Malware Analysis Report

2025-05-05 23:59

Sample ID 230207-23s2msfe4x
Target 329501486d4922ccf3a28e8ecf0046151e7106dc31ea6df33670d0d15d10cf54
SHA256 329501486d4922ccf3a28e8ecf0046151e7106dc31ea6df33670d0d15d10cf54
Tags
systembc trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

329501486d4922ccf3a28e8ecf0046151e7106dc31ea6df33670d0d15d10cf54

Threat Level: Known bad

The file 329501486d4922ccf3a28e8ecf0046151e7106dc31ea6df33670d0d15d10cf54 was found to be: Known bad.

Malicious Activity Summary

systembc trojan

SystemBC

Blocklisted process makes network request

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-02-07 23:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-07 23:06

Reported

2023-02-07 23:09

Platform

win10v2004-20220812-en

Max time kernel

132s

Max time network

144s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\329501486d4922ccf3a28e8ecf0046151e7106dc31ea6df33670d0d15d10cf54.dll,#1

Signatures

SystemBC

trojan systembc

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4656 wrote to memory of 4860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4656 wrote to memory of 4860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 4656 wrote to memory of 4860 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\329501486d4922ccf3a28e8ecf0046151e7106dc31ea6df33670d0d15d10cf54.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\329501486d4922ccf3a28e8ecf0046151e7106dc31ea6df33670d0d15d10cf54.dll,#1

Network

Country | Destination | Domain | Proto
US | 52.168.117.170:443 | | tcp
RU | 212.118.36.165:4193 | | tcp

Files

memory/4860-132-0x0000000000000000-mapping.dmp

memory/4860-133-0x0000000010000000-0x000000001013B000-memory.dmp

memory/4860-134-0x0000000000B40000-0x0000000000C58000-memory.dmp

memory/4860-135-0x00000000005E0000-0x00000000005E4000-memory.dmp

memory/4860-136-0x00000000008D0000-0x00000000008D3000-memory.dmp

memory/4860-137-0x00000000008D0000-0x00000000008D3000-memory.dmp

memory/4860-138-0x00000000008D0000-0x00000000008D4000-memory.dmp

memory/4860-139-0x00000000008E0000-0x00000000008E3000-memory.dmp

memory/4860-140-0x0000000000900000-0x0000000000903000-memory.dmp

memory/4860-142-0x00000000008D0000-0x00000000008D3000-memory.dmp

memory/4860-141-0x00000000008D0000-0x00000000008D3000-memory.dmp

memory/4860-143-0x00000000008D0000-0x00000000008D4000-memory.dmp