Overview

overview

10

Static

static

1

b05920b00f...66.exe

windows7-x64

10

b05920b00f...66.exe

windows10-1703-x64

10

b05920b00f...66.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    1799s
  • max time network
    1803s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03-03-2023 13:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b05920b00f2252b5060c6a6b0dbe4df78973754a8044598c65fc7ad60b498e66.exe

  • Size

    944KB

  • MD5

    c962299aa7f1294524a03cb2c7925f14

  • SHA1

    2c3a73a02cf691248c5ecaa1d2111f9b0c197713

  • SHA256

    b05920b00f2252b5060c6a6b0dbe4df78973754a8044598c65fc7ad60b498e66

  • SHA512

    9dd66ddce441cb20ca296ddc9ba9023c397ef27ca6974fec8f6bd5e0b12167154f91606a1216bc745d7aa8babcf1677c005120b8c56bb4ab8583a3a796f19d7b

  • SSDEEP

    24576:K5VTOzE3lI8hzkn1L2eEFk/6cXJ/dEI56q2A/Te:IcE1rzk1ahFYXJl75h1/T

Score
10/10
systembcpersistencetrojan

Malware Config

Extracted

Family

systembc

C2

31.222.238.58:4280

192.168.1.28:4280

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b05920b00f2252b5060c6a6b0dbe4df78973754a8044598c65fc7ad60b498e66.exe
    "C:\Users\Admin\AppData\Local\Temp\b05920b00f2252b5060c6a6b0dbe4df78973754a8044598c65fc7ad60b498e66.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4024
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAANQAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4416
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
        PID:3688

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4nnpv423.orb.ps1
      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

      Download Submit
    • memory/3688-169-0x0000000000400000-0x0000000000406000-memory.dmp
      Filesize

      24KB

      Download
    • memory/3688-168-0x0000000000400000-0x0000000000406000-memory.dmp
      Filesize

      24KB

      Download
    • memory/3688-165-0x0000000000400000-0x0000000000406000-memory.dmp
      Filesize

      24KB

      Download
    • memory/4024-127-0x0000000004C70000-0x0000000004C76000-memory.dmp
      Filesize

      24KB

      Download
    • memory/4024-126-0x0000000004EB0000-0x0000000004F50000-memory.dmp
      Filesize

      640KB

      Download
    • memory/4024-121-0x0000000000210000-0x0000000000302000-memory.dmp
      Filesize

      968KB

      Download
    • memory/4024-128-0x0000000005080000-0x00000000050A2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4024-129-0x0000000005770000-0x0000000005AC0000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4024-122-0x0000000004D60000-0x0000000004D70000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4024-123-0x0000000004AA0000-0x0000000004B78000-memory.dmp
      Filesize

      864KB

      Download
    • memory/4024-124-0x0000000005270000-0x000000000576E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/4024-157-0x0000000004D60000-0x0000000004D70000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4024-125-0x0000000004CA0000-0x0000000004D32000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4416-138-0x0000000007C40000-0x0000000007C5C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/4416-137-0x0000000007CE0000-0x0000000007D46000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4416-139-0x0000000008660000-0x00000000086AB000-memory.dmp
      Filesize

      300KB

      Download
    • memory/4416-140-0x0000000008470000-0x00000000084E6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4416-136-0x0000000007C70000-0x0000000007CD6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4416-155-0x0000000009B50000-0x000000000A1C8000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/4416-156-0x0000000009270000-0x000000000928A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4416-135-0x0000000004D30000-0x0000000004D40000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4416-158-0x0000000004D30000-0x0000000004D40000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4416-159-0x0000000004D30000-0x0000000004D40000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4416-134-0x0000000004D30000-0x0000000004D40000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4416-133-0x00000000073F0000-0x0000000007A18000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/4416-132-0x0000000004C90000-0x0000000004CC6000-memory.dmp
      Filesize

      216KB

      Download