Malware Analysis Report

2025-04-03 09:41

Sample ID 230425-rb5agsag33
Target file.exe
SHA256 af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e
Tags systembc trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

systembc trojan

SystemBC

Drops startup file

Deletes itself

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-25 14:02

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-25 14:02

Reported

2023-04-25 14:04

Platform

win7-20230220-en

Max time kernel

147s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

SystemBC

trojan systembc

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CrystalDiskInfo.lnk C:\Users\Admin\AppData\Local\Temp\is-A697G.tmp\file.tmp N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 804 set thread context of 2008 N/A C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-A697G.tmp\file.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1672 wrote to memory of 1256 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\is-85AM9.tmp\file.tmp
PID 1256 wrote to memory of 564 N/A C:\Users\Admin\AppData\Local\Temp\is-85AM9.tmp\file.tmp C:\Users\Admin\AppData\Local\Temp\file.exe
PID 564 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\is-A697G.tmp\file.tmp
PID 908 wrote to memory of 804 N/A C:\Users\Admin\AppData\Local\Temp\is-A697G.tmp\file.tmp C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr
PID 908 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\is-A697G.tmp\file.tmp C:\Windows\SysWOW64\cmd.exe
PID 804 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\is-85AM9.tmp\file.tmp

"C:\Users\Admin\AppData\Local\Temp\is-85AM9.tmp\file.tmp" /SL5="$70126,5336595,180224,C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe" /verysilent /sp-

C:\Users\Admin\AppData\Local\Temp\is-A697G.tmp\file.tmp

"C:\Users\Admin\AppData\Local\Temp\is-A697G.tmp\file.tmp" /SL5="$80126,5336595,180224,C:\Users\Admin\AppData\Local\Temp\file.exe" /verysilent /sp-

C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr

"C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\.cmd""

C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr

"C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr"

Network

Country Destination Domain Proto
NL 5.45.73.25:4246 tcp

Files

C:\Users\Admin\AppData\Local\Temp\is-85AM9.tmp\file.tmp

\Users\Admin\AppData\Local\Temp\is-T96N9.tmp\_isetup\_shfoldr.dll

C:\Users\Admin\AppData\Local\Temp\is-A697G.tmp\file.tmp

C:\Users\Admin\AppData\Local\Temp\is-NV4CQ.tmp\_isetup\_shfoldr.dll

C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr

C:\Users\Admin\AppData\Local\Temp\.cmd

C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-25 14:02

Reported

2023-04-25 14:04

Platform

win10v2004-20230220-en

Max time kernel

148s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

SystemBC

trojan systembc

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\is-9APH5.tmp\file.tmp N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CrystalDiskInfo.lnk C:\Users\Admin\AppData\Local\Temp\is-HOP04.tmp\file.tmp N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2420 set thread context of 3068 N/A C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-HOP04.tmp\file.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4960 wrote to memory of 5080 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\is-9APH5.tmp\file.tmp
PID 5080 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\is-9APH5.tmp\file.tmp C:\Users\Admin\AppData\Local\Temp\file.exe
PID 1872 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\file.exe C:\Users\Admin\AppData\Local\Temp\is-HOP04.tmp\file.tmp
PID 3464 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\is-HOP04.tmp\file.tmp C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr
PID 3464 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\is-HOP04.tmp\file.tmp C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\is-9APH5.tmp\file.tmp

"C:\Users\Admin\AppData\Local\Temp\is-9APH5.tmp\file.tmp" /SL5="$7004E,5336595,180224,C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe" /verysilent /sp-

C:\Users\Admin\AppData\Local\Temp\is-HOP04.tmp\file.tmp

"C:\Users\Admin\AppData\Local\Temp\is-HOP04.tmp\file.tmp" /SL5="$8004E,5336595,180224,C:\Users\Admin\AppData\Local\Temp\file.exe" /verysilent /sp-

C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr

"C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\.cmd""

C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr

"C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr"

Network


Files

C:\Users\Admin\AppData\Local\Temp\is-9APH5.tmp\file.tmp

C:\Users\Admin\AppData\Local\Temp\is-HOP04.tmp\file.tmp

C:\Users\Admin\AppData\Local\Temp\is-AF97P.tmp\_isetup\_shfoldr.dll

C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr

C:\Users\Admin\AppData\Local\Temp\.cmd