systembc | e3d0de327842dd2de91dea4ac6f9a710b1e97f57421200eae2415663651d60b9

Analysis

max time kernel
140s
max time network
79s
platform
windows7_x64
resource
win7v20201028
submitted
20-01-2021 14:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e7fb15093287d6e06313027be35bf6d.exe
Size

328KB
MD5

3e7fb15093287d6e06313027be35bf6d
SHA1

4cb59e23f295f7d58f47aae7dccff55d17269765
SHA256

e3d0de327842dd2de91dea4ac6f9a710b1e97f57421200eae2415663651d60b9
SHA512

bd08fd6d1d594ebbb9c1f1977e0a36d646d9f9de79e2bd43d35530ced07a3998eef8013632870c44b60d68dafa3d8d6a9c540dfb31970be1896fd5105d9d4afe

Score

10^/10

systembc taurus discovery spyware stealer trojan upx

Malware Config

Extracted

Family

systembc

dl-link.network:4153

dl-link.club:4153

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Taurus Stealer
Taurus is an infostealer first seen in June 2020.
trojan stealer taurus

Taurus Stealer Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1852-4-0x0000000000220000-0x0000000000256000-memory.dmp	family_taurus_stealer
behavioral1/memory/1852-5-0x0000000000400000-0x0000000000437000-memory.dmp	family_taurus_stealer

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

HldkfcCG.exeHldkfcCG.exepoetqh.exepoetqh.exe

pid process

840 HldkfcCG.exe
1964 HldkfcCG.exe
1016 poetqh.exe
1984 poetqh.exe

pid	process
840	HldkfcCG.exe
1964	HldkfcCG.exe
1016	poetqh.exe
1984	poetqh.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\HldkfcCG.exe	upx
\Users\Admin\AppData\Local\Temp\HldkfcCG.exe	upx
C:\Users\Admin\AppData\Local\Temp\HldkfcCG.exe	upx
C:\Users\Admin\AppData\Local\Temp\HldkfcCG.exe	upx
C:\Users\Admin\AppData\Local\Temp\HldkfcCG.exe	upx
C:\Windows\TEMP\poetqh.exe	upx
C:\Windows\Temp\poetqh.exe	upx
C:\Windows\Temp\poetqh.exe	upx

Loads dropped DLL 2 IoCs

Processes:

3e7fb15093287d6e06313027be35bf6d.exe

pid process

1852 3e7fb15093287d6e06313027be35bf6d.exe
1852 3e7fb15093287d6e06313027be35bf6d.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1852	3e7fb15093287d6e06313027be35bf6d.exe
1852	3e7fb15093287d6e06313027be35bf6d.exe

Drops file in Windows directory 5 IoCs

Processes:

poetqh.exeHldkfcCG.exeHldkfcCG.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\wow64.job	poetqh.exe
File created	C:\Windows\Tasks\wow64.job	HldkfcCG.exe
File opened for modification	C:\Windows\Tasks\wow64.job	HldkfcCG.exe
File created	C:\Windows\Tasks\jivogjdvoharjctnfwp.job	HldkfcCG.exe
File created	C:\Windows\Tasks\wow64.job	poetqh.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

3e7fb15093287d6e06313027be35bf6d.exetaskeng.exe

description	pid	process	target process
PID 1852 wrote to memory of 840	1852	3e7fb15093287d6e06313027be35bf6d.exe	HldkfcCG.exe
PID 1852 wrote to memory of 840	1852	3e7fb15093287d6e06313027be35bf6d.exe	HldkfcCG.exe
PID 1852 wrote to memory of 840	1852	3e7fb15093287d6e06313027be35bf6d.exe	HldkfcCG.exe
PID 1852 wrote to memory of 840	1852	3e7fb15093287d6e06313027be35bf6d.exe	HldkfcCG.exe
PID 548 wrote to memory of 1964	548	taskeng.exe	HldkfcCG.exe
PID 548 wrote to memory of 1964	548	taskeng.exe	HldkfcCG.exe
PID 548 wrote to memory of 1964	548	taskeng.exe	HldkfcCG.exe
PID 548 wrote to memory of 1964	548	taskeng.exe	HldkfcCG.exe
PID 548 wrote to memory of 1016	548	taskeng.exe	poetqh.exe
PID 548 wrote to memory of 1016	548	taskeng.exe	poetqh.exe
PID 548 wrote to memory of 1016	548	taskeng.exe	poetqh.exe
PID 548 wrote to memory of 1016	548	taskeng.exe	poetqh.exe
PID 548 wrote to memory of 1984	548	taskeng.exe	poetqh.exe
PID 548 wrote to memory of 1984	548	taskeng.exe	poetqh.exe
PID 548 wrote to memory of 1984	548	taskeng.exe	poetqh.exe
PID 548 wrote to memory of 1984	548	taskeng.exe	poetqh.exe

C:\Users\Admin\AppData\Local\Temp\3e7fb15093287d6e06313027be35bf6d.exe
"C:\Users\Admin\AppData\Local\Temp\3e7fb15093287d6e06313027be35bf6d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852

C:\Users\Admin\AppData\Local\Temp\HldkfcCG.exe
"C:\Users\Admin\AppData\Local\Temp\HldkfcCG.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:840

C:\Windows\system32\taskeng.exe
taskeng.exe {719C4B59-D72A-4328-B348-44DA80DB9F19} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:548

C:\Users\Admin\AppData\Local\Temp\HldkfcCG.exe
C:\Users\Admin\AppData\Local\Temp\HldkfcCG.exe start
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1964

C:\Windows\TEMP\poetqh.exe
C:\Windows\TEMP\poetqh.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1016

C:\Windows\TEMP\poetqh.exe
C:\Windows\TEMP\poetqh.exe start
2⤵
- Executes dropped EXE
PID:1984

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HldkfcCG.exe
MD5
8062878d5d1560c72c4043058d81261e

SHA1
5846e13d09a03fcd87a354d2ac309782bfe6cbcc

SHA256
4c04dce0d2aa3fbecd1951f680bff98c2c8c11af54103e6e0aa0bb358a5c0824

SHA512
ac48a9d5941ac0577cfb7746087a2d8753ff00b7287b12da66c1ad3b3b4a57b62c8f5f1a17f27bff7cc513a5b69fd7ae13ac16fbc9e9cc48e6c15e7aedfbaf74

Download Submit
C:\Users\Admin\AppData\Local\Temp\HldkfcCG.exe
MD5
8062878d5d1560c72c4043058d81261e

SHA1
5846e13d09a03fcd87a354d2ac309782bfe6cbcc

SHA256
4c04dce0d2aa3fbecd1951f680bff98c2c8c11af54103e6e0aa0bb358a5c0824

SHA512
ac48a9d5941ac0577cfb7746087a2d8753ff00b7287b12da66c1ad3b3b4a57b62c8f5f1a17f27bff7cc513a5b69fd7ae13ac16fbc9e9cc48e6c15e7aedfbaf74

Download Submit
C:\Users\Admin\AppData\Local\Temp\HldkfcCG.exe
MD5
8062878d5d1560c72c4043058d81261e

SHA1
5846e13d09a03fcd87a354d2ac309782bfe6cbcc

SHA256
4c04dce0d2aa3fbecd1951f680bff98c2c8c11af54103e6e0aa0bb358a5c0824

SHA512
ac48a9d5941ac0577cfb7746087a2d8753ff00b7287b12da66c1ad3b3b4a57b62c8f5f1a17f27bff7cc513a5b69fd7ae13ac16fbc9e9cc48e6c15e7aedfbaf74

Download Submit
C:\Windows\TEMP\poetqh.exe
MD5
8062878d5d1560c72c4043058d81261e

SHA1
5846e13d09a03fcd87a354d2ac309782bfe6cbcc

SHA256
4c04dce0d2aa3fbecd1951f680bff98c2c8c11af54103e6e0aa0bb358a5c0824

SHA512
ac48a9d5941ac0577cfb7746087a2d8753ff00b7287b12da66c1ad3b3b4a57b62c8f5f1a17f27bff7cc513a5b69fd7ae13ac16fbc9e9cc48e6c15e7aedfbaf74

Download Submit
C:\Windows\Tasks\wow64.job
MD5
c48ce74d5f3308b1cf3bef0d9a347b22

SHA1
be7101d519c2d2d8b9e66553c673f2619e75ef89

SHA256
d1761a40d0bca3479c2e6b27e837f32d6fb60108da38b1244450123ae1b5db51

SHA512
003d8e9844180d3373784e383e8db8aa6c99c9fad49fe1e9746ec71f8144ed94cdbca75ea99d650cf1376154253561959c1a183148cd7298465c7e0bf334da08

Download Submit
C:\Windows\Temp\poetqh.exe
MD5
8062878d5d1560c72c4043058d81261e

SHA1
5846e13d09a03fcd87a354d2ac309782bfe6cbcc

SHA256
4c04dce0d2aa3fbecd1951f680bff98c2c8c11af54103e6e0aa0bb358a5c0824

SHA512
ac48a9d5941ac0577cfb7746087a2d8753ff00b7287b12da66c1ad3b3b4a57b62c8f5f1a17f27bff7cc513a5b69fd7ae13ac16fbc9e9cc48e6c15e7aedfbaf74

Download Submit
C:\Windows\Temp\poetqh.exe
MD5
8062878d5d1560c72c4043058d81261e

SHA1
5846e13d09a03fcd87a354d2ac309782bfe6cbcc

SHA256
4c04dce0d2aa3fbecd1951f680bff98c2c8c11af54103e6e0aa0bb358a5c0824

SHA512
ac48a9d5941ac0577cfb7746087a2d8753ff00b7287b12da66c1ad3b3b4a57b62c8f5f1a17f27bff7cc513a5b69fd7ae13ac16fbc9e9cc48e6c15e7aedfbaf74

Download Submit
\Users\Admin\AppData\Local\Temp\HldkfcCG.exe
MD5
8062878d5d1560c72c4043058d81261e

SHA1
5846e13d09a03fcd87a354d2ac309782bfe6cbcc

SHA256
4c04dce0d2aa3fbecd1951f680bff98c2c8c11af54103e6e0aa0bb358a5c0824

SHA512
ac48a9d5941ac0577cfb7746087a2d8753ff00b7287b12da66c1ad3b3b4a57b62c8f5f1a17f27bff7cc513a5b69fd7ae13ac16fbc9e9cc48e6c15e7aedfbaf74

Download Submit
\Users\Admin\AppData\Local\Temp\HldkfcCG.exe
MD5
8062878d5d1560c72c4043058d81261e

SHA1
5846e13d09a03fcd87a354d2ac309782bfe6cbcc

SHA256
4c04dce0d2aa3fbecd1951f680bff98c2c8c11af54103e6e0aa0bb358a5c0824

SHA512
ac48a9d5941ac0577cfb7746087a2d8753ff00b7287b12da66c1ad3b3b4a57b62c8f5f1a17f27bff7cc513a5b69fd7ae13ac16fbc9e9cc48e6c15e7aedfbaf74

Download Submit
memory/840-19-0x00000000048C0000-0x00000000048D1000-memory.dmp

Filesize
68KB

Download
memory/840-21-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/840-22-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/840-16-0x0000000000000000-mapping.dmp

Download
memory/1016-31-0x0000000000000000-mapping.dmp

Download
memory/1016-33-0x0000000004960000-0x0000000004971000-memory.dmp

Filesize
68KB

Download
memory/1852-2-0x0000000004880000-0x0000000004891000-memory.dmp

Filesize
68KB

Download
memory/1852-5-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1852-4-0x0000000000220000-0x0000000000256000-memory.dmp

Filesize
216KB

Download
memory/1852-3-0x00000000760F1000-0x00000000760F3000-memory.dmp

Filesize
8KB

Download
memory/1964-26-0x0000000004830000-0x0000000004841000-memory.dmp

Filesize
68KB

Download
memory/1964-24-0x0000000000000000-mapping.dmp

Download
memory/1984-38-0x0000000000000000-mapping.dmp

Download
memory/1984-40-0x0000000004740000-0x0000000004751000-memory.dmp

Filesize
68KB

Download
memory/2032-6-0x000007FEF6850000-0x000007FEF6ACA000-memory.dmp

Filesize
2.5MB

Download