Overview

overview

10

Static

static

3

1E31A6DE95...6F.exe

windows7-x64

10

1E31A6DE95...6F.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    24-07-2024 11:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1E31A6DE957ADB7A23E155EF8E9F80E67DC763443053E0014FBA9E91F4EEBC6F.exe

  • Size

    240KB

  • MD5

    9ad0e9c3ba18150e9bb1176cd3cc5cfb

  • SHA1

    ca69a444c9bdb2b80411cd9ba8a3be06a87053c2

  • SHA256

    69b22d283fd4a6ce1c9f69f610449b016fdbb7ac1f8c23e199b3c72d7f75c61d

  • SHA512

    78af683bfb37d139a1cb3e3050b1a7075443197fec209d376aafdaa0694590de1a9103dd82725649dd4b35d7485e5b7a92f74d59a531ebe06fef513e15f3650b

  • SSDEEP

    1536:YzlKjIgWITA+dAGkDEQqrj0OzgFx3wyU0SyvmQm3ZH459VSypXoDzjD7GCq2iW7z:OlKjIbAUFzU0Scm13259VSypXAv/GCH

Score
10/10
systembcaspackv2discoverytrojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 4 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1E31A6DE957ADB7A23E155EF8E9F80E67DC763443053E0014FBA9E91F4EEBC6F.exe
    "C:\Users\Admin\AppData\Local\Temp\1E31A6DE957ADB7A23E155EF8E9F80E67DC763443053E0014FBA9E91F4EEBC6F.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Users\Admin\AppData\Local\Temp\CaEsb.exe
      C:\Users\Admin\AppData\Local\Temp\CaEsb.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\3b9813f2.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2908
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {3003ECD1-5AB9-401B-A1E6-90B97AC1E5AC} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2612
    • C:\ProgramData\welds\unhsmqk.exe
      C:\ProgramData\welds\unhsmqk.exe start
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2680
      • C:\Windows\TEMP\CaEsb.exe
        C:\Windows\TEMP\CaEsb.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Windows\TEMP\46ad45e2.bat" "
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2988

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\welds\unhsmqk.exe
    Filesize

    240KB

    MD5

    9ad0e9c3ba18150e9bb1176cd3cc5cfb

    SHA1

    ca69a444c9bdb2b80411cd9ba8a3be06a87053c2

    SHA256

    69b22d283fd4a6ce1c9f69f610449b016fdbb7ac1f8c23e199b3c72d7f75c61d

    SHA512

    78af683bfb37d139a1cb3e3050b1a7075443197fec209d376aafdaa0694590de1a9103dd82725649dd4b35d7485e5b7a92f74d59a531ebe06fef513e15f3650b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3b9813f2.bat
    Filesize

    185B

    MD5

    7b509a509fe267a86cc260786282308a

    SHA1

    d02bd3f6706b18e3114b54f6f19584f5192f1eac

    SHA256

    a7f6695ad88e91392af899431a56eb13984186958d1ee56739d0f6f12c2d15d4

    SHA512

    38810daa4b5c69492593bbeaa912daaac0e04ba36fc9811604722b1fb7bf113d07ccfe88b12d7a8ced733a517aeae04425211481e64147bf611faf4bb255bf1b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CaEsb.exe
    Filesize

    15KB

    MD5

    f7d21de5c4e81341eccd280c11ddcc9a

    SHA1

    d4e9ef10d7685d491583c6fa93ae5d9105d815bd

    SHA256

    4485df22c627fa0bb899d79aa6ff29bc5be1dbc3caa2b7a490809338d54b7794

    SHA512

    e4553b86b083996038bacfb979ad0b86f578f95185d8efac34a77f6cc73e491d4f70e1449bbc9eb1d62f430800c1574101b270e1cb0eeed43a83049a79b636a3

    Download Submit

  • C:\Windows\Temp\46ad45e2.bat
    Filesize

    131B

    MD5

    dc195b1b473d67af38492736ee970f4e

    SHA1

    faa0dc194c8c52adb995aaa2639f892f0eb600e2

    SHA256

    6c58f86f4a432855fab37abf47ca4a6504242c88177e5a4bdfd8ba6c780be925

    SHA512

    e9d3625a2ef7fceccf44bb65daa828a54e39fca50ad982477751d9fc48004207195ff784b824c4ab521451ad54f2e4577fb2f2ae6eca652335c21e4ff95de3b3

    Download Submit

  • memory/1720-10-0x0000000000870000-0x0000000000879000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1720-33-0x0000000000870000-0x0000000000879000-memory.dmp

    Filesize

    36KB

    Download

  • memory/1740-52-0x0000000000080000-0x0000000000089000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2520-15-0x0000000000590000-0x0000000000690000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2520-16-0x0000000000230000-0x0000000000239000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2520-35-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2520-17-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2520-1-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2520-9-0x0000000000870000-0x0000000000879000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2520-64-0x0000000000590000-0x0000000000690000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2680-51-0x0000000000020000-0x0000000000029000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2680-44-0x0000000000020000-0x0000000000029000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2680-66-0x0000000000400000-0x0000000000480000-memory.dmp

    Filesize

    512KB

    Download