Overview

overview

10

Static

static

3

random.exe

windows7-x64

7

random.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18-01-2025 17:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    random.exe

  • Size

    1.2MB

  • MD5

    a50e232d3a5a725cf8324977ce2cc2ec

  • SHA1

    6f663cc2a2df04cab4e84048674d118742bf9b55

  • SHA256

    30fee1328110552c83645241f3ebbfb3e743182c9c08d5259cec20941c5c0f4a

  • SHA512

    60b4f15cfeaaa1dd3ffbbb7efc5750272c26d658767ca4d4e493d8c437a222502ec6f017b96155a80d6e9f7f54835880ff7018169ee24856b9c64befca7f06ef

  • SSDEEP

    24576:1dMkfr422JUVryvPAD37f3rZzKbCHS6F+dbAdpBzahM:zfrJWEyvPAnf3rZWmyIy

Score
10/10
systembcdiscoverytrojan

Malware Config

Extracted

Family

systembc

C2

wodresomdaymomentum.org

Attributes
  • dns

    5.132.191.104

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • SystemBC

    SystemBC is a proxy and remote administration tool first seen in 2019.

    trojansystembc
  • Systembc family
    systembc
  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3436
      • C:\Users\Admin\AppData\Local\Temp\random.exe
        "C:\Users\Admin\AppData\Local\Temp\random.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops startup file
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2584
      • C:\Users\Admin\AppData\Local\Temp\random.exe
        "C:\Users\Admin\AppData\Local\Temp\random.exe"
        2⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:3268
      • C:\ProgramData\hensrm\dwsufrg.exe
        "C:\ProgramData\hensrm\dwsufrg.exe"
        2⤵
        • Executes dropped EXE
        PID:4800
      • C:\ProgramData\hensrm\dwsufrg.exe
        "C:\ProgramData\hensrm\dwsufrg.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3920
    • C:\ProgramData\hensrm\dwsufrg.exe
      C:\ProgramData\hensrm\dwsufrg.exe
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4868
    • C:\ProgramData\hensrm\dwsufrg.exe
      C:\ProgramData\hensrm\dwsufrg.exe
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4348

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\hensrm\dwsufrg.exe
      Filesize

      1.2MB

      MD5

      a50e232d3a5a725cf8324977ce2cc2ec

      SHA1

      6f663cc2a2df04cab4e84048674d118742bf9b55

      SHA256

      30fee1328110552c83645241f3ebbfb3e743182c9c08d5259cec20941c5c0f4a

      SHA512

      60b4f15cfeaaa1dd3ffbbb7efc5750272c26d658767ca4d4e493d8c437a222502ec6f017b96155a80d6e9f7f54835880ff7018169ee24856b9c64befca7f06ef

      Download Submit

    • C:\Windows\Tasks\Test Task17.job
      Filesize

      240B

      MD5

      3d97cf65670e6bbaf4cb12c139b822b5

      SHA1

      fa78727e478bf0ad1c52a5b60d47ee05b0a271c0

      SHA256

      a20f59f4a2a152d9c1fba3715b3aab784f0755115ec9bd1360fd7c68a674d14d

      SHA512

      9c442101ad4c17a4d5b54da50adaf1fa91ee2c13848f90d22163e8e9513d3f185ea833bec04b5aec0f6ab64d75515aefd6d472612d0efbab99c329419355f293

      Download Submit

    • memory/2584-0-0x0000000074F1E000-0x0000000074F1F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2584-1-0x0000000000740000-0x0000000000878000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2584-2-0x0000000074F10000-0x00000000756C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2584-3-0x0000000005170000-0x000000000526E000-memory.dmp

      Filesize

      1016KB

      Download

    • memory/2584-4-0x0000000005320000-0x000000000541E000-memory.dmp

      Filesize

      1016KB

      Download

    • memory/2584-5-0x00000000059E0000-0x0000000005F84000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2584-6-0x0000000005530000-0x00000000055C2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2584-20-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-28-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-62-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-70-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-68-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-66-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-64-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-60-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-58-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-56-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-54-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-52-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-50-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-46-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-44-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-42-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-40-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-38-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-36-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-34-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-32-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-30-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-26-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-24-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-23-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-18-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-16-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-14-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-12-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-10-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-8-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-48-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-7-0x0000000005320000-0x0000000005419000-memory.dmp

      Filesize

      996KB

      Download

    • memory/2584-1329-0x0000000074F10000-0x00000000756C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2584-1330-0x0000000005620000-0x0000000005678000-memory.dmp

      Filesize

      352KB

      Download

    • memory/2584-1331-0x00000000057F0000-0x0000000005846000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2584-1332-0x0000000005850000-0x000000000589C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2584-1333-0x0000000074F1E000-0x0000000074F1F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2584-1334-0x0000000074F10000-0x00000000756C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2584-1335-0x0000000074F10000-0x00000000756C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2584-1336-0x00000000056C0000-0x0000000005714000-memory.dmp

      Filesize

      336KB

      Download

    • memory/2584-1342-0x0000000074F10000-0x00000000756C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2584-1351-0x0000000002E78000-0x0000000002E79000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2584-1350-0x0000000002E2B000-0x0000000002E2C000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2584-1348-0x0000000074F10000-0x00000000756C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2584-1354-0x0000000074F10000-0x00000000756C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3268-1349-0x0000000000400000-0x0000000000407000-memory.dmp

      Filesize

      28KB

      Download

    • memory/4868-1357-0x0000000074F1E000-0x0000000074F1F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4868-1358-0x0000000074F10000-0x00000000756C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4868-2681-0x0000000074F10000-0x00000000756C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4868-2682-0x0000000074F1E000-0x0000000074F1F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4868-2683-0x0000000074F10000-0x00000000756C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4868-2684-0x0000000074F10000-0x00000000756C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4868-2689-0x0000000074F10000-0x00000000756C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4868-2695-0x0000000074F10000-0x00000000756C0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4868-2696-0x0000000074F10000-0x00000000756C0000-memory.dmp

      Filesize

      7.7MB

      Download