systembc | dbeae60f2dbf75d9340775ee02002e0400bc646f9d35dc41bdef73be4da82ac5

Analysis

max time kernel
133s
max time network
134s
platform
windows10_x64
resource
win10v20210410
submitted
28-04-2021 21:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2876db1b_by_Libranalysis.exe
Size

91KB
MD5

2876db1b03b557351668cd577bf09c52
SHA1

39dea8fbb9eeb2d5e6de5af3eda87f33a857dc12
SHA256

dbeae60f2dbf75d9340775ee02002e0400bc646f9d35dc41bdef73be4da82ac5
SHA512

398ca451179d3800a654108bc3c9556dc5bee649fdcd2ec73133ca822c46a02c676f65f7d2cd8e4625121558bf4d68b851d5c8e723c527ed89fe0207ed490e39

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

185.33.84.190:4124

45.79.237.92:4124

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 4 IoCs

Processes:

btbjsck.exebtbjsck.exebtbjsck.exebtbjsck.exe

pid process

2180 btbjsck.exe
3636 btbjsck.exe
1580 btbjsck.exe
3776 btbjsck.exe
Loads dropped DLL 3 IoCs

Processes:

2876db1b_by_Libranalysis.exebtbjsck.exebtbjsck.exe

pid process

3876 2876db1b_by_Libranalysis.exe
2180 btbjsck.exe
1580 btbjsck.exe

pid	process
2180	btbjsck.exe
3636	btbjsck.exe
1580	btbjsck.exe
3776	btbjsck.exe

pid	process
3876	2876db1b_by_Libranalysis.exe
2180	btbjsck.exe
1580	btbjsck.exe

Drops file in System32 directory 4 IoCs

Processes:

btbjsck.exebtbjsck.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu	btbjsck.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	btbjsck.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\147201902	btbjsck.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\147201902	btbjsck.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

2876db1b_by_Libranalysis.exebtbjsck.exebtbjsck.exe

description	pid	process	target process
PID 3876 set thread context of 3760	3876	2876db1b_by_Libranalysis.exe	2876db1b_by_Libranalysis.exe
PID 2180 set thread context of 3636	2180	btbjsck.exe	btbjsck.exe
PID 1580 set thread context of 3776	1580	btbjsck.exe	btbjsck.exe

Drops file in Windows directory 2 IoCs

Processes:

2876db1b_by_Libranalysis.exe

description	ioc	process
File created	C:\Windows\Tasks\btbjsck.job	2876db1b_by_Libranalysis.exe
File opened for modification	C:\Windows\Tasks\btbjsck.job	2876db1b_by_Libranalysis.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 10 IoCs

installer

Processes:

resource	yara_rule
C:\ProgramData\tlhofx\btbjsck.exe	nsis_installer_1
C:\ProgramData\tlhofx\btbjsck.exe	nsis_installer_2
C:\ProgramData\tlhofx\btbjsck.exe	nsis_installer_1
C:\ProgramData\tlhofx\btbjsck.exe	nsis_installer_2
C:\ProgramData\tlhofx\btbjsck.exe	nsis_installer_1
C:\ProgramData\tlhofx\btbjsck.exe	nsis_installer_2
C:\ProgramData\tlhofx\btbjsck.exe	nsis_installer_1
C:\ProgramData\tlhofx\btbjsck.exe	nsis_installer_2
C:\ProgramData\tlhofx\btbjsck.exe	nsis_installer_1
C:\ProgramData\tlhofx\btbjsck.exe	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2876db1b_by_Libranalysis.exe

pid process

3760 2876db1b_by_Libranalysis.exe
3760 2876db1b_by_Libranalysis.exe
Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

2876db1b_by_Libranalysis.exebtbjsck.exebtbjsck.exe

pid process

3876 2876db1b_by_Libranalysis.exe
2180 btbjsck.exe
1580 btbjsck.exe

pid	process
3760	2876db1b_by_Libranalysis.exe
3760	2876db1b_by_Libranalysis.exe

pid	process
3876	2876db1b_by_Libranalysis.exe
2180	btbjsck.exe
1580	btbjsck.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2876db1b_by_Libranalysis.exebtbjsck.exebtbjsck.exe

description	pid	process	target process
PID 3876 wrote to memory of 3760	3876	2876db1b_by_Libranalysis.exe	2876db1b_by_Libranalysis.exe
PID 3876 wrote to memory of 3760	3876	2876db1b_by_Libranalysis.exe	2876db1b_by_Libranalysis.exe
PID 3876 wrote to memory of 3760	3876	2876db1b_by_Libranalysis.exe	2876db1b_by_Libranalysis.exe
PID 3876 wrote to memory of 3760	3876	2876db1b_by_Libranalysis.exe	2876db1b_by_Libranalysis.exe
PID 2180 wrote to memory of 3636	2180	btbjsck.exe	btbjsck.exe
PID 2180 wrote to memory of 3636	2180	btbjsck.exe	btbjsck.exe
PID 2180 wrote to memory of 3636	2180	btbjsck.exe	btbjsck.exe
PID 2180 wrote to memory of 3636	2180	btbjsck.exe	btbjsck.exe
PID 1580 wrote to memory of 3776	1580	btbjsck.exe	btbjsck.exe
PID 1580 wrote to memory of 3776	1580	btbjsck.exe	btbjsck.exe
PID 1580 wrote to memory of 3776	1580	btbjsck.exe	btbjsck.exe
PID 1580 wrote to memory of 3776	1580	btbjsck.exe	btbjsck.exe

C:\Users\Admin\AppData\Local\Temp\2876db1b_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\2876db1b_by_Libranalysis.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3876
- C:\Users\Admin\AppData\Local\Temp\2876db1b_by_Libranalysis.exe
  "C:\Users\Admin\AppData\Local\Temp\2876db1b_by_Libranalysis.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3760

C:\ProgramData\tlhofx\btbjsck.exe
C:\ProgramData\tlhofx\btbjsck.exe start
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2180
- C:\ProgramData\tlhofx\btbjsck.exe
  C:\ProgramData\tlhofx\btbjsck.exe start
  2⤵
  - Executes dropped EXE
  PID:3636

C:\ProgramData\tlhofx\btbjsck.exe
C:\ProgramData\tlhofx\btbjsck.exe start
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1580
- C:\ProgramData\tlhofx\btbjsck.exe
  C:\ProgramData\tlhofx\btbjsck.exe start
  2⤵
  - Executes dropped EXE
  PID:3776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\tlhofx\btbjsck.exe

MD5
2876db1b03b557351668cd577bf09c52

SHA1
39dea8fbb9eeb2d5e6de5af3eda87f33a857dc12

SHA256
dbeae60f2dbf75d9340775ee02002e0400bc646f9d35dc41bdef73be4da82ac5

SHA512
398ca451179d3800a654108bc3c9556dc5bee649fdcd2ec73133ca822c46a02c676f65f7d2cd8e4625121558bf4d68b851d5c8e723c527ed89fe0207ed490e39

Download Submit
C:\ProgramData\tlhofx\btbjsck.exe

MD5
2876db1b03b557351668cd577bf09c52

SHA1
39dea8fbb9eeb2d5e6de5af3eda87f33a857dc12

SHA256
dbeae60f2dbf75d9340775ee02002e0400bc646f9d35dc41bdef73be4da82ac5

SHA512
398ca451179d3800a654108bc3c9556dc5bee649fdcd2ec73133ca822c46a02c676f65f7d2cd8e4625121558bf4d68b851d5c8e723c527ed89fe0207ed490e39

Download Submit
C:\ProgramData\tlhofx\btbjsck.exe

MD5
2876db1b03b557351668cd577bf09c52

SHA1
39dea8fbb9eeb2d5e6de5af3eda87f33a857dc12

SHA256
dbeae60f2dbf75d9340775ee02002e0400bc646f9d35dc41bdef73be4da82ac5

SHA512
398ca451179d3800a654108bc3c9556dc5bee649fdcd2ec73133ca822c46a02c676f65f7d2cd8e4625121558bf4d68b851d5c8e723c527ed89fe0207ed490e39

Download Submit
C:\ProgramData\tlhofx\btbjsck.exe

MD5
2876db1b03b557351668cd577bf09c52

SHA1
39dea8fbb9eeb2d5e6de5af3eda87f33a857dc12

SHA256
dbeae60f2dbf75d9340775ee02002e0400bc646f9d35dc41bdef73be4da82ac5

SHA512
398ca451179d3800a654108bc3c9556dc5bee649fdcd2ec73133ca822c46a02c676f65f7d2cd8e4625121558bf4d68b851d5c8e723c527ed89fe0207ed490e39

Download Submit
C:\ProgramData\tlhofx\btbjsck.exe

MD5
2876db1b03b557351668cd577bf09c52

SHA1
39dea8fbb9eeb2d5e6de5af3eda87f33a857dc12

SHA256
dbeae60f2dbf75d9340775ee02002e0400bc646f9d35dc41bdef73be4da82ac5

SHA512
398ca451179d3800a654108bc3c9556dc5bee649fdcd2ec73133ca822c46a02c676f65f7d2cd8e4625121558bf4d68b851d5c8e723c527ed89fe0207ed490e39

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\147201902

MD5
8e51f75f1b5717edc90d925f866c7688

SHA1
0825984a36dae7647e6050c1368b61aa77606817

SHA256
8e39a3a07028b4325599b15a4f6e9a4fd4ff2aacdcd949ead03ce1752fbc669e

SHA512
0c61424127ffe81aa68dacc612198fd21dba2885075e7697d5211571e1630df08d738fa63faf9b75bffaad0fb15429af9a9088dd80fec2e699c71b0472bbce84

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1B9D.tmp\System.dll

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Windows\Temp\nsk9CBF.tmp\System.dll

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Windows\Temp\nsr963C.tmp\System.dll

MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/3636-120-0x0000000000401000-mapping.dmp

Download
memory/3760-116-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3760-115-0x0000000000401000-mapping.dmp

Download
memory/3776-126-0x0000000000401000-mapping.dmp

Download