c1d31fa7484170247564e89c97cc325d1f317fb8c8efe50e4d126c7881adf499

General

Target: c1d31fa7484170247564e89c97cc325d1f317fb8c8efe50e4d126c7881adf499.exe
Filesize: 259KB
Completed: 29-11-2020 15:51
Score: 10/10

MD5: 1f4928730be377f7affb80c3f5305883
SHA1: 50b760064a237f123f0f06a846b78cf58713cad1
SHA256: c1d31fa7484170247564e89c97cc325d1f317fb8c8efe50e4d126c7881adf499

Malware Config
Signatures 4

  • SystemBC

    Description

    SystemBC is a proxy and remote administration tool first seen in 2019.

  • Executes dropped EXE
    chtugc.exe

    Reported IOCs

    pid  | process
    1504 | chtugc.exe
  • Drops file in Windows directory
    c1d31fa7484170247564e89c97cc325d1f317fb8c8efe50e4d126c7881adf499.exe

    Reported IOCs

    description                  | ioc                         | process
    File created                 | C:\Windows\Tasks\chtugc.job | c1d31fa7484170247564e89c97cc325d1f317fb8c8efe50e4d126c7881adf499.exe
    File opened for modification | C:\Windows\Tasks\chtugc.job | c1d31fa7484170247564e89c97cc325d1f317fb8c8efe50e4d126c7881adf499.exe
  • Suspicious use of WriteProcessMemory
    taskeng.exe

    Reported IOCs

    description                      | pid  | process     | target process
    PID 1224 wrote to memory of 1504 | 1224 | taskeng.exe | chtugc.exe
    PID 1224 wrote to memory of 1504 | 1224 | taskeng.exe | chtugc.exe
    PID 1224 wrote to memory of 1504 | 1224 | taskeng.exe | chtugc.exe
    PID 1224 wrote to memory of 1504 | 1224 | taskeng.exe | chtugc.exe
Processes 3
  • C:\Users\Admin\AppData\Local\Temp\c1d31fa7484170247564e89c97cc325d1f317fb8c8efe50e4d126c7881adf499.exe
    "C:\Users\Admin\AppData\Local\Temp\c1d31fa7484170247564e89c97cc325d1f317fb8c8efe50e4d126c7881adf499.exe"
    Drops file in Windows directory
    PID:748
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {F8305F25-EF87-4C8F-BB11-47EA250FEF4D} S-1-5-18:NT AUTHORITY\System:Service:
    Suspicious use of WriteProcessMemory
    PID:1224
    • C:\ProgramData\rghi\chtugc.exe
      C:\ProgramData\rghi\chtugc.exe start
      Executes dropped EXE
      PID:1504
Network
MITRE ATT&CK Matrix
Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Persistence, Privilege Escalation
Downloads
  • C:\ProgramData\rghi\chtugc.exe

    MD5: 1f4928730be377f7affb80c3f5305883
    SHA1: 50b760064a237f123f0f06a846b78cf58713cad1
    SHA256: c1d31fa7484170247564e89c97cc325d1f317fb8c8efe50e4d126c7881adf499
    SHA512: 58ecec71935ab0c490d1011da04aba3d694443b67c576421e6a9e4dc615a5f43b6ee84e2d9a3a48c2895fe28b94955604c2080de290b13ecc086127e5f4dfa54

  • memory/1504-3-0x0000000000000000-mapping.dmp