Analysis

  • max time kernel
    169s
  • max time network
    185s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-12-2023 18:00

General

  • Target

    70bdc622d4ecb4da6eb1d3a5f98652ab.exe

  • Size

    90KB

  • MD5

    70bdc622d4ecb4da6eb1d3a5f98652ab

  • SHA1

    6be9177289178f1799ca1241a35e94d24089148e

  • SHA256

    f82516c78483b315b21307bcbecd66273dfa1963f3ffa9d2609df6341e00a95e

  • SHA512

    f04a3df175241f72c85c6eb4e447aebb8f8832d09327c9f80a661e318cb265bc7b7a0490575f9c80e3142e493fc95588d7cca4e4c230ce09b93ab535a6e66c39

  • SSDEEP

    1536:804f1SMHjZ0k/tB1g//I0DuoxbxAHscmbiMKoEYP34B53FgAMKgNqpdcLc:ef1BDZ0kVB67Duw9AMcmbiMEeIb3PFgK

Score
10/10

Malware Config

Extracted

Family

systembc

C2

80.85.84.79:4001

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Looks up external IP address via web service (4 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Uses Tor communications (1 TTP)

    Malware can proxy its traffic through Tor for more anonymity.

  • Drops file in System32 directory (2 IoCs)
  • Suspicious use of SetThreadContext (3 IoCs)
  • Drops file in Windows directory (2 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (1 IoC)
  • Suspicious behavior: MapViewOfSection (3 IoCs)
  • Suspicious use of WriteProcessMemory (38 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\70bdc622d4ecb4da6eb1d3a5f98652ab.exe
    "C:\Users\Admin\AppData\Local\Temp\70bdc622d4ecb4da6eb1d3a5f98652ab.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Users\Admin\AppData\Local\Temp\70bdc622d4ecb4da6eb1d3a5f98652ab.exe
      "C:\Users\Admin\AppData\Local\Temp\70bdc622d4ecb4da6eb1d3a5f98652ab.exe"
      2⤵
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      PID:2728
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {789E334C-9763-41FC-8160-C5ABD4A36664} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\ProgramData\hrsrvt\csxao.exe
      C:\ProgramData\hrsrvt\csxao.exe start
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:364
      • C:\ProgramData\hrsrvt\csxao.exe
        C:\ProgramData\hrsrvt\csxao.exe start
        3⤵
        • Executes dropped EXE
        PID:1840
    • C:\ProgramData\hrsrvt\csxao.exe
      C:\ProgramData\hrsrvt\csxao.exe start
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:876
      • C:\ProgramData\hrsrvt\csxao.exe
        C:\ProgramData\hrsrvt\csxao.exe start
        3⤵
        • Executes dropped EXE
        PID:576

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\hrsrvt\csxao.exe

    Filesize

    90KB

    MD5

    70bdc622d4ecb4da6eb1d3a5f98652ab

    SHA1

    6be9177289178f1799ca1241a35e94d24089148e

    SHA256

    f82516c78483b315b21307bcbecd66273dfa1963f3ffa9d2609df6341e00a95e

    SHA512

    f04a3df175241f72c85c6eb4e447aebb8f8832d09327c9f80a661e318cb265bc7b7a0490575f9c80e3142e493fc95588d7cca4e4c230ce09b93ab535a6e66c39

  • C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\523724207

    Filesize

    48KB

    MD5

    e2bcf3f4d1bf5cd55b8e2bcdea1bd3c5

    SHA1

    e80cdb0628b45ccdd2cab2055d740f24116d89c0

    SHA256

    636ea92e088c0deae15b2d6b60d5220882e6c6a758028686f65a285ee87b4a9c

    SHA512

    41cb08ad69b0628bd853407fd28a1c612cfe06245f799dd9f01486500abe625c3e872c0a70e666b487e7b7e3556650c5e2e873f1d56dc5d2d893aed4f1d794f0

  • \Users\Admin\AppData\Local\Temp\nsoB137.tmp\System.dll

    Filesize

    11KB

    MD5

    fccff8cb7a1067e23fd2e2b63971a8e1

    SHA1

    30e2a9e137c1223a78a0f7b0bf96a1c361976d91

    SHA256

    6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

    SHA512

    f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

  • memory/2728-7-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2728-9-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2728-11-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB