Malware Analysis Report

2024-11-30 23:24

Sample ID 230913-qbdl4abh9w
Target 33626834ce190f58584d566022ca50ff38f6b34d0231944ef0d27bd7ab7ae6b7_JC.dll
SHA256 33626834ce190f58584d566022ca50ff38f6b34d0231944ef0d27bd7ab7ae6b7
Tags
systembc
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

33626834ce190f58584d566022ca50ff38f6b34d0231944ef0d27bd7ab7ae6b7

Threat Level: Known bad

The file 33626834ce190f58584d566022ca50ff38f6b34d0231944ef0d27bd7ab7ae6b7_JC.dll was found to be: Known bad.

Malicious Activity Summary

systembc

Systembc family

Blocklisted process makes network request

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-09-13 13:04

Signatures

Systembc family

systembc

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-13 13:04

Reported

2023-09-13 13:07

Platform

win7-20230831-en

Max time kernel

120s

Max time network

135s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\33626834ce190f58584d566022ca50ff38f6b34d0231944ef0d27bd7ab7ae6b7_JC.dll,#1

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2344 wrote to memory of 2368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2344 wrote to memory of 2368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2344 wrote to memory of 2368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2344 wrote to memory of 2368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2344 wrote to memory of 2368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2344 wrote to memory of 2368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2344 wrote to memory of 2368 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\33626834ce190f58584d566022ca50ff38f6b34d0231944ef0d27bd7ab7ae6b7_JC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\33626834ce190f58584d566022ca50ff38f6b34d0231944ef0d27bd7ab7ae6b7_JC.dll,#1

Network

Country Destination Domain Proto
US 45.61.136.241:4001 tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-13 13:04

Reported

2023-09-13 13:07

Platform

win10v2004-20230831-en

Max time kernel

124s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\33626834ce190f58584d566022ca50ff38f6b34d0231944ef0d27bd7ab7ae6b7_JC.dll,#1

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1784 wrote to memory of 4696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1784 wrote to memory of 4696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1784 wrote to memory of 4696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\33626834ce190f58584d566022ca50ff38f6b34d0231944ef0d27bd7ab7ae6b7_JC.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\33626834ce190f58584d566022ca50ff38f6b34d0231944ef0d27bd7ab7ae6b7_JC.dll,#1

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 25.178.78.104.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 45.61.136.241:4001 tcp
US 8.8.8.8:53 241.136.61.45.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 137.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 50.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 226.162.46.104.in-addr.arpa udp

Files

memory/3136-0-0x00000106F5940000-0x00000106F5950000-memory.dmp

memory/3136-16-0x00000106F5A40000-0x00000106F5A50000-memory.dmp

memory/3136-32-0x00000106FDFC0000-0x00000106FDFC1000-memory.dmp

memory/3136-33-0x00000106FDFF0000-0x00000106FDFF1000-memory.dmp

memory/3136-34-0x00000106FDFF0000-0x00000106FDFF1000-memory.dmp

memory/3136-35-0x00000106FDFF0000-0x00000106FDFF1000-memory.dmp

memory/3136-36-0x00000106FDFF0000-0x00000106FDFF1000-memory.dmp

memory/3136-37-0x00000106FDFF0000-0x00000106FDFF1000-memory.dmp

memory/3136-38-0x00000106FDFF0000-0x00000106FDFF1000-memory.dmp

memory/3136-39-0x00000106FDFF0000-0x00000106FDFF1000-memory.dmp

memory/3136-40-0x00000106FDFF0000-0x00000106FDFF1000-memory.dmp

memory/3136-41-0x00000106FDFF0000-0x00000106FDFF1000-memory.dmp

memory/3136-42-0x00000106FDFF0000-0x00000106FDFF1000-memory.dmp

memory/3136-43-0x00000106FDC10000-0x00000106FDC11000-memory.dmp

memory/3136-44-0x00000106FDC00000-0x00000106FDC01000-memory.dmp

memory/3136-46-0x00000106FDC10000-0x00000106FDC11000-memory.dmp

memory/3136-49-0x00000106FDC00000-0x00000106FDC01000-memory.dmp

memory/3136-52-0x00000106FDB40000-0x00000106FDB41000-memory.dmp

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

MD5 2999d9f684637452d383c6dc71d4f58c
SHA1 dd044e6ca7c45f53c27a3653b63f3d98bc0a2a0c
SHA256 34cb9a75db6a5ff754eb2b56beccee8a5b3b7b6a1fc07caa46dd4ad3cf077ff6
SHA512 65da4b7f07695d7427a635d446b6efb4175c2a71ce0ba036c438b7f8aa51a768634ab4f55e539e92d699e8c702ea1828e4708393dc650e3addb05cc1a5ed3bfb

memory/3136-64-0x00000106FDD40000-0x00000106FDD41000-memory.dmp

memory/3136-66-0x00000106FDD50000-0x00000106FDD51000-memory.dmp

memory/3136-67-0x00000106FDD50000-0x00000106FDD51000-memory.dmp

memory/3136-68-0x00000106FDE60000-0x00000106FDE61000-memory.dmp