Malware Analysis Report

2024-11-30 23:31

Sample ID 230814-t34jdafe51
Target tmp
SHA256 3a7c97b376896da090d87dc501625425514cdcf7590825a8ca41346d7c6592c3
Tags
systembc trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3a7c97b376896da090d87dc501625425514cdcf7590825a8ca41346d7c6592c3

Threat Level: Known bad

The file tmp was found to be: Known bad.

Malicious Activity Summary

systembc trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

SystemBC

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-14 16:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-14 16:35

Reported

2023-08-14 16:38

Platform

win7-20230712-en

Max time kernel

145s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 mayo.edu udp
US 129.176.1.88:443 mayo.edu tcp

Files

memory/2264-53-0x0000000000400000-0x00000000007F2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-14 16:35

Reported

2023-08-14 16:38

Platform

win10v2004-20230703-en

Max time kernel

145s

Max time network

129s

Command Line

C:\Windows\Explorer.EXE

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4912 created 3164 N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe C:\Windows\Explorer.EXE

SystemBC

trojan systembc

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3840 set thread context of 1936 N/A C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe C:\Windows\SysWOW64\cmd.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp.exe"

C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe

"C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\SysWOW64\cmd.exe"

C:\Windows\SysWOW64\explorer.exe

C:\Windows\SysWOW64\explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 mayo.edu udp
US 129.176.1.88:443 mayo.edu tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 88.1.176.129.in-addr.arpa udp
US 8.8.8.8:53 www.mayo.edu udp
US 52.162.245.23:443 www.mayo.edu tcp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 23.245.162.52.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 i.imgur.com udp
NL 199.232.148.193:443 i.imgur.com tcp
US 8.8.8.8:53 193.148.232.199.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 254.136.241.8.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

memory/4912-134-0x00007FF9275E0000-0x00007FF92790D000-memory.dmp

C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfreader.exe

MD5 b43b96e4483dce09976dc250f87ecf1a
SHA1 4290076db1e87a46b73e8391186025f1f5b492bb
SHA256 5eaf95ad5163607ea220e439f13e58ae1bd9b408d94e06d5d721e8daca911c12
SHA512 383b723d2d547f775a661bf6990e834b0233849822c7cbc3f0aaf0f276b1c05b0f7bde754dae3da133f7a8aae669b31547889495e5370a6617c09a2a3b61c438

memory/4912-140-0x0000000000400000-0x00000000007F2000-memory.dmp

memory/3840-141-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

C:\Users\Admin\AppData\Roaming\KBDINDEV\pdfium.dll

MD5 5253296effaf275e7239e52a6e3c76be
SHA1 3a07d2f3e83359d8998c7e11ee6e256e2cabdd7b
SHA256 bc7defe6891b955f977ae0d28036cea440e849209deeb9b58a693a11d359ee17
SHA512 669d549eba49e3d9fbaa1cf9775f5b4dc89784f336d14382389c1efb5a64b362bfea7a3e661bbdb816f5517acd66ebc0e8d3c9020f86b5a5dfc0774aa61a99f9

C:\Users\Admin\AppData\Roaming\KBDINDEV\ail.html

MD5 5bb10ce2d154345099373f632594b49a
SHA1 bdb91eb50e5dd610d00a8a9c8aa69c91ed063015
SHA256 b7dba474ec7726fcbf7ee3acb24a8ee08e808b57e44bfb5d5a91d74f475cba1c
SHA512 cb5729643ceb6d51c66f555bcd6fbaefcfa74b3309bafd22daf5c7dbbb4bf1df49d5539001fe21b5c29421ed9d3b1b7dbd375fb3de710e375839cbf878d7ebef

memory/3840-145-0x0000000074260000-0x00000000754B4000-memory.dmp

memory/3840-146-0x0000000000400000-0x0000000000C88000-memory.dmp

memory/3840-147-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

memory/1936-150-0x0000000074260000-0x00000000754B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2c390414

MD5 8bd06a484159c5b1505d62f144c1ae2b
SHA1 dfa3d37b46c429224a696255d9e5dd97f8835b6e
SHA256 b3290df1d7996e9b1b6d881c09040ad8e228a0814dd376a09619d9f399760f58
SHA512 67c4f8476075592cb62684b2b61148567ff86687d5b2018e3bfdc3d94c20751103555049ffd63e57f6f62ddad61a65c4687af85b03d10a32c10a4bf28814fa67

memory/1936-152-0x00007FF937ED0000-0x00007FF9380C5000-memory.dmp

memory/1936-156-0x0000000074260000-0x00000000754B4000-memory.dmp

memory/1936-157-0x0000000074260000-0x00000000754B4000-memory.dmp

memory/1936-160-0x0000000074260000-0x00000000754B4000-memory.dmp

memory/4944-161-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4944-162-0x00007FF937ED0000-0x00007FF9380C5000-memory.dmp

memory/4944-163-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4944-164-0x0000000000B80000-0x0000000000FB3000-memory.dmp

memory/4944-165-0x0000000000400000-0x0000000000408000-memory.dmp

memory/4944-166-0x0000000000400000-0x0000000000408000-memory.dmp