-0x0000000075933000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1252-55-0x0000000000400000-0x000000000083F000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/1252-56-0x00000000779F0000-0x0000000077B70000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1252-60-0x0000000000400000-0x000000000083F000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/1252-62-0x0000000000400000-0x000000000083F000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/1252-63-0x00000000779F0000-0x0000000077B70000-memory.dmp

    Filesize

    1.5MB

    Download