systembc | f0c40cd7b07913d9ed925ebc130d4263850aeb2e16c32c47214d2b5989bbf4f5

General

Target

noxone.exe
Size

1.8MB
MD5

5a814594a50569a7d0a108f15a4372e0
SHA1

c14870a0e3b6f876dddcba34f5df00d7fe5438a9
SHA256

f0c40cd7b07913d9ed925ebc130d4263850aeb2e16c32c47214d2b5989bbf4f5
SHA512

5166099f1fe5bf31130b8d364dc0407bf7762341056b4639ab8430dc15356c8866b96b84d6ab6a66d380374b4607c4301acb39e8eb08c5063cb9f00994eebdfd
SSDEEP

49152:ocyNPK4Y1UJLBfIjNC3OIFjtSuiQpVKBuW:Mi/1UDfv317KBuW

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

45.81.225.72:4001

192.168.1.149:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

rocini mebeyabo noxone.exe

pid process

3712 rocini mebeyabo noxone.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

noxone.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation noxone.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rocini mebeyabo noxone.exe

description pid process target process

PID 3712 set thread context of 3332 3712 rocini mebeyabo noxone.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2564 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

856 PING.EXE

pid	process
3712	rocini mebeyabo noxone.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	noxone.exe

description	pid	process	target process
PID 3712 set thread context of 3332	3712	rocini mebeyabo noxone.exe	InstallUtil.exe

pid	process
2564	schtasks.exe

pid	process
856	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

noxone.exerocini mebeyabo noxone.exe

pid	process
3224	noxone.exe
3224	noxone.exe
3224	noxone.exe
3224	noxone.exe
3224	noxone.exe
3224	noxone.exe
3224	noxone.exe
3224	noxone.exe
3224	noxone.exe
3224	noxone.exe
3712	rocini mebeyabo noxone.exe
3712	rocini mebeyabo noxone.exe
3712	rocini mebeyabo noxone.exe
3712	rocini mebeyabo noxone.exe
3712	rocini mebeyabo noxone.exe
3712	rocini mebeyabo noxone.exe
3712	rocini mebeyabo noxone.exe
3712	rocini mebeyabo noxone.exe
3712	rocini mebeyabo noxone.exe
3712	rocini mebeyabo noxone.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

noxone.execmd.exerocini mebeyabo noxone.exe

description	pid	process	target process
PID 3224 wrote to memory of 2564	3224	noxone.exe	schtasks.exe
PID 3224 wrote to memory of 2564	3224	noxone.exe	schtasks.exe
PID 3224 wrote to memory of 2564	3224	noxone.exe	schtasks.exe
PID 3224 wrote to memory of 3712	3224	noxone.exe	rocini mebeyabo noxone.exe
PID 3224 wrote to memory of 3712	3224	noxone.exe	rocini mebeyabo noxone.exe
PID 3224 wrote to memory of 3712	3224	noxone.exe	rocini mebeyabo noxone.exe
PID 3224 wrote to memory of 1308	3224	noxone.exe	cmd.exe
PID 3224 wrote to memory of 1308	3224	noxone.exe	cmd.exe
PID 3224 wrote to memory of 1308	3224	noxone.exe	cmd.exe
PID 1308 wrote to memory of 5032	1308	cmd.exe	chcp.com
PID 1308 wrote to memory of 5032	1308	cmd.exe	chcp.com
PID 1308 wrote to memory of 5032	1308	cmd.exe	chcp.com
PID 1308 wrote to memory of 856	1308	cmd.exe	PING.EXE
PID 1308 wrote to memory of 856	1308	cmd.exe	PING.EXE
PID 1308 wrote to memory of 856	1308	cmd.exe	PING.EXE
PID 3712 wrote to memory of 3332	3712	rocini mebeyabo noxone.exe	InstallUtil.exe
PID 3712 wrote to memory of 3332	3712	rocini mebeyabo noxone.exe	InstallUtil.exe
PID 3712 wrote to memory of 3332	3712	rocini mebeyabo noxone.exe	InstallUtil.exe
PID 3712 wrote to memory of 3332	3712	rocini mebeyabo noxone.exe	InstallUtil.exe
PID 3712 wrote to memory of 3332	3712	rocini mebeyabo noxone.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\noxone.exe
"C:\Users\Admin\AppData\Local\Temp\noxone.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3224

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Makip pake racotef pewina ligiya pofol kadoquif yerotel mad reyeg hexiyino\rocini mebeyabo noxone.exe"
2⤵
- Creates scheduled task(s)
PID:2564

C:\Users\Admin\Makip pake racotef pewina ligiya pofol kadoquif yerotel mad reyeg hexiyino\rocini mebeyabo noxone.exe
"C:\Users\Admin\Makip pake racotef pewina ligiya pofol kadoquif yerotel mad reyeg hexiyino\rocini mebeyabo noxone.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:3332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\noxone.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:5032

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Makip pake racotef pewina ligiya pofol kadoquif yerotel mad reyeg hexiyino\rocini mebeyabo noxone.exe
Filesize
387.4MB

MD5
b70f5b498611efb6c7718172e03a42da

SHA1
29a9f1672a9ff83afe2d7c909e1221f411960dbb

SHA256
7b35318dd58a2df89557d731c2ffa22f07cec27a85ff5963357a5373c360bb8c

SHA512
2f398ea5f81a48c34f181e534b5ce4f780b1c2e5f761fb248a2454cac3e04b132ea05d3ad3f1807532362f9b14c5ffd9995520de6b45915ecd8eacd9857641c4

Download Submit
C:\Users\Admin\Makip pake racotef pewina ligiya pofol kadoquif yerotel mad reyeg hexiyino\rocini mebeyabo noxone.exe
Filesize
392.8MB

MD5
74a1f32bdf8c9abbed0eb84969d67404

SHA1
d91d5aa1c6ad364eb7916d85cdf3cebb661891ab

SHA256
04b38ffc73ae0735532762733349ac5e7ca8d2dd34e8276fbbe845fa70517923

SHA512
aa0681dbf9754445416c99a4b02fbd281f343463728f8447a3e800caf945f6c85118481ede1662cbb016f269e1c689edcfeb10ef35c872a92bafdd39ee006519

Download Submit
memory/856-143-0x0000000000000000-mapping.dmp

Download
memory/1308-140-0x0000000000000000-mapping.dmp

Download
memory/2564-136-0x0000000000000000-mapping.dmp

Download
memory/3224-135-0x000000000301A000-0x00000000031A9000-memory.dmp

Filesize
1.6MB

Download
memory/3224-132-0x000000000268F000-0x0000000003007000-memory.dmp

Filesize
9.5MB

Download
memory/3224-134-0x000000000268F000-0x0000000003007000-memory.dmp

Filesize
9.5MB

Download
memory/3224-141-0x000000000301A000-0x00000000031A9000-memory.dmp

Filesize
1.6MB

Download
memory/3224-133-0x000000000301A000-0x00000000031A9000-memory.dmp

Filesize
1.6MB

Download
memory/3332-155-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3332-153-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3332-151-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3332-150-0x0000000000000000-mapping.dmp

Download
memory/3712-147-0x0000000002CAA000-0x0000000002E39000-memory.dmp

Filesize
1.6MB

Download
memory/3712-146-0x0000000002327000-0x0000000002C9F000-memory.dmp

Filesize
9.5MB

Download
memory/3712-148-0x0000000002780000-0x00000000027E9000-memory.dmp

Filesize
420KB

Download
memory/3712-149-0x0000000002780000-0x00000000027E9000-memory.dmp

Filesize
420KB

Download
memory/3712-145-0x0000000002CAA000-0x0000000002E39000-memory.dmp

Filesize
1.6MB

Download
memory/3712-144-0x0000000002327000-0x0000000002C9F000-memory.dmp

Filesize
9.5MB

Download
memory/3712-137-0x0000000000000000-mapping.dmp

Download
memory/3712-156-0x0000000002CAA000-0x0000000002E39000-memory.dmp

Filesize
1.6MB

Download
memory/5032-142-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads