Malware Analysis Report

2025-05-05 23:59

Sample ID 230208-xr3z9adh5z
Target 40753d4f4ba5863be3aaaa38cd50995a.exe
SHA256 23f66ece38393f81fc1f892c9243cebb6e5412b95629cc07fa83065f5b5a3e02
Tags systembc trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 23f66ece38393f81fc1f892c9243cebb6e5412b95629cc07fa83065f5b5a3e02

Threat Level: Known bad

The file 40753d4f4ba5863be3aaaa38cd50995a.exe was found to be: Known bad.

Malicious Activity Summary

systembc trojan

SystemBC

Executes dropped EXE

Looks up external IP address via web service

Uses Tor communications

Drops file in Windows directory

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-02-08 19:06

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-02-08 19:06

Reported 2023-02-08 19:08

Platform win7-20221111-en

Max time kernel 150s

Max time network 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe"

Signatures

SystemBC

trojan systembc

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\xwfbubo\nnigtj.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A
N/A | ip4.seeip.org | N/A | N/A
N/A | ip4.seeip.org | N/A | N/A

Uses Tor communications

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\nnigtj.job | C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe | N/A
File opened for modification | C:\Windows\Tasks\nnigtj.job | C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1056 wrote to memory of 1492 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\xwfbubo\nnigtj.exe
PID 1056 wrote to memory of 1492 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\xwfbubo\nnigtj.exe
PID 1056 wrote to memory of 1492 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\xwfbubo\nnigtj.exe
PID 1056 wrote to memory of 1492 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\xwfbubo\nnigtj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe

"C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {979C1381-9E32-4842-BF1D-152D40824640} S-1-5-18:NT AUTHORITY\System:Service:

C:\ProgramData\xwfbubo\nnigtj.exe

C:\ProgramData\xwfbubo\nnigtj.exe start

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | winstationsocks.com | udp
US | 8.8.8.8:53 | winstationsocks.xyz | udp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 173.231.16.76:443 | api.ipify.org | tcp
US | 8.8.8.8:53 | ip4.seeip.org | udp
US | 23.128.64.141:443 | ip4.seeip.org | tcp
NL | 194.109.206.212:80 | N/A | tcp
US | 128.31.0.34:9131 | N/A | tcp
CA | 199.58.81.140:80 | 199.58.81.140 | tcp
DE | 178.200.169.85:19003 | N/A | tcp
DE | 138.201.55.70:8443 | N/A | tcp
TW | 123.194.142.123:9030 | 123.194.142.123 | tcp
CH | 81.221.195.173:9001 | N/A | tcp
NO | 88.89.120.37:9001 | N/A | tcp
DE | 49.12.100.45:9001 | N/A | tcp
DE | 95.223.32.66:9002 | 95.223.32.66 | tcp
CH | 213.196.191.96:9080 | N/A | tcp
IN | 65.20.73.136:9001 | N/A | tcp
GB | 51.38.81.39:443 | N/A | tcp
US | 45.32.66.7:9001 | N/A | tcp
AT | 140.78.100.23:5443 | N/A | tcp
DE | 91.54.134.80:80 | N/A | tcp
DE | 78.46.202.212:9030 | 78.46.202.212 | tcp
AT | 140.78.100.26:5443 | N/A | tcp
DE | 164.68.113.187:34023 | N/A | tcp
DE | 91.89.221.166:9001 | N/A | tcp
FR | 45.145.166.104:9000 | N/A | tcp
PL | 173.232.194.19:443 | N/A | tcp
DE | 46.228.199.128:9001 | N/A | tcp
RS | 109.93.92.153:9030 | 109.93.92.153 | tcp
DE | 217.79.181.38:9001 | N/A | tcp
SE | 185.239.222.243:443 | N/A | tcp
US | 45.32.80.44:9001 | N/A | tcp
LU | 213.135.244.242:24071 | N/A | tcp
FR | 51.91.73.194:9030 | 51.91.73.194 | tcp
NL | 5.255.104.207:443 | N/A | tcp
CZ | 91.224.90.35:993 | N/A | tcp
DE | 194.36.144.87:9001 | N/A | tcp
FR | 51.77.245.88:9060 | N/A | tcp
DE | 89.163.128.25:443 | N/A | tcp
US | 23.239.22.248:9030 | 23.239.22.248 | tcp
CA | 144.217.87.28:9001 | N/A | tcp
NL | 51.15.120.162:9001 | N/A | tcp
DE | 212.227.206.135:443 | N/A | tcp
DE | 185.220.101.139:11139 | N/A | tcp
FR | 93.7.140.202:9002 | N/A | tcp
US | 45.79.70.219:9090 | N/A | tcp
FI | 185.193.126.10:443 | N/A | tcp
NL | 192.42.113.101:9002 | N/A | tcp
US | 209.141.36.65:9030 | 209.141.36.65 | tcp
FR | 82.65.165.202:9443 | N/A | tcp
US | 50.116.47.139:9030 | 50.116.47.139 | tcp
CA | 192.99.43.171:9001 | N/A | tcp
DE | 116.202.97.46:9001 | N/A | tcp
GB | 77.68.29.65:443 | N/A | tcp
IT | 95.230.122.163:443 | N/A | tcp
FR | 2.56.247.40:9100 | N/A | tcp
FR | 163.172.94.144:443 | N/A | tcp
US | 69.164.211.18:9090 | N/A | tcp
US | 45.61.185.38:55555 | N/A | tcp
DE | 88.130.23.141:9030 | N/A | tcp
US | 144.202.57.230:443 | N/A | tcp
IS | 93.95.231.124:9030 | 93.95.231.124 | tcp
DE | 173.212.239.78:9001 | N/A | tcp
DE | 217.160.13.173:6547 | 217.160.13.173 | tcp
JP | 14.9.101.224:8351 | N/A | tcp
DE | 81.169.255.125:9001 | N/A | tcp
HU | 91.219.237.160:9001 | N/A | tcp
JP | 150.43.248.29:443 | N/A | tcp
MX | 187.207.27.50:9130 | 187.207.27.50 | tcp
RU | 94.242.59.47:443 | N/A | tcp
IT | 158.58.173.209:8443 | N/A | tcp
LU | 107.189.30.210:7777 | N/A | tcp
JP | 172.104.79.222:80 | N/A | tcp

Files

memory/2040-54-0x00000000002C8000-0x00000000002CF000-memory.dmp

memory/2040-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

memory/2040-57-0x0000000000020000-0x0000000000029000-memory.dmp

memory/2040-56-0x00000000002C8000-0x00000000002CF000-memory.dmp

memory/2040-58-0x0000000000400000-0x0000000000854000-memory.dmp

C:\ProgramData\xwfbubo\nnigtj.exe

MD5 40753d4f4ba5863be3aaaa38cd50995a
SHA1 cb58f6a57ecd27e7380e0f38dedb621d7d161e19
SHA256 23f66ece38393f81fc1f892c9243cebb6e5412b95629cc07fa83065f5b5a3e02
SHA512 7a458e629b22a0d62b9b34df9e04e40eca88ebc8f4067f42f83a0a1d6812cf56635c3d17c48b5ef97ea900c439ab30d32c5307ce6bfee7842b2202e3e1a831ad

memory/1492-60-0x0000000000000000-mapping.dmp

C:\ProgramData\xwfbubo\nnigtj.exe

MD5 40753d4f4ba5863be3aaaa38cd50995a
SHA1 cb58f6a57ecd27e7380e0f38dedb621d7d161e19
SHA256 23f66ece38393f81fc1f892c9243cebb6e5412b95629cc07fa83065f5b5a3e02
SHA512 7a458e629b22a0d62b9b34df9e04e40eca88ebc8f4067f42f83a0a1d6812cf56635c3d17c48b5ef97ea900c439ab30d32c5307ce6bfee7842b2202e3e1a831ad

memory/1492-62-0x00000000009A8000-0x00000000009AF000-memory.dmp

memory/1492-64-0x00000000009A8000-0x00000000009AF000-memory.dmp

memory/1492-65-0x0000000000400000-0x0000000000854000-memory.dmp

memory/2040-66-0x00000000002C8000-0x00000000002CF000-memory.dmp

memory/1492-67-0x00000000009A8000-0x00000000009AF000-memory.dmp

memory/2040-68-0x00000000002C8000-0x00000000002CF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-02-08 19:06

Reported 2023-02-08 19:08

Platform win10v2004-20220901-en

Max time kernel 148s

Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe"

Signatures

SystemBC

trojan systembc

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\vxvsqoo\gqrmwp.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | api.ipify.org | N/A | N/A
N/A | api.ipify.org | N/A | N/A

Uses Tor communications

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\gqrmwp.job | C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe | N/A
File opened for modification | C:\Windows\Tasks\gqrmwp.job | C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe

"C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe"

C:\ProgramData\vxvsqoo\gqrmwp.exe

C:\ProgramData\vxvsqoo\gqrmwp.exe start

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2148 -ip 2148

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2148 -s 484

Network

Country | Destination | Domain | Proto
US | 209.197.3.8:80 | N/A | tcp
US | 20.42.73.25:443 | N/A | tcp
US | 8.8.8.8:53 | winstationsocks.com | udp
US | 8.8.8.8:53 | winstationsocks.xyz | udp
US | 8.8.8.8:53 | api.ipify.org | udp
US | 173.231.16.76:443 | api.ipify.org | tcp
US | 204.13.164.118:80 | 204.13.164.118 | tcp
DE | 195.201.147.230:9001 | N/A | tcp
RU | 85.143.214.143:21 | 85.143.214.143 | tcp
FI | 95.216.159.94:443 | N/A | tcp
NL | 82.197.215.30:9030 | 82.197.215.30 | tcp
DE | 185.220.101.139:11139 | N/A | tcp
IN | 206.189.132.95:9030 | 206.189.132.95 | tcp
CH | 213.144.142.24:9001 | N/A | tcp
IT | 95.238.36.233:9001 | N/A | tcp
DE | 116.203.195.42:9030 | 116.203.195.42 | tcp
FI | 65.21.251.26:443 | N/A | tcp
DE | 79.197.231.189:22154 | 79.197.231.189 | tcp
KG | 176.126.164.93:443 | N/A | tcp
DE | 37.120.177.211:9030 | 37.120.177.211 | tcp
GB | 89.191.217.1:9001 | N/A | tcp
BG | 85.91.153.163:9030 | 85.91.153.163 | tcp
US | 45.79.159.52:9001 | N/A | tcp
US | 209.141.61.36:9030 | 209.141.61.36 | tcp
MD | 37.221.65.168:8360 | N/A | tcp
US | 45.79.197.155:9030 | 45.79.197.155 | tcp
IT | 79.35.138.70:9001 | N/A | tcp
UA | 176.36.117.185:9030 | 176.36.117.185 | tcp
DE | 92.117.23.50:9001 | N/A | tcp
US | 64.98.231.29:9030 | 64.98.231.29 | tcp
FI | 65.21.50.48:443 | N/A | tcp
CZ | 89.203.249.226:9030 | 89.203.249.226 | tcp
DE | 193.26.156.87:9001 | N/A | tcp
CA | 208.92.194.252:995 | 208.92.194.252 | tcp
SE | 185.139.228.158:443 | N/A | tcp
DE | 213.139.243.21:9030 | 213.139.243.21 | tcp
NL | 178.62.222.199:9001 | N/A | tcp
DE | 149.233.248.147:9030 | 149.233.248.147 | tcp
DE | 93.177.67.43:9001 | N/A | tcp
CA | 192.160.102.170:80 | 192.160.102.170 | tcp
DE | 212.83.43.94:80 | N/A | tcp
GB | 176.58.110.66:9030 | 176.58.110.66 | tcp
SE | 92.34.148.151:9001 | N/A | tcp
JP | 219.100.161.101:9030 | 219.100.161.101 | tcp
DE | 91.5.160.178:9001 | N/A | tcp
KR | 13.124.18.130:9030 | 13.124.18.130 | tcp
ES | 88.6.186.252:9210 | N/A | tcp
DE | 24.134.234.17:9030 | 24.134.234.17 | tcp
NL | 213.108.108.136:443 | N/A | tcp
US | 23.126.9.217:9030 | 23.126.9.217 | tcp
SE | 185.239.222.243:443 | N/A | tcp
DE | 116.203.195.42:9030 | 116.203.195.42 | tcp
IT | 93.55.235.232:443 | N/A | tcp
US | 147.135.114.98:9001 | N/A | tcp
NZ | 131.203.32.146:9030 | 131.203.32.146 | tcp
FR | 137.74.119.109:9001 | N/A | tcp
FI | 65.21.246.132:9030 | 65.21.246.132 | tcp
DE | 75.119.156.62:9003 | N/A | tcp
DE | 84.158.122.230:9030 | 84.158.122.230 | tcp
US | 198.98.62.52:7777 | N/A | tcp
US | 108.51.27.74:9031 | 108.51.27.74 | tcp
DE | 130.61.220.149:2839 | N/A | tcp
NL | 193.178.169.149:9030 | 193.178.169.149 | tcp
US | 45.61.185.178:55555 | N/A | tcp
DE | 149.233.248.147:9030 | 149.233.248.147 | tcp
FR | 82.66.10.17:9001 | N/A | tcp
FR | 163.172.151.206:9030 | 163.172.151.206 | tcp
FR | 92.243.6.46:443 | N/A | tcp
JP | 116.80.46.130:10080 | N/A | tcp
DE | 85.10.240.250:443 | N/A | tcp
DE | 159.89.106.80:9030 | 159.89.106.80 | tcp

Files

memory/2148-133-0x0000000000030000-0x0000000000039000-memory.dmp

memory/2148-132-0x00000000008E2000-0x00000000008E8000-memory.dmp

memory/2148-134-0x0000000000400000-0x0000000000854000-memory.dmp

memory/2148-135-0x00000000008E2000-0x00000000008E8000-memory.dmp

C:\ProgramData\vxvsqoo\gqrmwp.exe

MD5 40753d4f4ba5863be3aaaa38cd50995a
SHA1 cb58f6a57ecd27e7380e0f38dedb621d7d161e19
SHA256 23f66ece38393f81fc1f892c9243cebb6e5412b95629cc07fa83065f5b5a3e02
SHA512 7a458e629b22a0d62b9b34df9e04e40eca88ebc8f4067f42f83a0a1d6812cf56635c3d17c48b5ef97ea900c439ab30d32c5307ce6bfee7842b2202e3e1a831ad

C:\ProgramData\vxvsqoo\gqrmwp.exe

MD5 40753d4f4ba5863be3aaaa38cd50995a
SHA1 cb58f6a57ecd27e7380e0f38dedb621d7d161e19
SHA256 23f66ece38393f81fc1f892c9243cebb6e5412b95629cc07fa83065f5b5a3e02
SHA512 7a458e629b22a0d62b9b34df9e04e40eca88ebc8f4067f42f83a0a1d6812cf56635c3d17c48b5ef97ea900c439ab30d32c5307ce6bfee7842b2202e3e1a831ad

memory/2356-138-0x00000000009BD000-0x00000000009C4000-memory.dmp

memory/2356-139-0x0000000000400000-0x0000000000854000-memory.dmp

memory/2356-140-0x00000000009BD000-0x00000000009C4000-memory.dmp

memory/2148-141-0x00000000008E2000-0x00000000008E8000-memory.dmp