Behavioral Report

max time kernel202s
max time network220s
platformwindows7_x64
resourcewin7-20220414-en
submitted12-05-2022 11:43

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

5c947115e5de28bf753bdf423b76cec09ab76f339c62058392b603391cbf461f.exe

Filesize

247KB

Completed

12-05-2022 12:04

Task

behavioral1

Score

10^/10

MD5

aa00750f0df31493289bf07719cefd5e

SHA1

3c5b53cea10a28b955d1224ec2d293c639874593

SHA256

5c947115e5de28bf753bdf423b76cec09ab76f339c62058392b603391cbf461f

SHA256

cc679227e4e137885cfbf475e89f5832cbb3009b2e95aba661b6f2c973bc56672480e3c695daca6acf825fafcc8bc7e667ab92eb81da2d1aeb7d66deb55d7704

systembc trojan

Extracted

Family	systembc
C2	217.8.117.114:4062 213.159.213.225:4062 217.8.117.114:4062 213.159.213.225:4062

SystemBC

Description

SystemBC is a proxy and remote administration tool first seen in 2019.

Tags

trojan systembc
Executes dropped EXE
dxnbbe.exe

Reported IOCs

pid process

1324 dxnbbe.exe

pid	process
1324	dxnbbe.exe

Drops file in Windows directory

5c947115e5de28bf753bdf423b76cec09ab76f339c62058392b603391cbf461f.exe

Reported IOCs

description	ioc	process
File opened for modification	C:\Windows\Tasks\dxnbbe.job	5c947115e5de28bf753bdf423b76cec09ab76f339c62058392b603391cbf461f.exe
File created	C:\Windows\Tasks\dxnbbe.job	5c947115e5de28bf753bdf423b76cec09ab76f339c62058392b603391cbf461f.exe

Suspicious behavior: EnumeratesProcesses
5c947115e5de28bf753bdf423b76cec09ab76f339c62058392b603391cbf461f.exe

Reported IOCs

pid process

956 5c947115e5de28bf753bdf423b76cec09ab76f339c62058392b603391cbf461f.exe

pid	process
956	5c947115e5de28bf753bdf423b76cec09ab76f339c62058392b603391cbf461f.exe

Suspicious use of WriteProcessMemory

taskeng.exe

Reported IOCs

description	pid	process	target process
PID 1408 wrote to memory of 1324	1408	taskeng.exe	dxnbbe.exe
PID 1408 wrote to memory of 1324	1408	taskeng.exe	dxnbbe.exe
PID 1408 wrote to memory of 1324	1408	taskeng.exe	dxnbbe.exe
PID 1408 wrote to memory of 1324	1408	taskeng.exe	dxnbbe.exe

C:\Users\Admin\AppData\Local\Temp\5c947115e5de28bf753bdf423b76cec09ab76f339c62058392b603391cbf461f.exe

"C:\Users\Admin\AppData\Local\Temp\5c947115e5de28bf753bdf423b76cec09ab76f339c62058392b603391cbf461f.exe"

Drops file in Windows directory
Suspicious behavior: EnumeratesProcesses

PID:956

C:\Windows\system32\taskeng.exe

taskeng.exe {BF5D225C-087D-4604-851F-43FDAC6B4977} S-1-5-18:NT AUTHORITY\System:Service:

Suspicious use of WriteProcessMemory

PID:1408

C:\ProgramData\bnwq\dxnbbe.exe

C:\ProgramData\bnwq\dxnbbe.exe start

Executes dropped EXE

PID:1324

Collection

Command and Control

Credential Access

Defense Evasion

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

C:\ProgramData\bnwq\dxnbbe.exe
MD5
aa00750f0df31493289bf07719cefd5e

SHA1
3c5b53cea10a28b955d1224ec2d293c639874593

SHA256
5c947115e5de28bf753bdf423b76cec09ab76f339c62058392b603391cbf461f

SHA512
cc679227e4e137885cfbf475e89f5832cbb3009b2e95aba661b6f2c973bc56672480e3c695daca6acf825fafcc8bc7e667ab92eb81da2d1aeb7d66deb55d7704

Download Submit
C:\ProgramData\bnwq\dxnbbe.exe
MD5
aa00750f0df31493289bf07719cefd5e

SHA1
3c5b53cea10a28b955d1224ec2d293c639874593

SHA256
5c947115e5de28bf753bdf423b76cec09ab76f339c62058392b603391cbf461f

SHA512
cc679227e4e137885cfbf475e89f5832cbb3009b2e95aba661b6f2c973bc56672480e3c695daca6acf825fafcc8bc7e667ab92eb81da2d1aeb7d66deb55d7704

Download Submit
memory/956-55-0x0000000000970000-0x0000000000980000-memory.dmp

Download
memory/956-57-0x0000000077040000-0x00000000771C0000-memory.dmp

Download
memory/956-58-0x00000000009D0000-0x00000000009DB000-memory.dmp

Download
memory/956-54-0x0000000075711000-0x0000000075713000-memory.dmp

Download
memory/1324-60-0x0000000000000000-mapping.dmp

Download

Extracted

Filter: none

Description

Tags

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title