Analysis

  • max time kernel
    144s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-09-2023 00:28

General

  • Target

    82cf051811579ee4f1d9978af52f12db.exe

  • Size

    2.4MB

  • MD5

    82cf051811579ee4f1d9978af52f12db

  • SHA1

    34122975ea9238001cb644955a1474f4d33f9e7b

  • SHA256

    2227d5b2e2782a03bdb847a8ebf9ea40cc2c9f10f48385154c66ded1577b1deb

  • SHA512

    1eb2df40b3e98a0289b2ccd51d0d0861c9e967220b745643210ecdda63e2aeebaf5940b2d0a319dd0ffc6754238aa0a897ee261d06528c645740082a07de3b73

  • SSDEEP

    49152:M32RUvjn/TCGDQiMDpU/Sb8HDWSrbmnidPtrmEKhPlGRr4g0aQ7svt/:nyn/+GDhOcSb8HDhrK8rtGlGRr4+

Score
10/10

Malware Config

Extracted

Family

systembc

C2

ar.undata.cc:5320

ar1.undata.cc:5320

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 15 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3188
      • C:\Users\Admin\AppData\Local\Temp\82cf051811579ee4f1d9978af52f12db.exe
        "C:\Users\Admin\AppData\Local\Temp\82cf051811579ee4f1d9978af52f12db.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4680
      • C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe
        "C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:4004
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\SysWOW64\cmd.exe"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:1048
          • C:\Windows\SysWOW64\explorer.exe
            "C:\Windows\SysWOW64\explorer.exe"
            4⤵
              PID:4932

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\177cc9b9

        Filesize

        436KB

        MD5

        9d0cafebbeade7e4521820df518fd5e7

        SHA1

        65a8390ebdca1fa884983c1b7a5ec8990032c1e9

        SHA256

        963731b9ca2ea6bc26bce33055dc2d05e86bd4afeb1704b6e350e79c3effcb44

        SHA512

        b3b9812dff93821b7c8f85b6bf2788752333731b1da8b15ae6cd5d4a1ffbca9091387fdbc6500850fa1afa5f34726c6a72a68cfd877a86cfd2ac746c4105aa8b

      • C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe

        Filesize

        168KB

        MD5

        aef6452711538d9021f929a2a5f633cf

        SHA1

        205b7fab75e77d1ff123991489462d39128e03f6

        SHA256

        e611a1ffbe9e08a2660bc290a581aa0b54637524aaf6040a70e54f97136ce5ac

        SHA512

        7ad84d4d3bab3f5a3e14f336d8931bf4b876299000081b2a94a3fcf698c56b82514753b483c5b8d7ae84ddd92ee1c4043fa5e7fb7c4f7e9eb52ca8c794e508b7

      • C:\Users\Admin\AppData\Roaming\activeds\MCoreLib.dll

        Filesize

        106KB

        MD5

        815b07c37c83b13457d37ca8c6a7a561

        SHA1

        746138b85e5611fd058c008411889a15870083cd

        SHA256

        153c1b5e96e7bc4c9f858c3cc3bc6cd5e09ef68776d95871ca38824c430654c4

        SHA512

        8949ab1deae036ae785ad20c634519aa368b4768f0dd65c0dc53f8ea70dd7d707c984277b914de14054eb8a044182ff78205e3a02555e377750bb829760b8c31

      • C:\Users\Admin\AppData\Roaming\activeds\MDb.dll

        Filesize

        205KB

        MD5

        be1262b27ff4a4349b337cc95b7746e7

        SHA1

        a88b9a167baedbaef047b862caecb8206548c2f6

        SHA256

        ab47f3a52c1c2a7f1855c48e2d085e87345590b1fb78353c7070c3b6600843fd

        SHA512

        d70a9f1113b2b11ff5df3644b97d13cfe1deee1def13e751eabd8e84858e4ae6eb58d45926a1443cafbb7a261bcb61285b4c316014b43c6c6971f7261e13bb96

      • C:\Users\Admin\AppData\Roaming\activeds\MKernel.dll

        Filesize

        219KB

        MD5

        ab9ee0529bab6495e65bf7d25c2476a2

        SHA1

        4438dc373b04cbab0320ccdf3ec5da8fb85f5f4f

        SHA256

        4f3e310c5b4fe873a91b19db66e2c1b69a30b4bf7362570d6b1d7d5105a4b0a9

        SHA512

        05f4018f370ac18e32ab2c2642430154b5050948b12f0822024c960ffed94dc65469c22f01d67d0948fc1aa3eea16d3f0b47569275e87aacd934b74e83e2e7b4

      • C:\Users\Admin\AppData\Roaming\activeds\MSVCP71.dll

        Filesize

        488KB

        MD5

        561fa2abb31dfa8fab762145f81667c2

        SHA1

        c8ccb04eedac821a13fae314a2435192860c72b8

        SHA256

        df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

        SHA512

        7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

      • C:\Users\Admin\AppData\Roaming\activeds\MSVCR71.dll

        Filesize

        340KB

        MD5

        86f1895ae8c5e8b17d99ece768a70732

        SHA1

        d5502a1d00787d68f548ddeebbde1eca5e2b38ca

        SHA256

        8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

        SHA512

        3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

      • C:\Users\Admin\AppData\Roaming\activeds\MUICoreLib.dll

        Filesize

        824KB

        MD5

        60a5383ba17d8f519cb4356e28873a14

        SHA1

        6bf70393d957320a921226c7fcdf352a0a67442d

        SHA256

        80878e4543959b63cbd87e3ebb82f4988cbbdf9da564370aa15410783c5f343f

        SHA512

        a0e0ef1d821e13977d14a806357128285edc0a26c01dcf9fd99e7c62f8efccdf608b1c0dceb1f3f40e988692eb549e22193d9ce253a1c0c1d8b10c46955bee12

      • C:\Users\Admin\AppData\Roaming\activeds\MUIUtils.dll

        Filesize

        385KB

        MD5

        97d6efb8b8e0b0f03701a7bafc398545

        SHA1

        0fe11e0b7f47fdec9aaa98b83728c125409e9d5b

        SHA256

        51c8715fac6797b7f962a68903f1f994c2af1088ac31972b5e512dab5ab4fd8e

        SHA512

        2bf8935ad96f35586be6074e8798fa36ee13a05cef05aa0df120ef6800cc1d941310c672894d2380b87c7491663c137fa5bcade4a732bcc6448ba3bf0badb2d7

      • C:\Users\Admin\AppData\Roaming\activeds\MUtils.dll

        Filesize

        619KB

        MD5

        6da9a492898b66db78f5c9d3fc7ecc64

        SHA1

        d264f67d92ccd4cfeaed1510ed0b6ae90d3f7db4

        SHA256

        50dfc607913a47dd266e27f6533f3f6b8f9fe995582f7662a944149a26b5054c

        SHA512

        11bc138d16f279d70ece09e3d238ce891bc5015b6d49a750e153c2b9286bf95e285e818ed5e25e7c731cdfff1324cdb74155f68fda0ef8104eb0d554e2b2923e

      • C:\Users\Admin\AppData\Roaming\activeds\coolcore49.dll

        Filesize

        764KB

        MD5

        4f27d1bacaf09d1919484355b341c868

        SHA1

        f1be78d484235270a1416c6acb20e2915ae050db

        SHA256

        12cddd3c62ff777f1738226fe0b4b36c8170e5e1c0c47fb5913f1a780dc5f450

        SHA512

        328277fe18d2bbc11160d0c239c90e94d2689b8dbefb6fe46febb730fbcc6e18ced429f839d7a81d8e1b42fe4c1cb4afaaa5745353daf271ac21984f5c67aced

      • C:\Users\Admin\AppData\Roaming\activeds\msvcp71.dll

        Filesize

        488KB

        MD5

        561fa2abb31dfa8fab762145f81667c2

        SHA1

        c8ccb04eedac821a13fae314a2435192860c72b8

        SHA256

        df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

        SHA512

        7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

      • C:\Users\Admin\AppData\Roaming\activeds\msvcr71.dll

        Filesize

        340KB

        MD5

        86f1895ae8c5e8b17d99ece768a70732

        SHA1

        d5502a1d00787d68f548ddeebbde1eca5e2b38ca

        SHA256

        8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

        SHA512

        3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

      • C:\Users\Admin\AppData\Roaming\activeds\shallop.wmv

        Filesize

        312KB

        MD5

        983058d5482f9477c6b4fe17faef85db

        SHA1

        00d43c0588c8c88c9076b911d65d94d0b0913b69

        SHA256

        d3b79dee1b597a1901e7c7721b8019b79e555495d234056a85bbf0d7b1fc83a2

        SHA512

        d8a5589c890faf88dfac93c3f1d4818a6d20db5bd7830366c49247ec20426605c4c4b868eca4e0729a01f56dce3c87bfbe379d2c50f9bf5ffef3afcc50f8163a

      • C:\Users\Admin\AppData\Roaming\activeds\xprt6.dll

        Filesize

        244KB

        MD5

        d145903e217ddde20ce32ed9e5074e16

        SHA1

        bdb3265d872f446d7445aae4f2d0beba5dae3bd8

        SHA256

        9317971d3615415691420d06b06de89b67aea164877b74e308bb9c338ca0eca4

        SHA512

        00e7df32ab3c8a46b4e8761634ddeac28410f46a9312923f46b1d83376d69489653763661f2c51ac9f85028a11d8496c911eabcb55a19222caf311be61504666

      • memory/1048-51-0x00007FFA14B30000-0x00007FFA14D25000-memory.dmp

        Filesize

        2.0MB

      • memory/1048-49-0x00000000739E0000-0x0000000074C34000-memory.dmp

        Filesize

        18.3MB

      • memory/4004-41-0x0000000000A00000-0x0000000000A63000-memory.dmp

        Filesize

        396KB

      • memory/4004-44-0x0000000000A70000-0x0000000000B41000-memory.dmp

        Filesize

        836KB

      • memory/4004-47-0x00000000739E0000-0x0000000074C34000-memory.dmp

        Filesize

        18.3MB

      • memory/4680-1-0x00000000742C0000-0x0000000074551000-memory.dmp

        Filesize

        2.6MB

      • memory/4932-53-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB

      • memory/4932-54-0x00007FFA14B30000-0x00007FFA14D25000-memory.dmp

        Filesize

        2.0MB

      • memory/4932-55-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB

      • memory/4932-56-0x0000000000D30000-0x0000000001163000-memory.dmp

        Filesize

        4.2MB

      • memory/4932-57-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB

      • memory/4932-58-0x0000000000400000-0x0000000000408000-memory.dmp

        Filesize

        32KB