Malware Analysis Report

2025-04-03 09:39

Sample ID 230506-n6b1msha74
Target scks.exe
SHA256 6f78256f20eb2b5594391095a341f8749395e7566fdd2ddd3a34a0db9bb9f871
Tags
systembc persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6f78256f20eb2b5594391095a341f8749395e7566fdd2ddd3a34a0db9bb9f871

Threat Level: Known bad

The file scks.exe was found to be: Known bad.

Malicious Activity Summary

systembc persistence trojan

SystemBC

Adds Run key to start application

Unsigned PE

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-06 12:00

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-06 12:00

Reported

2023-05-06 12:02

Platform

win10v2004-20230220-en

Max time kernel

134s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\scks.exe"

Signatures

SystemBC

trojan systembc

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\scks.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\scks.exe'\"" C:\Users\Admin\AppData\Local\Temp\scks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\scks.exe

"C:\Users\Admin\AppData\Local\Temp\scks.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 93.184.220.29:80 tcp
US 93.184.220.29:80 tcp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 20.189.173.5:443 tcp
NL 8.238.20.126:80 tcp
NL 8.238.20.126:80 tcp
NL 173.223.113.164:443 tcp
BE 23.55.97.181:80 tcp
US 131.253.33.203:80 tcp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 93.184.221.240:80 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 15.204.166.162:5757 tcp
US 8.8.8.8:53 162.166.204.15.in-addr.arpa udp

Files

memory/4196-133-0x00000000001C0000-0x00000000002B3000-memory.dmp

memory/4196-134-0x00000000012E0000-0x00000000012E6000-memory.dmp

memory/4196-135-0x00000000001C0000-0x00000000002B3000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-06 12:00

Reported

2023-05-06 12:02

Platform

win7-20230220-en

Max time kernel

132s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\scks.exe"

Signatures

SystemBC

trojan systembc

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\scks.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& ''\"" C:\Users\Admin\AppData\Local\Temp\scks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\scks.exe

"C:\Users\Admin\AppData\Local\Temp\scks.exe"

Network

Country Destination Domain Proto
US 15.204.166.162:5757 tcp

Files

memory/2008-54-0x0000000000130000-0x0000000000136000-memory.dmp

memory/2008-55-0x0000000000CF0000-0x0000000000DE3000-memory.dmp