systembc | 7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d

Analysis

max time kernel
147s
max time network
318s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
03-12-2022 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe
Size

1.3MB
MD5

74079c12b9f2aac6e8c6589d02a61bae
SHA1

f3ee1c95814a8bb9f4924219820e84c8b63928b1
SHA256

7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d
SHA512

90a11fd92bab604b2d86a7b0b84b15dc60b68fc8979434930e86e3e7f57eea436ae21f5685ddf8ba9f3f3847ec397340015f32de314f7993e39dcd9b0a7d9e9c
SSDEEP

24576:ZmMuVE/AnaKAHh6akEKtkZf/UUsdAIAtJmzbN9RpMm/fi+oaWuBX/5:ZmMuGJ6nEKqJJxIoJmt97tfi+oa5Bv5

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

89.22.236.225:4193

176.124.205.5:4193

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe

pid process

3416 Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe

description pid process target process

PID 3416 set thread context of 3184 3416 Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe ngentask.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4268 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3580 PING.EXE

pid	process
3416	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe

description	pid	process	target process
PID 3416 set thread context of 3184	3416	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe	ngentask.exe

pid	process
4268	schtasks.exe

pid	process
3580	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exeXigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe

pid	process
3880	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe
3880	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe
3880	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe
3880	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe
3880	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe
3880	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe
3880	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe
3880	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe
3880	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe
3880	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe
3416	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
3416	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
3416	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
3416	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
3416	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
3416	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
3416	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
3416	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
3416	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
3416	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.execmd.exeXigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe

description	pid	process	target process
PID 3880 wrote to memory of 4268	3880	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe	schtasks.exe
PID 3880 wrote to memory of 4268	3880	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe	schtasks.exe
PID 3880 wrote to memory of 4268	3880	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe	schtasks.exe
PID 3880 wrote to memory of 3416	3880	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
PID 3880 wrote to memory of 3416	3880	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
PID 3880 wrote to memory of 3416	3880	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
PID 3880 wrote to memory of 4460	3880	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe	cmd.exe
PID 3880 wrote to memory of 4460	3880	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe	cmd.exe
PID 3880 wrote to memory of 4460	3880	7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe	cmd.exe
PID 4460 wrote to memory of 4408	4460	cmd.exe	chcp.com
PID 4460 wrote to memory of 4408	4460	cmd.exe	chcp.com
PID 4460 wrote to memory of 4408	4460	cmd.exe	chcp.com
PID 4460 wrote to memory of 3580	4460	cmd.exe	PING.EXE
PID 4460 wrote to memory of 3580	4460	cmd.exe	PING.EXE
PID 4460 wrote to memory of 3580	4460	cmd.exe	PING.EXE
PID 3416 wrote to memory of 3048	3416	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe	ngentask.exe
PID 3416 wrote to memory of 3048	3416	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe	ngentask.exe
PID 3416 wrote to memory of 3048	3416	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe	ngentask.exe
PID 3416 wrote to memory of 5076	3416	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe	ngentask.exe
PID 3416 wrote to memory of 5076	3416	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe	ngentask.exe
PID 3416 wrote to memory of 5076	3416	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe	ngentask.exe
PID 3416 wrote to memory of 3184	3416	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe	ngentask.exe
PID 3416 wrote to memory of 3184	3416	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe	ngentask.exe
PID 3416 wrote to memory of 3184	3416	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe	ngentask.exe
PID 3416 wrote to memory of 3184	3416	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe	ngentask.exe
PID 3416 wrote to memory of 3184	3416	Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe	ngentask.exe

C:\Users\Admin\AppData\Local\Temp\7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe
"C:\Users\Admin\AppData\Local\Temp\7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3880

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Vika\Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe"
2⤵
- Creates scheduled task(s)
PID:4268

C:\Users\Admin\Vika\Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
"C:\Users\Admin\Vika\Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
3⤵
PID:3048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
3⤵
PID:5076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
3⤵
PID:3184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\7b6637b2e136f7d7faa5d8a860e7849896ce548a6681840df2adacb23808782d.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:4408

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Vika\Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
Filesize
798.3MB

MD5
07ba3ecfa31a23d0fcb9e8c0a5b98c34

SHA1
a09c1de75a724f3df3acfbb2b4750b169cbbc9b0

SHA256
abb42e8370198091c38f7810ad3e36dc08af47e14d216b7a6111df9c5af35984

SHA512
4cec0f6ab8b8d639daebc0ce79a75d389cd022e10dad7282c326496c31d2c2ffd3fee89c1f7e39653e22dd3aea0410c389ee3093a0ccc19e23fe48096660a8eb

Download Submit
C:\Users\Admin\Vika\Xigir soveh kipanal rabapa xaqu nahiniy vakexo gav.exe
Filesize
798.3MB

MD5
07ba3ecfa31a23d0fcb9e8c0a5b98c34

SHA1
a09c1de75a724f3df3acfbb2b4750b169cbbc9b0

SHA256
abb42e8370198091c38f7810ad3e36dc08af47e14d216b7a6111df9c5af35984

SHA512
4cec0f6ab8b8d639daebc0ce79a75d389cd022e10dad7282c326496c31d2c2ffd3fee89c1f7e39653e22dd3aea0410c389ee3093a0ccc19e23fe48096660a8eb

Download Submit
memory/3184-332-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3416-183-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3416-181-0x0000000000000000-mapping.dmp

Download
memory/3416-336-0x0000000011EE0000-0x0000000011F73000-memory.dmp

Filesize
588KB

Download
memory/3416-331-0x00000000067A0000-0x00000000068A4000-memory.dmp

Filesize
1.0MB

Download
memory/3416-286-0x0000000011EE0000-0x0000000011F73000-memory.dmp

Filesize
588KB

Download
memory/3416-260-0x00000000067A0000-0x00000000068A4000-memory.dmp

Filesize
1.0MB

Download
memory/3580-234-0x0000000000000000-mapping.dmp

Download
memory/3880-148-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-153-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-122-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-123-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-124-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-125-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-126-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-127-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-128-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-129-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-130-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-131-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-132-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-133-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-134-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-135-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-136-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-137-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-138-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-139-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-140-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-141-0x0000000006950000-0x0000000006A4D000-memory.dmp

Filesize
1012KB

Download
memory/3880-142-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-143-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-144-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-145-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-146-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-147-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-120-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-149-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-150-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-151-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-152-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-121-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-154-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-155-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-156-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-157-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-158-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-159-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-160-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-161-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-162-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-163-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-164-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-165-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-166-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-167-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-168-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-169-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-170-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-171-0x0000000006950000-0x0000000006A4D000-memory.dmp

Filesize
1012KB

Download
memory/3880-172-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-173-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-174-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-175-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-115-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-116-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-117-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-118-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/3880-119-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/4268-180-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/4268-179-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/4268-178-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/4268-177-0x0000000076EC0000-0x000000007704E000-memory.dmp

Filesize
1.6MB

Download
memory/4268-176-0x0000000000000000-mapping.dmp

Download
memory/4408-225-0x0000000000000000-mapping.dmp

Download
memory/4460-189-0x0000000000000000-mapping.dmp

Download