Resubmissions

Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-06-2024 15:15

General

  • Target

    lrthijawd.exe

  • Size

    898KB

  • MD5

    1b1ecd323162c054864b63ada693cd71

  • SHA1

    333a67545a5d1aad4d73a3501f7152b4529b6b3e

  • SHA256

    902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff

  • SHA512

    f1776b6a457108f10ca940ce02ce98b73404f5cf18fccee4977024cfaf74d7f48666d4da9be1bee27531525e276cb8cfadba39b0c81e0fd8cbe42f7672f45b71

  • SSDEEP

    24576:juDXTIGaPhEYzUzA0amuDXTIGaPhEYzUzA0bnl:KDjlabwz9aDjlabwz9rl

Score
10/10

Malware Config

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lrthijawd.exe
    "C:\Users\Admin\AppData\Local\Temp\lrthijawd.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4472
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
        work.exe -priverdD
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1768
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          PID:4984
  • C:\ProgramData\hdjr\ialj.exe
    C:\ProgramData\hdjr\ialj.exe start2
    1⤵
    • Executes dropped EXE
    PID:1544
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2804 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1700
    • C:\ProgramData\hdjr\ialj.exe
      C:\ProgramData\hdjr\ialj.exe start2
      1⤵
      • Executes dropped EXE
      PID:1208

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

      Filesize

      35B

      MD5

      ff59d999beb970447667695ce3273f75

      SHA1

      316fa09f467ba90ac34a054daf2e92e6e2854ff8

      SHA256

      065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

      SHA512

      d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

      Filesize

      453KB

      MD5

      405b7fbe8c0ed98620064f0cd80f24c4

      SHA1

      bb9e45038e8a9f7b7cd0db62858ac65c74b74821

      SHA256

      9dd8267e66dc584eecb3bece47e826d3189e41077f4083acdfc9a4f623b9c187

      SHA512

      3dd4c407f6c2250d20c005e816e80ad442bb07f84ab02e25951331808fb4229219f9fddbcf1ac2e6d70985e3077a6401905f18a8b2c633e9d0a8b9cc6971b61d

    • C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe

      Filesize

      16KB

      MD5

      c661a77c31f83c413a96b5537ad31989

      SHA1

      8a5a47e39a9efa9dc4de447d2ae4cd5e375e3557

      SHA256

      cc5bb638cb34cbd386a906b7708eb62e05e3fc991a20bd060e1d84f722d29ff1

      SHA512

      b86e45d36d8566b51f932f660ee9c3d79cea1a2eb34a9f7da7b2ccc5e50c74f319e8005e43d719c5722ec148ddddf1351a7f9edc430888e572b3884d1610b1aa