Malware Analysis Report

2025-05-05 23:58

Sample ID 230209-yd4kasac34
Target D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe
SHA256 d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a
Tags
upx systembc discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a

Threat Level: Known bad

The file D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe was found to be: Known bad.

Malicious Activity Summary

upx systembc discovery trojan

SystemBC

UPX packed file

Checks computer location settings

Executes dropped EXE

Checks installed software on the system

Drops file in Windows directory

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-02-09 19:41

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
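The static1 verdict above rests on one indicator, UPX section names in the PE section table. The Python below is an added example, not part of this report or of any sandbox's own code, that reads the section table directly with struct and reports the same thing, plus the secondary layout hint a reviewer would want when the names have been scrubbed. build_minimal_pe is a constructed test fixture that emits headers only (not a runnable executable); the section layouts fed to it are assumptions modelled on a typical UPX build, not bytes from this sample.

```python
import struct
import sys

COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def parse_sections(data: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.

    Only the fields useful for packer triage are decoded. Anything that is not
    a well-formed PE raises ValueError so a truncated blob is never 'clean'.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: no DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    coff = e_lfanew + 4
    if data[e_lfanew:coff] != b"PE\x00\x00" or len(data) < coff + COFF_HEADER_SIZE:
        raise ValueError("not a PE file: no PE signature at e_lfanew")
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)   # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)      # SizeOfOptionalHeader
    table = coff + COFF_HEADER_SIZE + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        hdr = data[off:off + SECTION_HEADER_SIZE]
        if len(hdr) < SECTION_HEADER_SIZE:
            raise ValueError("section table truncated")
        name = hdr[:8].rstrip(b"\x00").decode("ascii", "replace")
        virt_size, _virt_addr, raw_size, raw_ptr = struct.unpack_from("<IIII", hdr, 8)
        sections.append({"name": name, "virtual_size": virt_size,
                         "raw_size": raw_size, "raw_ptr": raw_ptr})
    return sections


def upx_verdict(sections):
    """Return (verdict, reason).

    'upx'             : a section named UPX* is present (what the sandbox keys on).
    'possible-packed' : no UPX name, but the first section has no raw data and a
                        large VirtualSize, the usual footprint of the unpack
                        destination (UPX0) when a stub's names were renamed.
                        Some toolchains emit an uninitialised first section too,
                        so treat this as a triage hint, not a verdict.
    'clean'           : neither indicator.
    """
    names = [s["name"] for s in sections]
    if any(n.upper().startswith("UPX") for n in names):
        return "upx", "section names " + ", ".join(names)
    first = sections[0] if sections else None
    if first and first["raw_size"] == 0 and first["virtual_size"] > 0:
        return "possible-packed", (f"first section {first['name']!r} has VirtualSize "
                                   f"0x{first['virtual_size']:x} but no raw data")
    return "clean", "no packer indicators in section table"


def build_minimal_pe(sections):
    """Constructed fixture: PE headers only, never an executable image.

    `sections` is a list of (name, virtual_size, raw_size) tuples.
    """
    e_lfanew = 0x80
    opt_size = 0xE0                      # PE32 optional header size
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table = b""
    raw_ptr = e_lfanew + 4 + COFF_HEADER_SIZE + opt_size + SECTION_HEADER_SIZE * len(sections)
    for name, virt_size, raw_size in sections:
        hdr = name.encode("ascii")[:8].ljust(8, b"\x00")
        hdr += struct.pack("<IIII", virt_size, 0x1000, raw_size, raw_ptr if raw_size else 0)
        table += hdr.ljust(SECTION_HEADER_SIZE, b"\x00")
        raw_ptr += raw_size
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt_size) + table


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            verdict, why = upx_verdict(parse_sections(fh.read()))
        print(f"{path}: {verdict} ({why})")
```

A name match is strong evidence that the file is UPX packed and that upx -d will usually unpack it; the absence of a match is weak evidence of the opposite, since section names are eight free bytes that any packer or operator can rewrite.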

Analysis: behavioral1

Detonation Overview

Submitted

2023-02-09 19:41

Reported

2023-02-09 19:43

Platform

win7-20220901-en

Max time kernel

125s

Max time network

53s

Command Line

"C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe"

Signatures

SystemBC

trojan systembc

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation C:\ProgramData\fbftbu\tivmkbf.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\fbftbu\tivmkbf.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\tivmkbf.job C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe N/A
File opened for modification C:\Windows\Tasks\tivmkbf.job C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1996 wrote to memory of 1476 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\fbftbu\tivmkbf.exe
PID 1996 wrote to memory of 1476 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\fbftbu\tivmkbf.exe
PID 1996 wrote to memory of 1476 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\fbftbu\tivmkbf.exe
PID 1996 wrote to memory of 1476 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\fbftbu\tivmkbf.exe

Processes

C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe

"C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {9F2E5836-C30E-4689-A75E-B31E53FC36B4} S-1-5-21-4063495947-34355257-727531523-1000:RYNKSFQE\Admin:Interactive:[1]

C:\ProgramData\fbftbu\tivmkbf.exe

C:\ProgramData\fbftbu\tivmkbf.exe start2
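Read together with the file events earlier in this run, the three process records above are the persistence chain the report attributes to SystemBC: the sample writes a copy of itself to C:\ProgramData\fbftbu\tivmkbf.exe (same SHA256 as the sample), writes a legacy tivmkbf.job file under C:\Windows\Tasks, and taskeng.exe then launches the copy with the argument start2. The Python below is an added example, not code from this report or from any sandbox, showing how a detection would correlate those events in Sysmon-style telemetry. The event dicts are constructed: the first four mirror this run's PIDs, images and paths (the explorer.exe parent is assumed), the last two are invented benign controls, and the allowlist of legitimate .job writers and the rule names are my own assumptions. It also assumes events arrive in order, so the .job write is seen before the task fires.

```python
import ntpath
import re

# Constructed Sysmon-style events (EventID 1 = process create, 11 = file create).
# Records 1-4 mirror the behavioral1 run of this report; 5-6 are invented benign
# controls: the Schedule service writing an at.exe job, and an ordinary updater.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1268, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": SAMPLE, "CommandLine": f'"{SAMPLE}"'},
    {"EventID": 11, "ProcessId": 1268, "Image": SAMPLE,
     "TargetFilename": r"C:\ProgramData\fbftbu\tivmkbf.exe"},
    {"EventID": 11, "ProcessId": 1268, "Image": SAMPLE,
     "TargetFilename": r"C:\Windows\Tasks\tivmkbf.job"},
    {"EventID": 1, "ProcessId": 1476, "ParentImage": r"C:\Windows\system32\taskeng.exe",
     "Image": r"C:\ProgramData\fbftbu\tivmkbf.exe",
     "CommandLine": r"C:\ProgramData\fbftbu\tivmkbf.exe start2"},
    {"EventID": 11, "ProcessId": 804, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Tasks\At1.job"},
    {"EventID": 1, "ProcessId": 5120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\ProgramData\Vendor\updater.exe",
     "CommandLine": r"C:\ProgramData\Vendor\updater.exe /check"},
]

JOB_FILE = re.compile(r"^C:\\Windows\\Tasks\\([^\\]+)\.job$", re.IGNORECASE)
# One directory below ProgramData, matching the <random>\<random>.exe layout seen here.
PROGRAMDATA_EXE = re.compile(r"^C:\\ProgramData\\[^\\]+\\([^\\]+)\.exe$", re.IGNORECASE)
# Assumed allowlist: the Task Scheduler service host and its client tools.
JOB_WRITERS = {"svchost.exe", "at.exe", "schtasks.exe", "mmc.exe"}


def detect_systembc_persistence(events):
    """Return findings for the .job-plus-ProgramData-copy chain.

    Rule A: a .job file under C:\\Windows\\Tasks written by anything other than
            the scheduler service or its client tools.
    Rule B: an EXE one directory below C:\\ProgramData launched with the
            observed 'start2' argument, or launched by taskeng.exe with a
            basename that matches a .job file recorded under Rule A.
    """
    findings = []
    jobs = {}  # job basename -> PID that wrote it (filled by Rule A)
    for ev in events:
        if ev["EventID"] == 11:
            m = JOB_FILE.match(ev["TargetFilename"])
            if m and ntpath.basename(ev["Image"]).lower() not in JOB_WRITERS:
                jobs[m.group(1).lower()] = ev["ProcessId"]
                findings.append({"rule": "job_file_from_user_process",
                                 "pid": ev["ProcessId"], "path": ev["TargetFilename"]})
        elif ev["EventID"] == 1:
            m = PROGRAMDATA_EXE.match(ev["Image"])
            if not m:
                continue
            base = m.group(1).lower()
            has_start2 = ev["CommandLine"].lower().rstrip().endswith(" start2")
            from_scheduler = ntpath.basename(ev["ParentImage"]).lower() == "taskeng.exe"
            if has_start2 or (from_scheduler and base in jobs):
                findings.append({"rule": "programdata_copy_launched",
                                 "pid": ev["ProcessId"], "image": ev["Image"],
                                 "via_job": base in jobs, "dropper_pid": jobs.get(base)})
    return findings


if __name__ == "__main__":
    for finding in detect_systembc_persistence(SAMPLE_EVENTS):
        print(finding)
```

Legacy .job files under C:\Windows\Tasks are normally written only through the Task Scheduler service, so a user-launched binary creating one is worth an alert on its own; the shared basename (tivmkbf.job and tivmkbf.exe here, wxbg.job and wxbg.exe in behavioral2) is what ties the task to its payload. The start2 argument is simply what both detonations in this report show on the command line, not a documented switch, so Rule B does not depend on it alone.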

Network

Country Destination Domain Proto
RU 62.204.41.4:80 tcp

Files

memory/1268-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

memory/1268-55-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1268-56-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1268-57-0x00000000722A1000-0x00000000722A3000-memory.dmp

memory/1268-58-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1268-59-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1268-60-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1268-61-0x0000000002160000-0x0000000002168000-memory.dmp

C:\ProgramData\fbftbu\tivmkbf.exe

MD5 42355af7e650564732d94c7b60d0cfcb
SHA1 57463c359b84421c21d4a8b4a0641164ee49d5d7
SHA256 d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a
SHA512 ca3bc88d37a07e00c34c24386fac1768b30e74bcd136a1d164d0718c99ce3f5fd7c9cccb409f5c8dee6591a3fc710c8040faa0c90a31e742ff8c51a320ddb3df

memory/1476-63-0x0000000000000000-mapping.dmp

memory/1476-66-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1476-67-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1476-71-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1268-72-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1476-73-0x0000000000400000-0x0000000000471000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-02-09 19:41

Reported

2023-02-09 19:44

Platform

win10v2004-20220812-en

Max time kernel

151s

Max time network

165s

Command Line

"C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe"

Signatures

SystemBC

trojan systembc

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\nceaa\wxbg.exe N/A
N/A N/A C:\ProgramData\nceaa\wxbg.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\wxbg.job C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe N/A
File opened for modification C:\Windows\Tasks\wxbg.job C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe

"C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe"

C:\ProgramData\nceaa\wxbg.exe

C:\ProgramData\nceaa\wxbg.exe start2

C:\ProgramData\nceaa\wxbg.exe

C:\ProgramData\nceaa\wxbg.exe start2

Network

Country Destination Domain Proto
US 117.18.237.29:80 tcp
US 117.18.232.200:443 tcp
N/A 224.0.0.251:5353 udp
US 52.182.141.63:443 tcp
US 93.184.221.240:80 tcp
US 8.247.210.126:80 tcp
US 93.184.221.240:80 tcp
US 204.79.197.200:443 tcp
US 8.8.8.8:53 164.2.77.40.in-addr.arpa udp
US 8.8.8.8:53 226.101.242.52.in-addr.arpa udp
US 8.8.8.8:53 0.e.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.4.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa udp
US 104.18.32.68:80 tcp

Files

memory/3444-132-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3444-133-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3444-134-0x00000000007B0000-0x00000000007B8000-memory.dmp

memory/3444-135-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3444-136-0x00000000007B0000-0x00000000007B8000-memory.dmp

C:\ProgramData\nceaa\wxbg.exe

MD5 42355af7e650564732d94c7b60d0cfcb
SHA1 57463c359b84421c21d4a8b4a0641164ee49d5d7
SHA256 d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a
SHA512 ca3bc88d37a07e00c34c24386fac1768b30e74bcd136a1d164d0718c99ce3f5fd7c9cccb409f5c8dee6591a3fc710c8040faa0c90a31e742ff8c51a320ddb3df

memory/4792-139-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4792-140-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4792-141-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3444-142-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4792-143-0x0000000000400000-0x0000000000471000-memory.dmp

memory/60-145-0x0000000000400000-0x0000000000471000-memory.dmp