Analysis
-
max time kernel
119s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
25-12-2022 07:49
General
-
Target
a0be0fc03b5e4097a0a60f89afd3ea9c.exe
-
Size
375KB
-
MD5
a0be0fc03b5e4097a0a60f89afd3ea9c
-
SHA1
dae6c080f184ffe61e62931084cef68a5e45dbb7
-
SHA256
71c37b1d53f487f7b8c025ab8b3aca6635e3d1555b5961a5c9b56bbbeca9888f
-
SHA512
0596fa6739a36d3505d821a7144ec90ed288a0b25667fdd5a0aad2491ba24c9118c55d4530d3636236685870c99c2603259cded573548b178d63f3c4c6cf851e
-
SSDEEP
6144:0bKbnMYcwtusRIUA3ku18D5kebj/juUe4WV5s+gVRfvV3PxD:0bgnFcoRIUMku18D9jrpzWV5JOfvhPd
Malware Config
Extracted
systembc
rupertok.su:4083
podisong.su:4083
Signatures
-
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
-
Executes dropped EXE 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0be0fc03b5e4097a0a60f89afd3ea9c.exe"C:\Users\Admin\AppData\Local\Temp\a0be0fc03b5e4097a0a60f89afd3ea9c.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\taskeng.exetaskeng.exe {167B7BA6-06B9-477A-A5A6-2F3846B2D114} S-1-5-21-3406023954-474543476-3319432036-1000:VUIIVLGQ\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\tqboeb\kxhbc.exeC:\ProgramData\tqboeb\kxhbc.exe start22⤵
- Executes dropped EXE
-
C:\ProgramData\tqboeb\kxhbc.exeC:\ProgramData\tqboeb\kxhbc.exe start22⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\tqboeb\kxhbc.exeFilesize
375KB
MD5a0be0fc03b5e4097a0a60f89afd3ea9c
SHA1dae6c080f184ffe61e62931084cef68a5e45dbb7
SHA25671c37b1d53f487f7b8c025ab8b3aca6635e3d1555b5961a5c9b56bbbeca9888f
SHA5120596fa6739a36d3505d821a7144ec90ed288a0b25667fdd5a0aad2491ba24c9118c55d4530d3636236685870c99c2603259cded573548b178d63f3c4c6cf851e
-
C:\ProgramData\tqboeb\kxhbc.exeFilesize
375KB
MD5a0be0fc03b5e4097a0a60f89afd3ea9c
SHA1dae6c080f184ffe61e62931084cef68a5e45dbb7
SHA25671c37b1d53f487f7b8c025ab8b3aca6635e3d1555b5961a5c9b56bbbeca9888f
SHA5120596fa6739a36d3505d821a7144ec90ed288a0b25667fdd5a0aad2491ba24c9118c55d4530d3636236685870c99c2603259cded573548b178d63f3c4c6cf851e
-
C:\ProgramData\tqboeb\kxhbc.exeFilesize
375KB
MD5a0be0fc03b5e4097a0a60f89afd3ea9c
SHA1dae6c080f184ffe61e62931084cef68a5e45dbb7
SHA25671c37b1d53f487f7b8c025ab8b3aca6635e3d1555b5961a5c9b56bbbeca9888f
SHA5120596fa6739a36d3505d821a7144ec90ed288a0b25667fdd5a0aad2491ba24c9118c55d4530d3636236685870c99c2603259cded573548b178d63f3c4c6cf851e
-
memory/604-58-0x0000000000400000-0x00000000062E4000-memory.dmpFilesize
94.9MB
-
memory/604-54-0x00000000064B3000-0x00000000064B9000-memory.dmpFilesize
24KB
-
memory/604-56-0x00000000064B3000-0x00000000064B9000-memory.dmpFilesize
24KB
-
memory/604-57-0x0000000000230000-0x0000000000235000-memory.dmpFilesize
20KB
-
memory/604-55-0x00000000757E1000-0x00000000757E3000-memory.dmpFilesize
8KB
-
memory/684-60-0x0000000000000000-mapping.dmp
-
memory/684-62-0x00000000063D3000-0x00000000063D9000-memory.dmpFilesize
24KB
-
memory/684-64-0x00000000063D3000-0x00000000063D9000-memory.dmpFilesize
24KB
-
memory/684-65-0x0000000000400000-0x00000000062E4000-memory.dmpFilesize
94.9MB
-
memory/1488-66-0x0000000000000000-mapping.dmp
-
memory/1488-68-0x00000000002D3000-0x00000000002D9000-memory.dmpFilesize
24KB
-
memory/1488-70-0x00000000002D3000-0x00000000002D9000-memory.dmpFilesize
24KB
-
memory/1488-71-0x0000000000400000-0x00000000062E4000-memory.dmpFilesize
94.9MB