Malware Analysis Report

2025-04-03 09:42

Sample ID 230421-q8b5jahg5z
Target 926fcb9483faa39dd93c8442e43af9285844a1fbbe493f3e4731bbbaecffb732.zip
SHA256 28e85f358edc05e8b745aa1e0253b3baed0d4083a2bbe92219e1b2c8ed25bc9a
Tags
systembc
score
10/10

Analysis Overview

score
10/10

SHA256

28e85f358edc05e8b745aa1e0253b3baed0d4083a2bbe92219e1b2c8ed25bc9a

Threat Level: Known bad

The file 926fcb9483faa39dd93c8442e43af9285844a1fbbe493f3e4731bbbaecffb732.zip was found to be: Known bad.

Malicious Activity Summary

systembc

Systembc family

Blocklisted process makes network request

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-04-21 13:55

Signatures

Systembc family

systembc

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-21 13:55

Reported

2023-04-21 13:58

Platform

win7-20230220-en

Max time kernel

30s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\C\ProgramData\Sentinel\AFUCache\926fcb9483faa39dd93c8442e43af9285844a1fbbe493f3e4731bbbaecffb732.dll,#1

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1524 wrote to memory of 1568 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1524 wrote to memory of 1568 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1524 wrote to memory of 1568 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1524 wrote to memory of 1568 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1524 wrote to memory of 1568 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1524 wrote to memory of 1568 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1524 wrote to memory of 1568 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\C\ProgramData\Sentinel\AFUCache\926fcb9483faa39dd93c8442e43af9285844a1fbbe493f3e4731bbbaecffb732.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\C\ProgramData\Sentinel\AFUCache\926fcb9483faa39dd93c8442e43af9285844a1fbbe493f3e4731bbbaecffb732.dll,#1

Network

Country Destination Domain Proto
LT 93.115.25.41:443 N/A tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-21 13:55

Reported

2023-04-21 13:58

Platform

win10v2004-20230220-en

Max time kernel

80s

Max time network

136s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\C\ProgramData\Sentinel\AFUCache\926fcb9483faa39dd93c8442e43af9285844a1fbbe493f3e4731bbbaecffb732.dll,#1

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1628 wrote to memory of 2932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1628 wrote to memory of 2932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1628 wrote to memory of 2932 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\C\ProgramData\Sentinel\AFUCache\926fcb9483faa39dd93c8442e43af9285844a1fbbe493f3e4731bbbaecffb732.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\C\ProgramData\Sentinel\AFUCache\926fcb9483faa39dd93c8442e43af9285844a1fbbe493f3e4731bbbaecffb732.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 193.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
LT 93.115.25.41:443 N/A tcp
US 8.8.8.8:53 41.25.115.93.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 93.184.220.29:80 N/A tcp
NL 84.53.175.11:80 N/A tcp
NL 173.223.113.164:443 N/A tcp
NL 173.223.113.131:80 N/A tcp
US 204.79.197.203:80 N/A tcp

Files

N/A