systembc | 7d63d4958a0b5973b9f5c788e694f4efd4e4ea5354eb4db8b14f9370678584ce

General

Target

Quo_mox niquo niquopen quilo bom lekavasi.exe
Size

187.6MB
MD5

2e1d87536ff37b0c99eed77d1238f091
SHA1

6b0bfd18069d0074c9b8e33584c81e8a7af4edd3
SHA256

7d63d4958a0b5973b9f5c788e694f4efd4e4ea5354eb4db8b14f9370678584ce
SHA512

d1666a79007063804b2cb2ae4d6ace6f2059478d11893a8902989a417a9fac9fd693fd13cf60d17baa5bea87c2871d5f6f5c591e1d8b3fe69dbff44ab9f98522
SSDEEP

24576:v5ar505yClYM/gCHWxXDPy0cphuST/3PW1ucqqwje973dxu0yLCiXt9jTWcq/:v5ariy4YMexJZw/Iucdp3IbXtFT

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

45.147.197.24:4001

80.89.234.122:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Quo_mox niquo niquopen quilo bom lekavasi.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	Quo_mox niquo niquopen quilo bom lekavasi.exe

Executes dropped EXE 1 IoCs

Processes:

Quo_mox niquo niquopen quilo bom lekavasi.exe

pid process

1940 Quo_mox niquo niquopen quilo bom lekavasi.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Quo_mox niquo niquopen quilo bom lekavasi.exe

description pid process target process

PID 1940 set thread context of 1132 1940 Quo_mox niquo niquopen quilo bom lekavasi.exe ngentask.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2288 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1112 PING.EXE

pid	process
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe

description	pid	process	target process
PID 1940 set thread context of 1132	1940	Quo_mox niquo niquopen quilo bom lekavasi.exe	ngentask.exe

pid	process
2288	schtasks.exe

pid	process
1112	PING.EXE

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

Quo_mox niquo niquopen quilo bom lekavasi.exeQuo_mox niquo niquopen quilo bom lekavasi.exe

pid	process
4168	Quo_mox niquo niquopen quilo bom lekavasi.exe
4168	Quo_mox niquo niquopen quilo bom lekavasi.exe
4168	Quo_mox niquo niquopen quilo bom lekavasi.exe
4168	Quo_mox niquo niquopen quilo bom lekavasi.exe
4168	Quo_mox niquo niquopen quilo bom lekavasi.exe
4168	Quo_mox niquo niquopen quilo bom lekavasi.exe
4168	Quo_mox niquo niquopen quilo bom lekavasi.exe
4168	Quo_mox niquo niquopen quilo bom lekavasi.exe
4168	Quo_mox niquo niquopen quilo bom lekavasi.exe
4168	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe
1940	Quo_mox niquo niquopen quilo bom lekavasi.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

Quo_mox niquo niquopen quilo bom lekavasi.execmd.exeQuo_mox niquo niquopen quilo bom lekavasi.exe

description	pid	process	target process
PID 4168 wrote to memory of 2288	4168	Quo_mox niquo niquopen quilo bom lekavasi.exe	schtasks.exe
PID 4168 wrote to memory of 2288	4168	Quo_mox niquo niquopen quilo bom lekavasi.exe	schtasks.exe
PID 4168 wrote to memory of 2288	4168	Quo_mox niquo niquopen quilo bom lekavasi.exe	schtasks.exe
PID 4168 wrote to memory of 1940	4168	Quo_mox niquo niquopen quilo bom lekavasi.exe	Quo_mox niquo niquopen quilo bom lekavasi.exe
PID 4168 wrote to memory of 1940	4168	Quo_mox niquo niquopen quilo bom lekavasi.exe	Quo_mox niquo niquopen quilo bom lekavasi.exe
PID 4168 wrote to memory of 1940	4168	Quo_mox niquo niquopen quilo bom lekavasi.exe	Quo_mox niquo niquopen quilo bom lekavasi.exe
PID 4168 wrote to memory of 4536	4168	Quo_mox niquo niquopen quilo bom lekavasi.exe	cmd.exe
PID 4168 wrote to memory of 4536	4168	Quo_mox niquo niquopen quilo bom lekavasi.exe	cmd.exe
PID 4168 wrote to memory of 4536	4168	Quo_mox niquo niquopen quilo bom lekavasi.exe	cmd.exe
PID 4536 wrote to memory of 1744	4536	cmd.exe	chcp.com
PID 4536 wrote to memory of 1744	4536	cmd.exe	chcp.com
PID 4536 wrote to memory of 1744	4536	cmd.exe	chcp.com
PID 4536 wrote to memory of 1112	4536	cmd.exe	PING.EXE
PID 4536 wrote to memory of 1112	4536	cmd.exe	PING.EXE
PID 4536 wrote to memory of 1112	4536	cmd.exe	PING.EXE
PID 1940 wrote to memory of 2076	1940	Quo_mox niquo niquopen quilo bom lekavasi.exe	ngentask.exe
PID 1940 wrote to memory of 2076	1940	Quo_mox niquo niquopen quilo bom lekavasi.exe	ngentask.exe
PID 1940 wrote to memory of 2076	1940	Quo_mox niquo niquopen quilo bom lekavasi.exe	ngentask.exe
PID 1940 wrote to memory of 1132	1940	Quo_mox niquo niquopen quilo bom lekavasi.exe	ngentask.exe
PID 1940 wrote to memory of 1132	1940	Quo_mox niquo niquopen quilo bom lekavasi.exe	ngentask.exe
PID 1940 wrote to memory of 1132	1940	Quo_mox niquo niquopen quilo bom lekavasi.exe	ngentask.exe
PID 1940 wrote to memory of 1132	1940	Quo_mox niquo niquopen quilo bom lekavasi.exe	ngentask.exe
PID 1940 wrote to memory of 1132	1940	Quo_mox niquo niquopen quilo bom lekavasi.exe	ngentask.exe

C:\Users\Admin\AppData\Local\Temp\Quo_mox niquo niquopen quilo bom lekavasi.exe
"C:\Users\Admin\AppData\Local\Temp\Quo_mox niquo niquopen quilo bom lekavasi.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4168

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\mexo xamahaxi tetoteb\Quo_mox niquo niquopen quilo bom lekavasi.exe"
2⤵
- Creates scheduled task(s)
PID:2288

C:\Users\Admin\mexo xamahaxi tetoteb\Quo_mox niquo niquopen quilo bom lekavasi.exe
"C:\Users\Admin\mexo xamahaxi tetoteb\Quo_mox niquo niquopen quilo bom lekavasi.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1940

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
3⤵
PID:2076

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
3⤵
PID:1132

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Quo_mox niquo niquopen quilo bom lekavasi.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:1744

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1112

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\mexo xamahaxi tetoteb\Quo_mox niquo niquopen quilo bom lekavasi.exe
Filesize
900.1MB

MD5
bb4873ad312aa0be91a762d15173a282

SHA1
990cf3b94da85138fcf1fbcb89a8d5d96dddf7e9

SHA256
2f7b07543c2c59191012bba583857ac4d0537fe18e3f8681ea074218e5804f22

SHA512
99ccc59aaa2e741a5bf043942c615320272f0def883f0f0e384eeb5f5034b8e41070f645d97eb77e3a1fecb52ff31fe39a73a48a9375ffa448c60b1f57b18e5a

Download Submit
C:\Users\Admin\mexo xamahaxi tetoteb\Quo_mox niquo niquopen quilo bom lekavasi.exe
Filesize
722.6MB

MD5
7c9188777da37dde8f82f99eb2510634

SHA1
59f510ce7fa9af55a6e7f28328070b63fd3c3733

SHA256
0a432f94bb2deb8ab1b5db0e4009fa894dd018e1d23183faacfae8792eb72b0a

SHA512
6780c12336a6c40253a392f9dcc8e17ca52bfa06ec5d33c7ccc006d1aedb9f3f2e62c6671893401dd8131fb7211e182feb987869cbf4e0b57e581c6bcc08e9f8

Download Submit
C:\Users\Admin\mexo xamahaxi tetoteb\Quo_mox niquo niquopen quilo bom lekavasi.exe
Filesize
707.1MB

MD5
73c758dc2fdf3df761c688931bf933ba

SHA1
7d0bdcd3acfeca06c088f181533af4d4eeae8936

SHA256
770cec5336126625b847678ef6ad109d4fffd2ec1463acfd063ab6c570225305

SHA512
85f69a777119097e5a072abead29eafda69b0e96b7b15b13bbb0adfb02ab02d35f1b2135d0ddc357478b7d44a5fb6e84b762b4f6de181341cb3cd7c32187121e

Download Submit
memory/1132-147-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1132-149-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1132-150-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1940-145-0x0000000010200000-0x0000000010266000-memory.dmp

Filesize
408KB

Download
memory/1940-146-0x0000000002A90000-0x0000000002BD9000-memory.dmp

Filesize
1.3MB

Download
memory/1940-151-0x0000000002A90000-0x0000000002BD9000-memory.dmp

Filesize
1.3MB

Download
memory/4168-133-0x0000000002660000-0x00000000027A9000-memory.dmp

Filesize
1.3MB

Download
memory/4168-140-0x0000000002660000-0x00000000027A9000-memory.dmp

Filesize
1.3MB

Download
memory/4168-144-0x0000000002660000-0x00000000027A9000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads