Windows
Analysis Report
Opdxdyeul.exe
Overview
General Information
Detection
SystemBC
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected SystemBC
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected Costura Assembly Loader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Execution of Powershell with Base64
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64
- Opdxdyeul.exe (PID: 6488 cmdline: "C:\Users\user\Desktop\Opdxdyeul.exe" MD5: CEE58644E824D57927FE73BE837B1418)
  - powershell.exe (PID: 3416 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAGUAbgBnAGkAbgBlAGUAcgBcAEQAZQBzAGsAdABvAHAAXABPAHAAZAB4AGQAeQBlAHUAbAAuAGUAeABlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVQBzAGUAcgBzAFwAZQBuAGcAaQBuAGUAZQByAFwARABlAHMAawB0AG8AcABcAE8AcABkAHgAZAB5AGUAdQBsAC4AZQB4AGUAOwBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQwA6AFwAVQBzAGUAcgBzAFwAZQBuAGcAaQBuAGUAZQByAFwAQQBwAHAARABhAHQAYQBcAFIAbwBhAG0AaQBuAGcAXABZAGoAbAB3AHUAdQB5AHMALgBlAHgAZQA7ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUAByAG8AYwBlAHMAcwAgAEMAOgBcAFUAcwBlAHIAcwBcAGUAbgBnAGkAbgBlAGUAcgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAWQBqAGwAdwB1AHUAeQBzAC4AZQB4AGUA MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - conhost.exe (PID: 1948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - WmiPrvSE.exe (PID: 2276 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
  - Opdxdyeul.exe (PID: 5280 cmdline: "C:\Users\user\Desktop\Opdxdyeul.exe" MD5: CEE58644E824D57927FE73BE837B1418)
- qxdc.exe (PID: 3392 cmdline: C:\ProgramData\colsv\qxdc.exe MD5: CEE58644E824D57927FE73BE837B1418)
  - qxdc.exe (PID: 4184 cmdline: "C:\ProgramData\colsv\qxdc.exe" MD5: CEE58644E824D57927FE73BE837B1418)
- Yjlwuuys.exe (PID: 4896 cmdline: "C:\Users\user\AppData\Roaming\Yjlwuuys.exe" MD5: CEE58644E824D57927FE73BE837B1418)
  - Yjlwuuys.exe (PID: 4948 cmdline: "C:\Users\user\AppData\Roaming\Yjlwuuys.exe" MD5: CEE58644E824D57927FE73BE837B1418)
- svchost.exe (PID: 6488 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- Yjlwuuys.exe (PID: 2168 cmdline: "C:\Users\user\AppData\Roaming\Yjlwuuys.exe" MD5: CEE58644E824D57927FE73BE837B1418)
  - Yjlwuuys.exe (PID: 3560 cmdline: "C:\Users\user\AppData\Roaming\Yjlwuuys.exe" MD5: CEE58644E824D57927FE73BE837B1418)
- qxdc.exe (PID: 6664 cmdline: C:\ProgramData\colsv\qxdc.exe MD5: CEE58644E824D57927FE73BE837B1418)
  - qxdc.exe (PID: 3360 cmdline: "C:\ProgramData\colsv\qxdc.exe" MD5: CEE58644E824D57927FE73BE837B1418)
- qxdc.exe (PID: 6684 cmdline: C:\ProgramData\colsv\qxdc.exe MD5: CEE58644E824D57927FE73BE837B1418)
  - qxdc.exe (PID: 2524 cmdline: "C:\ProgramData\colsv\qxdc.exe" MD5: CEE58644E824D57927FE73BE837B1418)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
SystemBC | SystemBC is a proxy malware leveraging SOCKS5. Based on screenshots used in ads on an underground marketplace, Proofpoint decided to call it SystemBC. SystemBC has been observed occasionally, but more pronounced since June 2019. The first samples go back to October 2018. | No Attribution | | |
{"HOST1": "claywyaeropumps.com", "HOST2": "178.132.2.10", "DNS1": "5.132.191.104", "DNS2": "ns1.vic.au.dns.opennic.glue", "DNS3": "ns2.vic.au.dns.opennic.glue"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security | ||
JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security | ||
JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security | ||
(35 entries in total; the first 5 are shown)
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security | ||
JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security | ||
JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security | ||
JoeSecurity_SystemBC | Yara detected SystemBC | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
(22 entries in total; the first 5 are shown)
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |