Analysis

  • max time kernel
    85s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-04-2023 09:10

General

  • Target

    b1d156c496219977a9cd4355094613f5.exe

  • Size

    1.1MB

  • MD5

    b1d156c496219977a9cd4355094613f5

  • SHA1

    2f0476f22e05455ff4e56171438d16ff87291ea5

  • SHA256

    a2bf4098b65e0efb8bc9cba70cfb5e36d01de5f591d100bb429a5dc3ef6c3bc3

  • SHA512

    cf2b36778aa5a54b082de89b9e0e4404e00cf634ba9d7cfe8a8f21a8a39be0787a042328688af18f6fe6a144d869a73100267e1301cfbbd0701c7c3595dc81cc

  • SSDEEP

    24576:kob9rHzThqel1mK5XJent7IL+PYL65XPr5JfQZZ0WgisS:kE9TTRlvS5YL6ptJfQZiWg3S

Score
10/10

Malware Config

Extracted

Family

systembc

C2

45.138.74.200:4001

212.8.244.5:4001

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b1d156c496219977a9cd4355094613f5.exe
    "C:\Users\Admin\AppData\Local\Temp\b1d156c496219977a9cd4355094613f5.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4416
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe"
      2⤵
      • Creates scheduled task(s)
      PID:4332
    • C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe
      "C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4472
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\b1d156c496219977a9cd4355094613f5.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\SysWOW64\chcp.com
        chcp 65001
        3⤵
          PID:5092
        • C:\Windows\SysWOW64\PING.EXE
          ping 127.0.0.1
          3⤵
          • Runs ping.exe
          PID:4092

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    • Execution
      Scheduled Task (1) T1053
    • Persistence
      Scheduled Task (1) T1053
    • Privilege Escalation
      Scheduled Task (1) T1053
    • Discovery
      Query Registry (1) T1012
      System Information Discovery (2) T1082
      Remote System Discovery (1) T1018

    Downloads

    • C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe
      Filesize

      752.1MB

      MD5

      d852d875a402fdb6596a20c00d527ca7

      SHA1

      c6d9a225b28e710ca7763e8a73845d0d259aa92f

      SHA256

      c4c469c8c6a93e6ae49192da6d72abf516d20f6d1696f9499d7d20d3e19d3237

      SHA512

      de29c8f849e3798a5a8137a748b65d3e72fc2f9303a26207fd420109d296cf220f3e03a8629cef90b776e08f25f39a122c67b5d397907294cbef3348ea2bce66

    • C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe
      Filesize

      690.1MB

      MD5

      079889f810705b3eddbc547d4d6c7f41

      SHA1

      a351109a048d5142ccc84c944367c9cde1dc8b66

      SHA256

      9a5c05f7a4931a22d18b37e656a7113c3fab3a511ae009b2783156d469b51d2a

      SHA512

      eeec33eab3d21842a3d79205e3adba5a8e7388213fa86f68182a10c7ff53fcc20770cb30dc30ebf29015009f1e864d4044c66db447756a6dc42ea2d7746bdf1b

    • memory/4472-144-0x000000000F7E0000-0x000000000F82B000-memory.dmp
      Filesize

      300KB

    • memory/4472-145-0x0000000000400000-0x0000000000406000-memory.dmp
      Filesize

      24KB