Analysis

  • max time kernel
    119s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    05-06-2024 14:34

General

  • Target

    902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.exe

  • Size

    898KB

  • MD5

    1b1ecd323162c054864b63ada693cd71

  • SHA1

    333a67545a5d1aad4d73a3501f7152b4529b6b3e

  • SHA256

    902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff

  • SHA512

    f1776b6a457108f10ca940ce02ce98b73404f5cf18fccee4977024cfaf74d7f48666d4da9be1bee27531525e276cb8cfadba39b0c81e0fd8cbe42f7672f45b71

  • SSDEEP

    24576:juDXTIGaPhEYzUzA0amuDXTIGaPhEYzUzA0bnl:KDjlabwz9aDjlabwz9rl

Score
10/10

Malware Config

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.exe
    "C:\Users\Admin\AppData\Local\Temp\902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2956
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
        work.exe -priverdD
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2568
        • C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe
          "C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          PID:2464
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {5DB2EDB9-642A-463B-943D-5BE6EECC8208} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\ProgramData\pkot\huvegw.exe
      C:\ProgramData\pkot\huvegw.exe start2
      2⤵
      • Executes dropped EXE
      PID:2348
    • C:\ProgramData\pkot\huvegw.exe
      C:\ProgramData\pkot\huvegw.exe start2
      2⤵
      • Executes dropped EXE
      PID:1640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

    Filesize

    35B

    MD5

    ff59d999beb970447667695ce3273f75

    SHA1

    316fa09f467ba90ac34a054daf2e92e6e2854ff8

    SHA256

    065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

    SHA512

    d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

  • C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe

    Filesize

    16KB

    MD5

    c661a77c31f83c413a96b5537ad31989

    SHA1

    8a5a47e39a9efa9dc4de447d2ae4cd5e375e3557

    SHA256

    cc5bb638cb34cbd386a906b7708eb62e05e3fc991a20bd060e1d84f722d29ff1

    SHA512

    b86e45d36d8566b51f932f660ee9c3d79cea1a2eb34a9f7da7b2ccc5e50c74f319e8005e43d719c5722ec148ddddf1351a7f9edc430888e572b3884d1610b1aa

  • \??\PIPE\srvsvc

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • \Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

    Filesize

    453KB

    MD5

    405b7fbe8c0ed98620064f0cd80f24c4

    SHA1

    bb9e45038e8a9f7b7cd0db62858ac65c74b74821

    SHA256

    9dd8267e66dc584eecb3bece47e826d3189e41077f4083acdfc9a4f623b9c187

    SHA512

    3dd4c407f6c2250d20c005e816e80ad442bb07f84ab02e25951331808fb4229219f9fddbcf1ac2e6d70985e3077a6401905f18a8b2c633e9d0a8b9cc6971b61d