Analysis

  • max time kernel
    145s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-07-2023 17:29

General

  • Target

    SecuriteInfo.com.FileRepMalware.1537.4965.exe

  • Size

    1.7MB

  • MD5

    571a3130d8dfa900c4f1fc443b18a69e

  • SHA1

    c1509161b2bd443739648475f39ee710dbbfe869

  • SHA256

    d91e0131e9a5854d8a2299742a4332bf127a185b72949d731d5e48aa87144f94

  • SHA512

    f07907f671b764768016c50f0e4a09a732ffdde6bd70cfc185c81ce9e4dd8eab2e7e423fb87e05d0b437f0a4fdaee8d36fa6b86045e498d9fed8ce7961fa529a

  • SSDEEP

    24576:juJN/7n6lbcu8oba51zj1SqdAGFQZIxvH7Gv3V8tZLAA9u45UJoeVO:86+u8o23zjYq+ZIPX9P5UJoek

Score
10/10

Malware Config

Extracted

Family

systembc

C2

ar.undata.cc:5320

ar1.undata.cc:5320

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1537.4965.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.1537.4965.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4864
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        3⤵
        PID:5108

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\AppData\Local\Temp\212b701e

      Filesize

      434KB

      MD5

      bd9386965025921c43639211909d25f3

      SHA1

      66007cbffc4599812db7be160746bf9d95de0c65

      SHA256

      b5fda691921750675d7434f6ab57e2cab99c61197905ca60b16606560705c5cc

      SHA512

      29794008bff14bf38ab6c9deeebfce505684bd4fd7e3ee0626141f211da7027492001303b1667357cc758b91bbb702819fa2d1dcf920047bd9c1e09ee66a8aeb

    • memory/944-133-0x0000000073FB0000-0x0000000075204000-memory.dmp

      Filesize

      18.3MB

    • memory/4864-135-0x0000000073FB0000-0x0000000075204000-memory.dmp

      Filesize

      18.3MB

    • memory/4864-137-0x00007FFF81730000-0x00007FFF81925000-memory.dmp

      Filesize

      2.0MB

    • memory/5108-139-0x00007FFF81730000-0x00007FFF81925000-memory.dmp

      Filesize

      2.0MB

    • memory/5108-140-0x0000000000B00000-0x0000000000B09000-memory.dmp

      Filesize

      36KB

    • memory/5108-141-0x00000000003C0000-0x00000000007F3000-memory.dmp

      Filesize

      4.2MB

    • memory/5108-142-0x0000000000B00000-0x0000000000B09000-memory.dmp

      Filesize

      36KB

    • memory/5108-144-0x0000000000B00000-0x0000000000B09000-memory.dmp

      Filesize

      36KB