Analysis
-
max time kernel
598s -
max time network
601s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
22-02-2023 10:35
General
-
Target
40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe
-
Size
7.2MB
-
MD5
9606143c857bbfe1b1da8e3d1fa9ae0e
-
SHA1
cb3a1b1d8e6acbe46c96b5b159a7be2d372b3cc6
-
SHA256
40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b
-
SHA512
2e118c618265b8769b15dff8add661c60f17afd46365773ca22e359b03a765c83a7f316057045293a71b53a889771fadf54e6ac1ee3fd9b3a7437f266f8af08b
-
SSDEEP
196608:jeuNPzUCugRPeW7R9dGfqEjirb49GOD2MpkB:CmZB77R9d0q1A9GLM
Malware Config
Extracted
systembc
31.222.238.58:4280
192.168.1.28:4280
Signatures
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe"C:\Users\Admin\AppData\Local\Temp\40003d01db9c34da73a415792dba3a617fab65e91d2aae7bbbcd335af198a66b.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c tzutil /g2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tzutil.exetzutil /g3⤵
-
C:\Users\Admin\AppData\Roaming\WindowsInstaller\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\WindowsInstaller\Runtime Broker.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\WindowsInstaller\Runtime Broker.exe"C:\Users\Admin\AppData\Roaming\WindowsInstaller\Runtime Broker.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exe"4⤵
-
C:\Users\Admin\AppData\Roaming\WindowsInstaller\MsMpEng.exe"C:\Users\Admin\AppData\Roaming\WindowsInstaller\MsMpEng.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd" /c ping 127.0.0.1 -n 39 > nul && copy "C:\Users\Admin\AppData\Roaming\WindowsInstaller\MsMpEng.exe" "C:\Users\Admin\AppData\Roaming\ncache\pu5xtvhm.exe" && ping 127.0.0.1 -n 39 > nul && "C:\Users\Admin\AppData\Roaming\ncache\pu5xtvhm.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 394⤵
- Runs ping.exe
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 394⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\ncache\pu5xtvhm.exe"C:\Users\Admin\AppData\Roaming\ncache\pu5xtvhm.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\mozglue.dllFilesize
593KB
MD5c8fd9be83bc728cc04beffafc2907fe9
SHA195ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
-
C:\ProgramData\nss3.dllFilesize
2.0MB
MD51cc453cdf74f31e4d913ff9c10acdde2
SHA16e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD5f755f3962d368bfe5e0b1f3ebc52fd0b
SHA1a40a7e9fdfb8b4a7d00cd4add79e33e7e4a51e1a
SHA256de68a9d3d60411a88f915828e6c3d3e6d5f7083f96047d7580c2ffd4168913ef
SHA512dbba32c6a9831e969d6d5f1e0e4fe1c1944954b36d9b2663998f45f1cc546e213e93c20028b4885728d786a77524cf09e19626c84bb8f868eb1011ab472f9453
-
C:\Users\Admin\AppData\Local\Temp\GIECFIEGDB.exeFilesize
3KB
MD5d9191ae8aa27233dedd887afcc8765b4
SHA129e157aa11a024e08ab01c65393b2f38cda77093
SHA25606141fdbc8f4bbb21d0a16cc89c03d07b24e84360002bf7415d715c62c25040d
SHA5123f8cf46484690ef3eba9a8b48e8f6a4ec718ea6d7043a0cb2faca95ecd2715b9ef1e2df4756a63b580e333a01c545c586719433d6b46912ce794a000774083ea
-
C:\Users\Admin\AppData\Roaming\WindowsInstaller\MsMpEng.exeFilesize
420KB
MD5e85fa08c1ed20440363e2e44eced6299
SHA1e0867a371a5c6bfdf6bd84470b188f0817b4d23a
SHA256c1f5b88413bef3bc89aacd544847d5690fe17247b10d5922e59e4cbc6c37707e
SHA51273bc5a867c7b86f32257f43167c1816b9087a0fc6d70f1500194821abbdfcaddb4f79325e0b24837fabb9594284ff9bb7b180de5fc0264287a6345b146ffcfbf
-
C:\Users\Admin\AppData\Roaming\WindowsInstaller\MsMpEng.exeFilesize
420KB
MD5e85fa08c1ed20440363e2e44eced6299
SHA1e0867a371a5c6bfdf6bd84470b188f0817b4d23a
SHA256c1f5b88413bef3bc89aacd544847d5690fe17247b10d5922e59e4cbc6c37707e
SHA51273bc5a867c7b86f32257f43167c1816b9087a0fc6d70f1500194821abbdfcaddb4f79325e0b24837fabb9594284ff9bb7b180de5fc0264287a6345b146ffcfbf
-
C:\Users\Admin\AppData\Roaming\WindowsInstaller\Runtime Broker.exeFilesize
584KB
MD5c32c03cf9a70ade1d4efc11853cd0225
SHA111ed71198457e158e15cc3e157dc7b979951d7e1
SHA256b51beb1c3f5b26d7766492130826d5f985a05b72b628a257a06494999a054c02
SHA51213b2ec3e400ef25596eb13e891ffdc7e9b6492a4cf0733b48252d2c1d273ab4fcbe0d843b00f1e491eaff339fa2a1cd68a59366e36cf24a0f1e2a45b7f8df20b
-
C:\Users\Admin\AppData\Roaming\WindowsInstaller\Runtime Broker.exeFilesize
584KB
MD5c32c03cf9a70ade1d4efc11853cd0225
SHA111ed71198457e158e15cc3e157dc7b979951d7e1
SHA256b51beb1c3f5b26d7766492130826d5f985a05b72b628a257a06494999a054c02
SHA51213b2ec3e400ef25596eb13e891ffdc7e9b6492a4cf0733b48252d2c1d273ab4fcbe0d843b00f1e491eaff339fa2a1cd68a59366e36cf24a0f1e2a45b7f8df20b
-
C:\Users\Admin\AppData\Roaming\WindowsInstaller\Runtime Broker.exeFilesize
584KB
MD5c32c03cf9a70ade1d4efc11853cd0225
SHA111ed71198457e158e15cc3e157dc7b979951d7e1
SHA256b51beb1c3f5b26d7766492130826d5f985a05b72b628a257a06494999a054c02
SHA51213b2ec3e400ef25596eb13e891ffdc7e9b6492a4cf0733b48252d2c1d273ab4fcbe0d843b00f1e491eaff339fa2a1cd68a59366e36cf24a0f1e2a45b7f8df20b
-
C:\Users\Admin\AppData\Roaming\ncache\pu5xtvhm.exeFilesize
420KB
MD5e85fa08c1ed20440363e2e44eced6299
SHA1e0867a371a5c6bfdf6bd84470b188f0817b4d23a
SHA256c1f5b88413bef3bc89aacd544847d5690fe17247b10d5922e59e4cbc6c37707e
SHA51273bc5a867c7b86f32257f43167c1816b9087a0fc6d70f1500194821abbdfcaddb4f79325e0b24837fabb9594284ff9bb7b180de5fc0264287a6345b146ffcfbf
-
C:\Users\Admin\AppData\Roaming\ncache\pu5xtvhm.exeFilesize
420KB
MD5e85fa08c1ed20440363e2e44eced6299
SHA1e0867a371a5c6bfdf6bd84470b188f0817b4d23a
SHA256c1f5b88413bef3bc89aacd544847d5690fe17247b10d5922e59e4cbc6c37707e
SHA51273bc5a867c7b86f32257f43167c1816b9087a0fc6d70f1500194821abbdfcaddb4f79325e0b24837fabb9594284ff9bb7b180de5fc0264287a6345b146ffcfbf
-
C:\Users\Admin\AppData\Roaming\ncache\pu5xtvhm.exeFilesize
420KB
MD5e85fa08c1ed20440363e2e44eced6299
SHA1e0867a371a5c6bfdf6bd84470b188f0817b4d23a
SHA256c1f5b88413bef3bc89aacd544847d5690fe17247b10d5922e59e4cbc6c37707e
SHA51273bc5a867c7b86f32257f43167c1816b9087a0fc6d70f1500194821abbdfcaddb4f79325e0b24837fabb9594284ff9bb7b180de5fc0264287a6345b146ffcfbf
-
memory/456-172-0x0000000005300000-0x0000000005310000-memory.dmpFilesize
64KB
-
memory/456-168-0x0000000000E50000-0x0000000000EBE000-memory.dmpFilesize
440KB
-
memory/456-174-0x0000000005300000-0x0000000005310000-memory.dmpFilesize
64KB
-
memory/456-176-0x0000000005300000-0x0000000005310000-memory.dmpFilesize
64KB
-
memory/456-177-0x0000000005300000-0x0000000005310000-memory.dmpFilesize
64KB
-
memory/456-178-0x0000000005300000-0x0000000005310000-memory.dmpFilesize
64KB
-
memory/456-179-0x0000000005300000-0x0000000005310000-memory.dmpFilesize
64KB
-
memory/456-180-0x0000000005300000-0x0000000005310000-memory.dmpFilesize
64KB
-
memory/456-181-0x0000000005300000-0x0000000005310000-memory.dmpFilesize
64KB
-
memory/456-170-0x0000000004FC0000-0x0000000005052000-memory.dmpFilesize
584KB
-
memory/456-173-0x0000000002890000-0x000000000289A000-memory.dmpFilesize
40KB
-
memory/456-171-0x0000000005070000-0x000000000510C000-memory.dmpFilesize
624KB
-
memory/456-169-0x0000000005620000-0x0000000005BC4000-memory.dmpFilesize
5.6MB
-
memory/972-183-0x0000000000980000-0x0000000000988000-memory.dmpFilesize
32KB
-
memory/972-159-0x0000000000580000-0x0000000000581000-memory.dmpFilesize
4KB
-
memory/972-189-0x0000000000980000-0x0000000000988000-memory.dmpFilesize
32KB
-
memory/2580-280-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/2580-282-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/2580-283-0x0000000000400000-0x0000000000406000-memory.dmpFilesize
24KB
-
memory/3656-184-0x0000000000400000-0x000000000062D000-memory.dmpFilesize
2.2MB
-
memory/3656-190-0x0000000000030000-0x0000000000031000-memory.dmpFilesize
4KB
-
memory/3656-192-0x0000000000400000-0x000000000062D000-memory.dmpFilesize
2.2MB
-
memory/3656-262-0x0000000000400000-0x000000000062D000-memory.dmpFilesize
2.2MB
-
memory/3656-264-0x0000000000400000-0x0000000000628000-memory.dmpFilesize
2.2MB
-
memory/3656-191-0x0000000000400000-0x0000000000628000-memory.dmpFilesize
2.2MB
-
memory/3656-187-0x0000000000400000-0x000000000062D000-memory.dmpFilesize
2.2MB
-
memory/3656-193-0x0000000061E00000-0x0000000061EF3000-memory.dmpFilesize
972KB
-
memory/4312-151-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/4312-140-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/4312-137-0x0000000000400000-0x000000000040E000-memory.dmpFilesize
56KB
-
memory/4312-133-0x0000000000940000-0x00000000013B4000-memory.dmpFilesize
10.5MB
-
memory/4808-273-0x0000000004C30000-0x0000000004C40000-memory.dmpFilesize
64KB
-
memory/4808-275-0x0000000004C30000-0x0000000004C40000-memory.dmpFilesize
64KB
-
memory/4808-276-0x0000000004C30000-0x0000000004C40000-memory.dmpFilesize
64KB
-
memory/4808-277-0x0000000004C30000-0x0000000004C40000-memory.dmpFilesize
64KB
-
memory/4808-278-0x0000000004C30000-0x0000000004C40000-memory.dmpFilesize
64KB
-
memory/4808-279-0x0000000004C30000-0x0000000004C40000-memory.dmpFilesize
64KB
-
memory/4808-274-0x0000000004C30000-0x0000000004C40000-memory.dmpFilesize
64KB
-
memory/4808-272-0x0000000004C30000-0x0000000004C40000-memory.dmpFilesize
64KB
-
memory/4808-271-0x0000000000570000-0x00000000005DE000-memory.dmpFilesize
440KB