Malware Analysis Report

2024-11-13 17:16

Sample ID 231209-wdd9ashgbq
Target 96A3EA4BC09BBA5437EF00C758924CAE.exe
SHA256 5ff19009b6f29952af3ad9e7edf22377abbdca476b9bb945f1b3b057c8b84e3a
Tags
systembc persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5ff19009b6f29952af3ad9e7edf22377abbdca476b9bb945f1b3b057c8b84e3a

Threat Level: Known bad

The file 96A3EA4BC09BBA5437EF00C758924CAE.exe was found to be: Known bad.

Malicious Activity Summary

systembc persistence trojan

SystemBC

Adds Run key to start application

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-09 17:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-09 17:48

Reported

2023-12-09 17:50

Platform

win7-20231023-en

Max time kernel

118s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe"

Signatures

SystemBC

trojan systembc

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZillaUpdater = "C:\\Users\\Admin\\AppData\\Local\\ZillaUpdater.exe" C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2020 set thread context of 2600 N/A C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2020 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe

Processes

C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe

"C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe"

C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe

C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 wprogs.top udp
US 5.161.74.235:4001 wprogs.top tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-12-09 17:48

Reported

2023-12-09 17:50

Platform

win10v2004-20231127-en

Max time kernel

142s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe"

Signatures

SystemBC

trojan systembc

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ZillaUpdater = "C:\\Users\\Admin\\AppData\\Local\\ZillaUpdater.exe" C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1648 set thread context of 1548 N/A C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1648 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe

Processes

C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe

"C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe"

C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe

C:\Users\Admin\AppData\Local\Temp\96A3EA4BC09BBA5437EF00C758924CAE.exe

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 48.254.221.88.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 226.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 99.117.223.173.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 89.254.221.88.in-addr.arpa udp
US 8.8.8.8:53 80.254.221.88.in-addr.arpa udp
US 8.8.8.8:53 200.99.217.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 147.255.221.88.in-addr.arpa udp
US 8.8.8.8:53 wprogs.top udp
US 5.161.74.235:4001 wprogs.top tcp
US 8.8.8.8:53 235.74.161.5.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files
