Malware Analysis Report

2025-05-05 23:59

Sample ID 230209-yemyyaac63
Target D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe
SHA256 d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a
Tags upx systembc discovery trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a

Threat Level: Known bad

The file D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe was found to be: Known bad.

Malicious Activity Summary

upx systembc discovery trojan

SystemBC

UPX packed file

Checks computer location settings

Executes dropped EXE

Checks installed software on the system

Drops file in Windows directory

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-02-09 19:42

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
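
The static "UPX packed file" hit above records no indicator, so it is worth knowing what such a signature is keyed on. The following is an added example, not part of the report or of the sandbox's own signature code: a dependency-free parser for the PE section table that reports the three indicators analysts combine, the UPX0/UPX1 section names, the "UPX!" pack-header magic that UPX writes just after the section table, and per-section entropy as the fallback when someone has renamed the sections. The PE images it runs on are constructed in build_fake_pe() and are not the sample from this report; the 7.0 bits/byte entropy threshold and the 64-byte gap reserved for the pack header are assumptions of the example.

```python
"""Added example (not from the report): what a 'UPX packed file' signature is keyed on.
Constructed PE images only; the real sample is not embedded here."""
import math
import random
import struct
from collections import Counter

PE_SIG_OFFSET = 0x3C        # e_lfanew lives here in the DOS header
COFF_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40


def parse_sections(data: bytes) -> list[dict]:
    """Return name, raw offset and raw size of every section in a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", data, PE_SIG_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)   # SizeOfOptionalHeader
    table = coff + COFF_HEADER_SIZE + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].split(b"\0", 1)[0].decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        sections.append({"name": name, "raw_ptr": raw_ptr, "raw_size": raw_size})
    return sections


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def upx_indicators(data: bytes) -> dict:
    sections = parse_sections(data)
    names = [s["name"] for s in sections]
    # Header region = everything before the first section that has raw data;
    # UPX places its "UPX!" pack header there, right after the section table.
    data_start = min((s["raw_ptr"] for s in sections if s["raw_size"]), default=len(data))
    ent = {s["name"]: entropy(data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]]) for s in sections}
    return {
        "section_names": names,
        "upx_section_names": "UPX0" in names and "UPX1" in names,
        "upx_magic_in_header": b"UPX!" in data[:data_start],
        "entropy": ent,
        # Assumed threshold: a section holding a compressed image sits near 8 bits/byte,
        # so this still fires when the section names have been edited to hide UPX.
        "high_entropy_sections": [n for n, e in ent.items() if e > 7.0],
    }


def looks_upx_packed(data: bytes) -> bool:
    ind = upx_indicators(data)
    return ind["upx_section_names"] or ind["upx_magic_in_header"]


def build_fake_pe(sections: list[tuple[str, bytes]], upx_magic: bool) -> bytes:
    """Construct a minimal, non-runnable PE image (constructed test input)."""
    opt_size, e_lfanew, pad = 0xE0, 0x40, 64          # PE32 optional header size; room for "UPX!"
    hdr_len = e_lfanew + 4 + COFF_HEADER_SIZE + opt_size + SECTION_HEADER_SIZE * len(sections)
    data_start = hdr_len + pad
    hdr = bytearray(b"MZ" + b"\0" * (PE_SIG_OFFSET - 2)) + struct.pack("<I", e_lfanew)
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    hdr += b"\0" * opt_size
    body = bytearray()
    for name, raw in sections:
        ptr = data_start + len(body) if raw else 0
        hdr += name.encode().ljust(8, b"\0")
        hdr += struct.pack("<IIIIIIHHI", len(raw), 0, len(raw), ptr, 0, 0, 0, 0, 0)
        body += raw
    tail = bytearray(pad)
    if upx_magic:
        tail[:4] = b"UPX!"
    return bytes(hdr + tail + body)


# Constructed inputs: deterministic pseudo-random bytes stand in for a compressed image.
_rng = random.Random(1)
RANDOM_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))
PACKED_SAMPLE = build_fake_pe([("UPX0", b""), ("UPX1", RANDOM_LIKE), (".rsrc", b"\0" * 512)], upx_magic=True)
CLEAN_SAMPLE = build_fake_pe([(".text", b"\x90" * 4096), (".data", b"\0" * 1024)], upx_magic=False)
RENAMED_SAMPLE = build_fake_pe([(".text", b""), (".data", RANDOM_LIKE)], upx_magic=False)  # names edited, magic stripped

if __name__ == "__main__":
    for label, img in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE), ("renamed", RENAMED_SAMPLE)):
        print(label, looks_upx_packed(img), upx_indicators(img)["high_entropy_sections"])
```

The renamed image is the caveat: with the section names edited and the magic stripped, looks_upx_packed() returns False and only the entropy fallback still points at the compressed section, which is why a name-only signature such as the one above should be read as "UPX was not hidden", not as proof that an unflagged file is unpacked.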

Analysis: behavioral1

Detonation Overview

Submitted 2023-02-09 19:42
Reported 2023-02-09 19:45
Platform win7-20221111-en
Max time kernel 141s
Max time network 31s

Command Line

"C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe"

Signatures

SystemBC

trojan systembc

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation C:\ProgramData\nhshc\icsadgk.exe N/A

Both the submitted file and its dropped copy read the current user's Geo\Nation value, the country code set in Region settings. Reads of this key are commonly used to gate execution by locale; the report records only the read, not what the sample does with the value.

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\nhshc\icsadgk.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (6 matches, no indicator details recorded)

Checks installed software on the system

discovery

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\icsadgk.job C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe N/A
File opened for modification C:\Windows\Tasks\icsadgk.job C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe N/A

C:\Windows\Tasks\*.job is the legacy (AT-style) scheduled-task store, and the .job file is written directly by the sample process rather than through the Task Scheduler service. The job name matches the dropped copy (icsadgk.exe), and the Processes list below shows the Task Scheduler engine (taskeng.exe) launching that copy with the argument start2, so this .job file is the persistence mechanism.

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 668 wrote to memory of 1104 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\nhshc\icsadgk.exe (4 identical events)

PID 668 is taskeng.exe, the Windows 7 Task Scheduler engine, and PID 1104 is the dropped copy it launched. A parent writing into a child it has just created is part of normal process start-up, so these events confirm that the scheduled job fired; they are not evidence of code injection by the sample.

Processes

C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe

"C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {D8796D4B-D062-4775-8E5C-D02BCE3D3152} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1]

C:\ProgramData\nhshc\icsadgk.exe

C:\ProgramData\nhshc\icsadgk.exe start2
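
The process list above, together with the "Drops file in Windows directory" and "Executes dropped EXE" signatures, gives the whole persistence chain of this run: self-copy into C:\ProgramData\<dir>\<name>.exe, a .job file written straight into C:\Windows\Tasks, and the Task Scheduler engine launching the copy with the argument start2. The following is an added example, not code from the report or from the sandbox: detection logic for that chain, run over constructed process-creation and file-creation events in the shape a Sysmon- or EDR-style feed would deliver. The paths, PIDs, the SHA256 and the start2 argument are taken from this report; the event schema, the explorer.exe parent of the first process, the allow-list of legitimate .job writers and the "one directory level under ProgramData" pattern are assumptions of the example.

```python
"""Added example (not from the report): detection rules for the behavioral1 persistence
chain, evaluated over constructed events that mirror the report's process/file listing."""
import re

# SHA256 of the submitted sample; the dropped copy in C:\ProgramData carries the same hash.
KNOWN_BAD_SHA256 = {"d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a"}

# C:\Windows\Tasks\*.job is the legacy (AT-style) scheduled-task store.
JOB_FILE = re.compile(r"^c:\\windows\\tasks\\[^\\]+\.job$", re.I)
# Assumption: only the Schedule service host and at.exe should create .job files.
JOB_WRITERS_OK = re.compile(r"^c:\\windows\\system32\\(svchost|at)\.exe$", re.I)
# Assumption: <dir>\<name>.exe directly under ProgramData, the layout seen in the report.
PROGRAMDATA_EXE = re.compile(r"^c:\\programdata\\[^\\]+\\[^\\]+\.exe$", re.I)
# taskeng.exe is the Win7 task engine; on Win10 the Schedule service (svchost) launches tasks itself.
SCHEDULER = re.compile(r"^c:\\windows\\system32\\(taskeng|svchost)\.exe$", re.I)


def detect(events):
    """Return one alert dict per rule hit. Events are consumed in order so that a later
    process launch can be correlated with an earlier file write of the same path."""
    alerts = []
    dropped = {}  # lowercase path -> sha256 (or None) of every file written so far
    for ev in events:
        if ev["type"] == "file_create":
            path = ev["path"]
            dropped[path.lower()] = ev.get("sha256")
            if JOB_FILE.match(path) and not JOB_WRITERS_OK.match(ev["image"]):
                alerts.append({"rule": "job_file_written_by_non_scheduler", "pid": ev["pid"], "path": path})
            if ev.get("sha256") in KNOWN_BAD_SHA256:
                alerts.append({"rule": "known_bad_hash_written", "pid": ev["pid"], "path": path})
        elif ev["type"] == "process_create":
            image, cmdline, parent = ev["image"], ev["cmdline"], ev["parent_image"]
            if image.lower() in dropped:
                alerts.append({"rule": "executes_dropped_exe", "pid": ev["pid"], "path": image})
            if PROGRAMDATA_EXE.match(image):
                if cmdline.rstrip().lower().endswith(" start2"):
                    alerts.append({"rule": "programdata_exe_start2", "pid": ev["pid"], "path": image})
                if SCHEDULER.match(parent):
                    alerts.append({"rule": "scheduler_launched_programdata_exe", "pid": ev["pid"], "path": image})
    return alerts


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe"
DROPPED = r"C:\ProgramData\nhshc\icsadgk.exe"

# Constructed from the behavioral1 listing; the explorer.exe parent is assumed (not in the report).
BEHAVIORAL1_EVENTS = [
    {"type": "process_create", "pid": 1776, "image": SAMPLE, "cmdline": f'"{SAMPLE}"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "file_create", "pid": 1776, "image": SAMPLE, "path": DROPPED,
     "sha256": "d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a"},
    {"type": "file_create", "pid": 1776, "image": SAMPLE, "path": r"C:\Windows\Tasks\icsadgk.job"},
    {"type": "process_create", "pid": 1104, "image": DROPPED, "cmdline": DROPPED + " start2",
     "parent_image": r"C:\Windows\system32\taskeng.exe"},
]

# Constructed benign activity that must not fire: the Schedule service writing a job file,
# and a vendor updater living under ProgramData launched by the user.
BENIGN_EVENTS = [
    {"type": "file_create", "pid": 668, "image": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Windows\Tasks\At1.job"},
    {"type": "process_create", "pid": 2000, "image": r"C:\ProgramData\Vendor\updater.exe",
     "cmdline": r'"C:\ProgramData\Vendor\updater.exe" /check', "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for a in detect(BEHAVIORAL1_EVENTS):
        print(a["rule"], a["pid"], a["path"])
    print("benign:", detect(BENIGN_EVENTS))
```

Run stand-alone, the sample chain produces five alerts (the job-file write, the known-bad hash, and three on the start2 launch) and the benign events none. The hash rule is the least durable of the five, since a rebuilt sample changes it; the .job write by a non-scheduler process and a ProgramData executable started by the scheduler with a bare start2 argument survive repacking.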

Network

N/A

Files

memory/1776-54-0x00000000753F1000-0x00000000753F3000-memory.dmp

memory/1776-55-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1776-56-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1776-57-0x0000000072481000-0x0000000072483000-memory.dmp

memory/1776-58-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1776-59-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/1776-60-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1776-61-0x0000000002090000-0x0000000002098000-memory.dmp

C:\ProgramData\nhshc\icsadgk.exe

MD5 42355af7e650564732d94c7b60d0cfcb
SHA1 57463c359b84421c21d4a8b4a0641164ee49d5d7
SHA256 d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a
SHA512 ca3bc88d37a07e00c34c24386fac1768b30e74bcd136a1d164d0718c99ce3f5fd7c9cccb409f5c8dee6591a3fc710c8040faa0c90a31e742ff8c51a320ddb3df

These hashes are identical to the submitted sample's: the dropper copies itself byte-for-byte into a run-specific ProgramData subdirectory (nhshc here, csrdrr in behavioral2) rather than writing a distinct payload to disk. Hash-based blocking of the dropped file therefore adds nothing beyond blocking the sample itself.

memory/1104-63-0x0000000000000000-mapping.dmp

memory/1104-66-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1104-67-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1104-71-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1776-72-0x0000000000400000-0x0000000000471000-memory.dmp

memory/1104-73-0x0000000000400000-0x0000000000471000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2023-02-09 19:42
Reported 2023-02-09 19:46
Platform win10v2004-20221111-en
Max time kernel 200s
Max time network 204s

Command Line

"C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe"

Signatures

SystemBC

trojan systembc

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\csrdrr\uxxqmep.exe N/A
N/A N/A C:\ProgramData\csrdrr\uxxqmep.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (8 matches, no indicator details recorded)

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\uxxqmep.job C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe N/A
File opened for modification C:\Windows\Tasks\uxxqmep.job C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe

"C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe"

C:\ProgramData\csrdrr\uxxqmep.exe

C:\ProgramData\csrdrr\uxxqmep.exe start2

C:\ProgramData\csrdrr\uxxqmep.exe

C:\ProgramData\csrdrr\uxxqmep.exe start2

The dropped copy runs twice with the same start2 argument. No taskeng.exe appears in this run because Windows 10 launches scheduled tasks from the Schedule service host (svchost.exe) rather than through a separate engine process; the parent of these two instances is not recorded in the report.

Network

Country Destination Domain Proto
US 93.184.220.29:80 tcp
NL 104.80.225.205:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
N/A 224.0.0.251:5353 udp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 97.97.242.52.in-addr.arpa udp

None of these flows is tied to a sample process in the report, and the Domain column is empty apart from one reverse (PTR) lookup. 224.0.0.251:5353 is mDNS multicast and the rest are plain HTTP/HTTPS and DNS, all consistent with OS background traffic on the Windows 10 image. Treat the run as having produced no confirmed C2 indicator; behavioral1 recorded no network activity at all.

Files

memory/3472-132-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3472-133-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3472-134-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3472-135-0x0000000000B40000-0x0000000000B48000-memory.dmp

C:\ProgramData\csrdrr\uxxqmep.exe

MD5 42355af7e650564732d94c7b60d0cfcb
SHA1 57463c359b84421c21d4a8b4a0641164ee49d5d7
SHA256 d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a
SHA512 ca3bc88d37a07e00c34c24386fac1768b30e74bcd136a1d164d0718c99ce3f5fd7c9cccb409f5c8dee6591a3fc710c8040faa0c90a31e742ff8c51a320ddb3df

Same hashes as the submitted sample: as in behavioral1, the dropped file is a byte-for-byte self-copy under a run-specific directory name.

memory/4172-138-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4172-139-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4172-140-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3472-141-0x0000000000400000-0x0000000000471000-memory.dmp

memory/4172-142-0x0000000000400000-0x0000000000471000-memory.dmp

memory/3452-144-0x0000000000400000-0x0000000000471000-memory.dmp