Overview

overview

10

Static

static

1

a2eaa3485a...de.exe

windows7-x64

10

a2eaa3485a...de.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-07-2024 13:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a2eaa3485a9efff93e652cb5e3fef2bddaa1e631d2abc258a66f3d3b7f09f3de.exe

  • Size

    873KB

  • MD5

    7c14e45f1b37c59138cafd3173e7acd5

  • SHA1

    7ea141eb9f013e0dce8ee2b6a692153fefbcbb3a

  • SHA256

    a2eaa3485a9efff93e652cb5e3fef2bddaa1e631d2abc258a66f3d3b7f09f3de

  • SHA512

    52ce187cc850430f1710e898cf28a5f3a770f3a972f94f6c6c68c6e0042a5dd79b7451dbc95121dee4c0f005dbee2ccfa0aa8fc1850f3d66d7cd6c6c5a61490c

  • SSDEEP

    3072:LgfqAxp7Trv/hQjtXCIiXZUiq9UlRLTTFfD8:EfbfTbpOCVXzDLL/Fr8

Score
10/10
systembctrojan

Malware Config

Extracted

Family

systembc

C2

179.43.178.96:4141

192.168.1.149:4141

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2eaa3485a9efff93e652cb5e3fef2bddaa1e631d2abc258a66f3d3b7f09f3de.exe
    "C:\Users\Admin\AppData\Local\Temp\a2eaa3485a9efff93e652cb5e3fef2bddaa1e631d2abc258a66f3d3b7f09f3de.exe"
    1⤵
    • Drops file in Windows directory
    PID:1000
  • C:\ProgramData\nhbtnhr\tcemeg.exe
    C:\ProgramData\nhbtnhr\tcemeg.exe start
    1⤵
    • Executes dropped EXE
    PID:1660
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault85268ba8h0ff8h4daah95fch3533a36cf69a
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1960
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff87d4b46f8,0x7ff87d4b4708,0x7ff87d4b4718
      2⤵
        PID:4704
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,15067306647538199269,1591156483110044515,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2
        2⤵
          PID:208
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,15067306647538199269,1591156483110044515,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2700
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,15067306647538199269,1591156483110044515,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
          2⤵
            PID:220
        • C:\Windows\System32\CompPkgSrv.exe
          C:\Windows\System32\CompPkgSrv.exe -Embedding
          1⤵
            PID:1616
          • C:\Windows\System32\CompPkgSrv.exe
            C:\Windows\System32\CompPkgSrv.exe -Embedding
            1⤵
              PID:668
            • C:\Windows\system32\SystemSettingsAdminFlows.exe
              "C:\Windows\system32\SystemSettingsAdminFlows.exe" FeaturedResetPC
              1⤵
              • Enumerates connected drives
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:2548
            • C:\Windows\System32\vdsldr.exe
              C:\Windows\System32\vdsldr.exe -Embedding
              1⤵
                PID:1088
              • C:\Windows\System32\vds.exe
                C:\Windows\System32\vds.exe
                1⤵
                • Checks SCSI registry key(s)
                PID:2236
              • C:\Windows\System32\rundll32.exe
                C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                1⤵
                  PID:2100

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\ProgramData\nhbtnhr\tcemeg.exe
                  Filesize

                  873KB

                  MD5

                  7c14e45f1b37c59138cafd3173e7acd5

                  SHA1

                  7ea141eb9f013e0dce8ee2b6a692153fefbcbb3a

                  SHA256

                  a2eaa3485a9efff93e652cb5e3fef2bddaa1e631d2abc258a66f3d3b7f09f3de

                  SHA512

                  52ce187cc850430f1710e898cf28a5f3a770f3a972f94f6c6c68c6e0042a5dd79b7451dbc95121dee4c0f005dbee2ccfa0aa8fc1850f3d66d7cd6c6c5a61490c

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                  Filesize

                  152B

                  MD5

                  9abb787f6c5a61faf4408f694e89b50e

                  SHA1

                  914247144868a2ff909207305255ab9bbca33d7e

                  SHA256

                  ecfd876b653319de412bf6be83bd824dda753b4d9090007231a335819d29ea07

                  SHA512

                  0f8139c45a7efab6de03fd9ebfe152e183ff155f20b03d4fac4a52cbbf8a3779302fed56facc9c7678a2dcf4f1ee89a26efd5bada485214edd9bf6b5cd238a55

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                  Filesize

                  5KB

                  MD5

                  b885bee0f95a1bce408421eb3ea145bd

                  SHA1

                  0011a2c33be7ac4d1b71f4cc5acbc604dd502605

                  SHA256

                  38759b9dd2fe232ffafcde42e10ece24b949e4ba1314646934c267b6cea4c215

                  SHA512

                  1ffecddb9f451776dbe574ac4f5d51292b4355fd1df1e99437f9b464581a50950f0434a4a1d4d55e2ba93241c843d6c280afc71a1ad21e1198734afa8c02c227

                  Download Submit

                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                  Filesize

                  8KB

                  MD5

                  56eb514d38bfff078477264827284b1d

                  SHA1

                  c5b9e2b96f912aec86ff9d364f8fdaa96ca7fac9

                  SHA256

                  ab32c69629674019db6e72aab0ddf6011c4b2e8382868975e6d6e9fa66e34273

                  SHA512

                  d70b6b63f24b80f901105592a3ea827a170bbed6bfd43b1ffd5cce37fb99f8664cf588255fa2eba9acc71dd1a7010983ff66bf6deaae54775661f07e85fd89e6

                  Download Submit

                • memory/1000-0-0x0000000002230000-0x0000000002235000-memory.dmp

                  Filesize

                  20KB

                  Download

                • memory/1000-1-0x0000000000400000-0x0000000000407000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/1000-2-0x0000000000400000-0x00000000004DB000-memory.dmp

                  Filesize

                  876KB

                  Download

                • memory/1000-11-0x0000000000400000-0x0000000000407000-memory.dmp

                  Filesize

                  28KB

                  Download

                • memory/1660-8-0x0000000000400000-0x00000000004DB000-memory.dmp

                  Filesize

                  876KB

                  Download