systembc | ca88a597ed2127de7a2cb2f5b3e82d61035e9e2d5714ec5c0ae1659ef1c13df7

Analysis

max time kernel
590s
max time network
600s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gktpohoadkth.exe
Size

429KB
MD5

1508a5d67bf9beb497b97cc5eff91c5e
SHA1

69c93e632d29fda0f093eacdadd434066f307343
SHA256

ca88a597ed2127de7a2cb2f5b3e82d61035e9e2d5714ec5c0ae1659ef1c13df7
SHA512

3e36d4dd681e1950fdac02f48d9e07b1419b5240b007e9595bba6a5ac1c6f3171db495359e7794b40bcd697c50ab4ebd4010a7c95317859ef6ec11d7ce34b06e
SSDEEP

12288:C+6Bg1Wu+6LQxbcjTqCyeC2PMI7uB7RTx:CH6L/IGMOuV

Score

10^/10

systembc discovery persistence trojan

Malware Config

Extracted

Family

systembc

wodresomdaymomentum.org

Attributes

dns
5.132.191.104

ns1.vic.au.dns.opennic.glue

ns2.vic.au.dns.opennic.glue

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

description	pid	Process	procid_target
PID 1840 created 3492	1840	eula.exe	56
PID 5056 created 3492	5056	rmraumc.exe	56
PID 1864 created 3492	1864	rmraumc.exe	56
PID 1676 created 3492	1676	rmraumc.exe	56
PID 1856 created 3492	1856	rmraumc.exe	56
PID 3640 created 3492	3640	rmraumc.exe	56
PID 1452 created 3492	1452	rmraumc.exe	56
PID 1252 created 3492	1252	rmraumc.exe	56
PID 1492 created 3492	1492	rmraumc.exe	56
PID 5032 created 3492	5032	rmraumc.exe	56
PID 3600 created 3492	3600	rmraumc.exe	56

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc

Blocklisted process makes network request 2 IoCs

flow	pid	Process
22	2340	rundll32.exe
23	2340	rundll32.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Gxtuum.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	gktpohoadkth.exe

Executes dropped EXE 33 IoCs

pid	Process
4596	Gxtuum.exe
1840	eula.exe
5100	eula.exe
5056	rmraumc.exe
1224	Gxtuum.exe
3944	rmraumc.exe
2180	Gxtuum.exe
1864	rmraumc.exe
4992	rmraumc.exe
2400	Gxtuum.exe
1676	rmraumc.exe
3332	rmraumc.exe
1828	Gxtuum.exe
1856	rmraumc.exe
4616	rmraumc.exe
4076	Gxtuum.exe
3640	rmraumc.exe
4256	rmraumc.exe
4040	Gxtuum.exe
1452	rmraumc.exe
5092	rmraumc.exe
3740	Gxtuum.exe
1252	rmraumc.exe
408	rmraumc.exe
636	Gxtuum.exe
1492	rmraumc.exe
1864	rmraumc.exe
2540	Gxtuum.exe
5032	rmraumc.exe
3208	rmraumc.exe
244	Gxtuum.exe
3600	rmraumc.exe
1756	rmraumc.exe

Loads dropped DLL 1 IoCs

pid	Process
2340	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\terms.dll = "rundll32 C:\\Users\\Admin\\AppData\\Roaming\\10001340110\\terms.dll, Main"	Gxtuum.exe

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 1840 set thread context of 5100	1840	eula.exe	91
PID 5056 set thread context of 3944	5056	rmraumc.exe	99
PID 1864 set thread context of 4992	1864	rmraumc.exe	102
PID 1676 set thread context of 3332	1676	rmraumc.exe	105
PID 1856 set thread context of 4616	1856	rmraumc.exe	108
PID 3640 set thread context of 4256	3640	rmraumc.exe	111
PID 1452 set thread context of 5092	1452	rmraumc.exe	114
PID 1252 set thread context of 408	1252	rmraumc.exe	117
PID 1492 set thread context of 1864	1492	rmraumc.exe	120
PID 5032 set thread context of 3208	5032	rmraumc.exe	123
PID 3600 set thread context of 1756	3600	rmraumc.exe	126

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Gxtuum.job	gktpohoadkth.exe
File created	C:\Windows\Tasks\Test Task17.job	eula.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eula.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eula.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmraumc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmraumc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmraumc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmraumc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmraumc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gktpohoadkth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmraumc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmraumc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmraumc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmraumc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmraumc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmraumc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmraumc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmraumc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmraumc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmraumc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rmraumc.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
1840	eula.exe
5056	rmraumc.exe
1864	rmraumc.exe
1676	rmraumc.exe
1856	rmraumc.exe
3640	rmraumc.exe
1452	rmraumc.exe
1252	rmraumc.exe
1492	rmraumc.exe
5032	rmraumc.exe
3600	rmraumc.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1840	eula.exe
Token: SeDebugPrivilege	1840	eula.exe
Token: SeDebugPrivilege	5056	rmraumc.exe
Token: SeDebugPrivilege	5056	rmraumc.exe
Token: SeDebugPrivilege	1864	rmraumc.exe
Token: SeDebugPrivilege	1864	rmraumc.exe
Token: SeDebugPrivilege	1676	rmraumc.exe
Token: SeDebugPrivilege	1676	rmraumc.exe
Token: SeDebugPrivilege	1856	rmraumc.exe
Token: SeDebugPrivilege	1856	rmraumc.exe
Token: SeDebugPrivilege	3640	rmraumc.exe
Token: SeDebugPrivilege	3640	rmraumc.exe
Token: SeDebugPrivilege	1452	rmraumc.exe
Token: SeDebugPrivilege	1452	rmraumc.exe
Token: SeDebugPrivilege	1252	rmraumc.exe
Token: SeDebugPrivilege	1252	rmraumc.exe
Token: SeDebugPrivilege	1492	rmraumc.exe
Token: SeDebugPrivilege	1492	rmraumc.exe
Token: SeDebugPrivilege	5032	rmraumc.exe
Token: SeDebugPrivilege	5032	rmraumc.exe
Token: SeDebugPrivilege	3600	rmraumc.exe
Token: SeDebugPrivilege	3600	rmraumc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3484	gktpohoadkth.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 4596	3484	gktpohoadkth.exe	84
PID 3484 wrote to memory of 4596	3484	gktpohoadkth.exe	84
PID 3484 wrote to memory of 4596	3484	gktpohoadkth.exe	84
PID 4596 wrote to memory of 1840	4596	Gxtuum.exe	85
PID 4596 wrote to memory of 1840	4596	Gxtuum.exe	85
PID 4596 wrote to memory of 1840	4596	Gxtuum.exe	85
PID 4596 wrote to memory of 2340	4596	Gxtuum.exe	86
PID 4596 wrote to memory of 2340	4596	Gxtuum.exe	86
PID 4596 wrote to memory of 2340	4596	Gxtuum.exe	86
PID 1840 wrote to memory of 5100	1840	eula.exe	91
PID 1840 wrote to memory of 5100	1840	eula.exe	91
PID 1840 wrote to memory of 5100	1840	eula.exe	91
PID 1840 wrote to memory of 5100	1840	eula.exe	91
PID 1840 wrote to memory of 5100	1840	eula.exe	91
PID 1840 wrote to memory of 5100	1840	eula.exe	91
PID 1840 wrote to memory of 5100	1840	eula.exe	91
PID 1840 wrote to memory of 5100	1840	eula.exe	91
PID 5056 wrote to memory of 3944	5056	rmraumc.exe	99
PID 5056 wrote to memory of 3944	5056	rmraumc.exe	99
PID 5056 wrote to memory of 3944	5056	rmraumc.exe	99
PID 5056 wrote to memory of 3944	5056	rmraumc.exe	99
PID 5056 wrote to memory of 3944	5056	rmraumc.exe	99
PID 5056 wrote to memory of 3944	5056	rmraumc.exe	99
PID 5056 wrote to memory of 3944	5056	rmraumc.exe	99
PID 5056 wrote to memory of 3944	5056	rmraumc.exe	99
PID 1864 wrote to memory of 4992	1864	rmraumc.exe	102
PID 1864 wrote to memory of 4992	1864	rmraumc.exe	102
PID 1864 wrote to memory of 4992	1864	rmraumc.exe	102
PID 1864 wrote to memory of 4992	1864	rmraumc.exe	102
PID 1864 wrote to memory of 4992	1864	rmraumc.exe	102
PID 1864 wrote to memory of 4992	1864	rmraumc.exe	102
PID 1864 wrote to memory of 4992	1864	rmraumc.exe	102
PID 1864 wrote to memory of 4992	1864	rmraumc.exe	102
PID 1676 wrote to memory of 3332	1676	rmraumc.exe	105
PID 1676 wrote to memory of 3332	1676	rmraumc.exe	105
PID 1676 wrote to memory of 3332	1676	rmraumc.exe	105
PID 1676 wrote to memory of 3332	1676	rmraumc.exe	105
PID 1676 wrote to memory of 3332	1676	rmraumc.exe	105
PID 1676 wrote to memory of 3332	1676	rmraumc.exe	105
PID 1676 wrote to memory of 3332	1676	rmraumc.exe	105
PID 1676 wrote to memory of 3332	1676	rmraumc.exe	105
PID 1856 wrote to memory of 4616	1856	rmraumc.exe	108
PID 1856 wrote to memory of 4616	1856	rmraumc.exe	108
PID 1856 wrote to memory of 4616	1856	rmraumc.exe	108
PID 1856 wrote to memory of 4616	1856	rmraumc.exe	108
PID 1856 wrote to memory of 4616	1856	rmraumc.exe	108
PID 1856 wrote to memory of 4616	1856	rmraumc.exe	108
PID 1856 wrote to memory of 4616	1856	rmraumc.exe	108
PID 1856 wrote to memory of 4616	1856	rmraumc.exe	108
PID 3640 wrote to memory of 4256	3640	rmraumc.exe	111
PID 3640 wrote to memory of 4256	3640	rmraumc.exe	111
PID 3640 wrote to memory of 4256	3640	rmraumc.exe	111
PID 3640 wrote to memory of 4256	3640	rmraumc.exe	111
PID 3640 wrote to memory of 4256	3640	rmraumc.exe	111
PID 3640 wrote to memory of 4256	3640	rmraumc.exe	111
PID 3640 wrote to memory of 4256	3640	rmraumc.exe	111
PID 3640 wrote to memory of 4256	3640	rmraumc.exe	111
PID 1452 wrote to memory of 5092	1452	rmraumc.exe	114
PID 1452 wrote to memory of 5092	1452	rmraumc.exe	114
PID 1452 wrote to memory of 5092	1452	rmraumc.exe	114
PID 1452 wrote to memory of 5092	1452	rmraumc.exe	114
PID 1452 wrote to memory of 5092	1452	rmraumc.exe	114
PID 1452 wrote to memory of 5092	1452	rmraumc.exe	114
PID 1452 wrote to memory of 5092	1452	rmraumc.exe	114

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3492
- C:\Users\Admin\AppData\Local\Temp\gktpohoadkth.exe
  "C:\Users\Admin\AppData\Local\Temp\gktpohoadkth.exe"
  2⤵
  - Checks computer location settings
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
    "C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Users\Admin\AppData\Local\Temp\10001330101\eula.exe
      "C:\Users\Admin\AppData\Local\Temp\10001330101\eula.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1840
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\10001340110\terms.dll, Main
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2340
- C:\Users\Admin\AppData\Local\Temp\10001330101\eula.exe
  "C:\Users\Admin\AppData\Local\Temp\10001330101\eula.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:5100
- C:\ProgramData\bfdm\rmraumc.exe
  "C:\ProgramData\bfdm\rmraumc.exe"
  2⤵
  - Executes dropped EXE
  PID:3944
- C:\ProgramData\bfdm\rmraumc.exe
  "C:\ProgramData\bfdm\rmraumc.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4992
- C:\ProgramData\bfdm\rmraumc.exe
  "C:\ProgramData\bfdm\rmraumc.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3332
- C:\ProgramData\bfdm\rmraumc.exe
  "C:\ProgramData\bfdm\rmraumc.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4616
- C:\ProgramData\bfdm\rmraumc.exe
  "C:\ProgramData\bfdm\rmraumc.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4256
- C:\ProgramData\bfdm\rmraumc.exe
  "C:\ProgramData\bfdm\rmraumc.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5092
- C:\ProgramData\bfdm\rmraumc.exe
  "C:\ProgramData\bfdm\rmraumc.exe"
  2⤵
  - Executes dropped EXE
  PID:408
- C:\ProgramData\bfdm\rmraumc.exe
  "C:\ProgramData\bfdm\rmraumc.exe"
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\ProgramData\bfdm\rmraumc.exe
  "C:\ProgramData\bfdm\rmraumc.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3208
- C:\ProgramData\bfdm\rmraumc.exe
  "C:\ProgramData\bfdm\rmraumc.exe"
  2⤵
  - Executes dropped EXE
  PID:1756

C:\ProgramData\bfdm\rmraumc.exe
C:\ProgramData\bfdm\rmraumc.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5056

C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:1224

C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:2180

C:\ProgramData\bfdm\rmraumc.exe
C:\ProgramData\bfdm\rmraumc.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:2400

C:\ProgramData\bfdm\rmraumc.exe
C:\ProgramData\bfdm\rmraumc.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:1828

C:\ProgramData\bfdm\rmraumc.exe
C:\ProgramData\bfdm\rmraumc.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856

C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:4076

C:\ProgramData\bfdm\rmraumc.exe
C:\ProgramData\bfdm\rmraumc.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3640

C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:4040

C:\ProgramData\bfdm\rmraumc.exe
C:\ProgramData\bfdm\rmraumc.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1452

C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:3740

C:\ProgramData\bfdm\rmraumc.exe
C:\ProgramData\bfdm\rmraumc.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:636

C:\ProgramData\bfdm\rmraumc.exe
C:\ProgramData\bfdm\rmraumc.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:2540

C:\ProgramData\bfdm\rmraumc.exe
C:\ProgramData\bfdm\rmraumc.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:244

C:\ProgramData\bfdm\rmraumc.exe
C:\ProgramData\bfdm\rmraumc.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\10001330101\eula.exe

Filesize
2.0MB

MD5
cf14dd806489fb5772ebcea711b535a3

SHA1
064e5c703dd348e7408bbfbc0351467e624eea9b

SHA256
f719bd30d817c69e08d81266a4007c60a8c9ad98ddae27d0fa73f9e530b644ac

SHA512
d409ae1228e64f2d311a07e21f04c6a2eea38730db1178e8214725943a1bda31bf9c47d5eba6ea860403b593b98a8ba7ec42dc183385cf659fa64d18a7abb67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\10001330101\eula.exe

Filesize
1.0MB

MD5
73703d5bb617732c13350e6cc99e6c25

SHA1
c09633d94f419676a89c525ff7044bee3b27edf5

SHA256
e29f810eb7e50e88f466808b49e5068fdef0158c0646c14bada596b4cecdf0e4

SHA512
6e25df2bea7571e94258b4e1beca337caa535ab4abe713602a1e50a39c604d332bb82504615b07da799b1e5435dd117ea178dbce0c03992d2e9da6a60dcebde7

Download Submit
C:\Users\Admin\AppData\Local\Temp\23e3360290\Gxtuum.exe

Filesize
429KB

MD5
1508a5d67bf9beb497b97cc5eff91c5e

SHA1
69c93e632d29fda0f093eacdadd434066f307343

SHA256
ca88a597ed2127de7a2cb2f5b3e82d61035e9e2d5714ec5c0ae1659ef1c13df7

SHA512
3e36d4dd681e1950fdac02f48d9e07b1419b5240b007e9595bba6a5ac1c6f3171db495359e7794b40bcd697c50ab4ebd4010a7c95317859ef6ec11d7ce34b06e

Download Submit
C:\Users\Admin\AppData\Roaming\10001340110\terms.dll

Filesize
27KB

MD5
4dff588e6b10db3454aed96bde5764cd

SHA1
4bb138f3be2afa756ad64aaabf7183936db20304

SHA256
c34dba935e9e13317d2aba4b46c4c602d11658730e6c26c209ff11f2e1dff405

SHA512
2a980b5710a4d3e33b12a5507945358428254abe16ec1ef84a43d9fbb4c3764fe8e356ec9d92d5c8f4b8b3137d8a003e10156f57b328cb47d0d6c7791b33b410

Download Submit
C:\Users\Admin\AppData\Roaming\10001340110\terms.dll

Filesize
13KB

MD5
44163d81bb5710839fb9ba265de2c942

SHA1
a7497d6085ed8ce25e9728a0af7e989e026eaf04

SHA256
de4e3ff7f7da5d5561e384585a9d0cb66f2c51ea324c184848d125d8792bf666

SHA512
97ef4974f41affd04eb960fa873cd9754f31007c3d7239a7fb5b17cc152c01f2050c3b25d107e36ab5c65010610624e773f726de7d39255bb2c0ad5d8b9929a4

Download Submit
C:\Windows\Tasks\Test Task17.job

Filesize
236B

MD5
0e5270728795c4e5dfae7c7f00d0b1e5

SHA1
26ff0b94aec52451c1b20ad36606b1b2f336fa1c

SHA256
fc2cf56fa4c6fff596eb0bff9f948d1f0d2ea0a572f8c9f2dfc204b7f2fffa53

SHA512
9f2e3ae3f2a3f3018e07911b63ea0a17b461ccabcb4afce32b240773d81238ac909162254ac8615697a78993c761c00c827505ec44ca01279fbee07e4ea91629

Download Submit
memory/1840-29-0x000000007359E000-0x000000007359F000-memory.dmp

Filesize
4KB

Download
memory/1840-30-0x0000000000AB0000-0x0000000000BB2000-memory.dmp

Filesize
1.0MB

Download
memory/1840-31-0x00000000055D0000-0x00000000056B6000-memory.dmp

Filesize
920KB

Download
memory/1840-32-0x0000000005C70000-0x0000000006214000-memory.dmp

Filesize
5.6MB

Download
memory/1840-33-0x0000000005760000-0x00000000057F2000-memory.dmp

Filesize
584KB

Download
memory/1840-43-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-41-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-97-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-95-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-91-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-87-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-85-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-81-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-79-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-77-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-75-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-71-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-67-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-65-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-63-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-59-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-57-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-55-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-53-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-51-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-49-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-47-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-45-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-93-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-89-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-39-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-84-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-73-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-37-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-69-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-61-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-35-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-34-0x00000000055D0000-0x00000000056B1000-memory.dmp

Filesize
900KB

Download
memory/1840-1211-0x0000000005840000-0x0000000005898000-memory.dmp

Filesize
352KB

Download
memory/1840-1210-0x0000000073590000-0x0000000073D40000-memory.dmp

Filesize
7.7MB

Download
memory/1840-1213-0x0000000073590000-0x0000000073D40000-memory.dmp

Filesize
7.7MB

Download
memory/1840-1212-0x00000000058A0000-0x00000000058EC000-memory.dmp

Filesize
304KB

Download
memory/1840-1224-0x000000007359E000-0x000000007359F000-memory.dmp

Filesize
4KB

Download
memory/1840-1225-0x0000000073590000-0x0000000073D40000-memory.dmp

Filesize
7.7MB

Download
memory/1840-1226-0x0000000005910000-0x0000000005964000-memory.dmp

Filesize
336KB

Download
memory/1840-1237-0x0000000073590000-0x0000000073D40000-memory.dmp

Filesize
7.7MB

Download