systembc | 38227cba098cf881b7ccb7cbce2228ac0aa4577894167cc6bbbfb5f3ca4cd846

Resubmissions

03-08-2023 23:48

230803-3tkvcahg2z 10

25-06-2022 21:01

220625-zt7sbseab3 10

Analysis

max time kernel
146s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
03-08-2023 23:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38227cba098cf881b7ccb7cbce2228ac0aa4577894167cc6bbbfb5f3ca4cd846.exe
Size

293KB
MD5

0834595393a68716e6af02c86fed22c0
SHA1

a1226559a99cec3fb44ca57f7b5afd063d64f46f
SHA256

38227cba098cf881b7ccb7cbce2228ac0aa4577894167cc6bbbfb5f3ca4cd846
SHA512

8f4bf0615725b59b51b6d462f48aad96a3fb57d72747c587251396ddef0370e5f3615459e4884083f60c88bc12fd7a91d3fbbafced05f8194227bb6ea707acdc
SSDEEP

6144:pftVa3cs0EUsc+w52S2z10iYAtCxALslEtkGxcmRdgyuK/6l8ID4:RuvFUsn02SS/CKLsStnmmRdg18ID4

Score

10^/10

systembc trojan upx

Malware Config

Extracted

Family

systembc

spexblog17.xyz:4044

admstat45.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

xgxn.exe

pid process

7240 xgxn.exe

pid	process
7240	xgxn.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1348-53-0x0000000000400000-0x0000000000670000-memory.dmp	upx
behavioral1/memory/1348-21088-0x0000000000400000-0x0000000000670000-memory.dmp	upx
behavioral1/memory/1348-20307-0x0000000000400000-0x0000000000670000-memory.dmp	upx
behavioral1/memory/1348-28691-0x0000000000400000-0x0000000000670000-memory.dmp	upx
C:\ProgramData\ekabphd\xgxn.exe	upx
C:\ProgramData\ekabphd\xgxn.exe	upx
behavioral1/memory/7240-28701-0x0000000000400000-0x0000000000670000-memory.dmp	upx
behavioral1/memory/7240-28703-0x0000000000400000-0x0000000000670000-memory.dmp	upx

Drops file in System32 directory 1 IoCs

Processes:

38227cba098cf881b7ccb7cbce2228ac0aa4577894167cc6bbbfb5f3ca4cd846.exe

description	ioc	process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	38227cba098cf881b7ccb7cbce2228ac0aa4577894167cc6bbbfb5f3ca4cd846.exe

Drops file in Windows directory 2 IoCs

Processes:

38227cba098cf881b7ccb7cbce2228ac0aa4577894167cc6bbbfb5f3ca4cd846.exe

description	ioc	process
File created	C:\Windows\Tasks\xgxn.job	38227cba098cf881b7ccb7cbce2228ac0aa4577894167cc6bbbfb5f3ca4cd846.exe
File opened for modification	C:\Windows\Tasks\xgxn.job	38227cba098cf881b7ccb7cbce2228ac0aa4577894167cc6bbbfb5f3ca4cd846.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

38227cba098cf881b7ccb7cbce2228ac0aa4577894167cc6bbbfb5f3ca4cd846.exe

pid process

1348 38227cba098cf881b7ccb7cbce2228ac0aa4577894167cc6bbbfb5f3ca4cd846.exe

pid	process
1348	38227cba098cf881b7ccb7cbce2228ac0aa4577894167cc6bbbfb5f3ca4cd846.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 7268 wrote to memory of 7240	7268	taskeng.exe	xgxn.exe
PID 7268 wrote to memory of 7240	7268	taskeng.exe	xgxn.exe
PID 7268 wrote to memory of 7240	7268	taskeng.exe	xgxn.exe
PID 7268 wrote to memory of 7240	7268	taskeng.exe	xgxn.exe

C:\Users\Admin\AppData\Local\Temp\38227cba098cf881b7ccb7cbce2228ac0aa4577894167cc6bbbfb5f3ca4cd846.exe
"C:\Users\Admin\AppData\Local\Temp\38227cba098cf881b7ccb7cbce2228ac0aa4577894167cc6bbbfb5f3ca4cd846.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1348

C:\Windows\system32\taskeng.exe
taskeng.exe {0DB16CDD-5149-44F0-9F01-CCF0A2850D7C} S-1-5-21-2969888527-3102471180-2307688834-1000:YKQDESCX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:7268

C:\ProgramData\ekabphd\xgxn.exe
C:\ProgramData\ekabphd\xgxn.exe start2
2⤵
- Executes dropped EXE
PID:7240

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ekabphd\xgxn.exe
Filesize
293KB

MD5
0834595393a68716e6af02c86fed22c0

SHA1
a1226559a99cec3fb44ca57f7b5afd063d64f46f

SHA256
38227cba098cf881b7ccb7cbce2228ac0aa4577894167cc6bbbfb5f3ca4cd846

SHA512
8f4bf0615725b59b51b6d462f48aad96a3fb57d72747c587251396ddef0370e5f3615459e4884083f60c88bc12fd7a91d3fbbafced05f8194227bb6ea707acdc

Download Submit
C:\ProgramData\ekabphd\xgxn.exe
Filesize
293KB

MD5
0834595393a68716e6af02c86fed22c0

SHA1
a1226559a99cec3fb44ca57f7b5afd063d64f46f

SHA256
38227cba098cf881b7ccb7cbce2228ac0aa4577894167cc6bbbfb5f3ca4cd846

SHA512
8f4bf0615725b59b51b6d462f48aad96a3fb57d72747c587251396ddef0370e5f3615459e4884083f60c88bc12fd7a91d3fbbafced05f8194227bb6ea707acdc

Download Submit
C:\Windows\System32\catroot2\dberr.txt
Filesize
64KB

MD5
428abbb8bea79ec632051abb41c916c2

SHA1
46b9c6693246c421a8ca7a6a4e6bee4eaf962328

SHA256
068eb41108d27aca7741530a01180bc15544427fb0b586b7f0308e99585b8a6d

SHA512
7bbe352d54f58d04458a2cf9b243394cb639a797e56f58c3dde8dc52584375871ef24e808706350f83c0c53c85079bd6efc75fe7a103bec674ef29cf2b85afed

Download Submit
C:\Windows\System32\catroot2\dberr.txt
Filesize
116KB

MD5
e1d9fd7fb773d4ee509481ab91064804

SHA1
61972d7fa38f7e2cbde171c775af3f211bc1ae70

SHA256
13548b8a9f456e38c1c74461386ce3b4d5fb81280464a19812a2e4955922f66a

SHA512
458727d7ac6600ef31ee995f811adf17248eba6dd431e7e5a3bed466b4dacf1ab76cd770ef6c5ffd8508c9837b48f5123369fd2e6c5d4643545aa354fc9f49c6

Download Submit
C:\Windows\System32\catroot2\dberr.txt
Filesize
89KB

MD5
4d343ce7f4cb8f55320d6fbdb090a46b

SHA1
a49b9534b40feaceaa9e3c0812286743881b6458

SHA256
5a7b8c5fcb4589641b9576b377251100a92af8109b195ac9f161b59484f5253e

SHA512
3d71b50d9c1f0258d7639b6606e29590728da90001b03307dfc47e5eb38da2b2b74dff4e3b4d9ce54acc0e4f101014acab8b8879bd4cee7a57552403f6e4f8d4

Download Submit
C:\Windows\System32\catroot2\dberr.txt
Filesize
153KB

MD5
aaa39ae5902d59ac7ceb49e958748caf

SHA1
ce59022b160729bb1ff15e8c58811851180bd5af

SHA256
59be9a11d80b871cf906def7dc741743d8d1a7c7f18f9cf75ca182c6f54c8c1b

SHA512
9729d9cb4bbee232a66c0a6338861a12e25d1a2ccc70d66e8986d76d347c068d103300ae3a8495abec8f021bcb9c5a014149dfe09522ac2514fcc6ac20f20f52

Download Submit
C:\Windows\System32\catroot2\dberr.txt
Filesize
64KB

MD5
94c53030528cd1437a3add25c02b2ff4

SHA1
b46637c83d429df1e92965b8efea94ff49f05755

SHA256
29ebc994d8bd9183183e8f2b13befbf28fbaa975c3da44fc05cfbfafcdcef9c5

SHA512
c8ea3336ae5e9b0291e3523ac0b9c313cc35cf121f667737a7979cac548a45221019d6afc8e48e3124832eccd9b4b5ebd494c7d344a67e677883886e210337f9

Download Submit
C:\Windows\System32\catroot2\dberr.txt
Filesize
44KB

MD5
379e518732b708e06e6bec81e819599d

SHA1
b42f53125fb74050d1546116a810bc486674ead9

SHA256
451f837ecd3b71cfeaa89d574dcf8aeeece2f6e8a57c63ad68d5df1dcae5c2d8

SHA512
3faa7a5625e7bcf392ed10fa01ddadcc85dbc1696c6f147db07f86a7b9f23fe4fd4c2e411f489be01ca7c96e99f718952ba70ca29778669084dbe15194ec04dc

Download Submit
C:\Windows\System32\catroot2\dberr.txt
Filesize
187KB

MD5
43c93a151b56d4f5268acb3280f5430b

SHA1
0f9cead0097ea0c373f841b6cedd8e385c4a1e1d

SHA256
640c8b50d0271c97bf3ee0b02ebb69fc51edbfea304fed30a8a595c4b2e5d946

SHA512
97d68c248719a382f4d0bc335ddaffa63d5b0080e9a17cb2aa0b64e57a3645168d742d9797e0ed4c72541f1fa030f0b1f8196e4390fd72170e1dae67bd378771

Download Submit
C:\Windows\System32\catroot2\dberr.txt
Filesize
187KB

MD5
3944c19afd70f7a43ff445bb9d658dd1

SHA1
12876559f9ad769837160ba8b1ac8edea32fcbc2

SHA256
68683ff1a492c70dcb58b2bdd02cd5c1e0ce015ab72760ec6fb09e2fd18dd613

SHA512
0e291eb9d35d1cde3d97cd634fd3aef8f399d3def11f7ad116972da8fcbd50dd7f9ab51081018ec5acae95908c5f7bbc7ce2b41affbb909d11bf91a71ff937f2

Download Submit
C:\Windows\System32\catroot2\dberr.txt
Filesize
184KB

MD5
95a57b31779faaab688e32decc139f97

SHA1
4d925ccc2efa6e03f1db3cab0904d4a6b0b4251e

SHA256
496dbd255f33308f2fe11dec9017a31ab25c58ee705d1fb51cd4e740420c6f3a

SHA512
1252a659f093e780d30e248be263ecbfffed93bf96f22bddfb8c3d874b9a21d6482610890b7e77c27e74efc60324a95348b06467f4431975ea778e5e88f38394

Download Submit
C:\Windows\System32\catroot2\dberr.txt
Filesize
89B

MD5
547ab1aa2e624faf38a482f6503c5457

SHA1
b5c7bc4fb94a003198972bb5433972076553d916

SHA256
a9f37bb909c6725d1b7548ccb11cf10d61756b8956c225670513faf958a7b187

SHA512
0523b7b528084447b6548617d5aa77548479c095ed3d3016d4d98e20be9bdcbc7b03a125da20b630d9b6b9b5b00f65c0efba6541be908c3d85b29554880d7423

Download Submit
C:\Windows\System32\catroot2\dberr.txt
Filesize
186KB

MD5
99f61ceaa773ac2af039f532e218a1e1

SHA1
645240dc2f56c9eab70463eddede62b143fc6eaf

SHA256
0bbf75534165ebeb1645d8f6004c8edb5acb3255cb745f8ce63b3d1dac17f596

SHA512
6671aab73abd4e75a02453244f61ff39661524c4a79460f1b8b09c67ea5c380e67d2486f6223f4ca0424f4f756c51512a2af747361cb930ba213cea54eba55b4

Download Submit
C:\Windows\System32\catroot2\dberr.txt
Filesize
92KB

MD5
0f25e50a3f31e5656044dd1851b6ebb4

SHA1
11259686001638fa65691d812df7d12596d1173f

SHA256
5ed3834d442d735916569abeafdbb84562f95cc6140e2ea7a613e91d94a9ab01

SHA512
b264960e267c9472aeab36bec2351d7d34f4f974e61b96eb1e9e407b9832d57a5f93c1cbc7e3be8373622af703194956599f9cf4e69e1f8d5644b2893d075208

Download Submit
C:\Windows\System32\catroot2\dberr.txt
Filesize
84KB

MD5
a65cf18060886c046fc6b66f904fc067

SHA1
4b180e31840cb371ea4b6616caf34b9eb8fec4d1

SHA256
9d1db1e6cd39e54ceb227fa14b81d6b0b3bfe4585c85db930a5235da73b3da7b

SHA512
35a2e05e167c4b655e18b07bb8850eec67c521bae4188164b8a834cb0921e7062d348c429680451d69cfc78ae229a0600b4071ebb0d574555569c4ae7e16a536

Download Submit
memory/1348-20307-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/1348-28691-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/1348-28692-0x00000000002A0000-0x00000000002B8000-memory.dmp

Filesize
96KB

Download
memory/1348-28693-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/1348-28694-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/1348-28695-0x00000000002A0000-0x00000000002B8000-memory.dmp

Filesize
96KB

Download
memory/1348-53-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/1348-21088-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/7240-28701-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download
memory/7240-28703-0x0000000000400000-0x0000000000670000-memory.dmp

Filesize
2.4MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads