systembc | b842433943138b902e52840647f19bc0c5361504e78f7183e956ffe9063772c6

Analysis

max time kernel
108s
max time network
154s
platform
windows7_x64
resource
win7v20210410
submitted
08-06-2021 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b842433943138b902e52840647f19bc0c5361504e78f7183e956ffe9063772c6.bin.exe
Size

36KB
MD5

b4ff9334082022b24f7272b2a752dee0
SHA1

48805d9296173a8758587868ab5e8f3ea073759e
SHA256

b842433943138b902e52840647f19bc0c5361504e78f7183e956ffe9063772c6
SHA512

69242a365f9179ecdc8d096d2ec8055186c142b8b2576dad34899837fadc05c7bf6b805ded391552a36b8f85d4e06daf0eeea210e6bce2193a5b1f0cef7dc36e

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

107.175.150.179:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 2 IoCs

Processes:

mich.exemich.exe

pid process

912 mich.exe
1536 mich.exe
Loads dropped DLL 6 IoCs

Processes:

WerFault.exeWerFault.exe

pid process

652 WerFault.exe
652 WerFault.exe
652 WerFault.exe
1852 WerFault.exe
1852 WerFault.exe
1852 WerFault.exe

pid	process
912	mich.exe
1536	mich.exe

pid	process
652	WerFault.exe
652	WerFault.exe
652	WerFault.exe
1852	WerFault.exe
1852	WerFault.exe
1852	WerFault.exe

Drops file in Windows directory 2 IoCs

Processes:

b842433943138b902e52840647f19bc0c5361504e78f7183e956ffe9063772c6.bin.exe

description	ioc	process
File created	C:\Windows\Tasks\mich.job	b842433943138b902e52840647f19bc0c5361504e78f7183e956ffe9063772c6.bin.exe
File opened for modification	C:\Windows\Tasks\mich.job	b842433943138b902e52840647f19bc0c5361504e78f7183e956ffe9063772c6.bin.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

652 912 WerFault.exe mich.exe
1852 1536 WerFault.exe mich.exe

pid	pid_target	process	target process
652	912	WerFault.exe	mich.exe
1852	1536	WerFault.exe	mich.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

b842433943138b902e52840647f19bc0c5361504e78f7183e956ffe9063772c6.bin.exeWerFault.exeWerFault.exe

pid	process
1920	b842433943138b902e52840647f19bc0c5361504e78f7183e956ffe9063772c6.bin.exe
652	WerFault.exe
652	WerFault.exe
652	WerFault.exe
652	WerFault.exe
652	WerFault.exe
1852	WerFault.exe
1852	WerFault.exe
1852	WerFault.exe
1852	WerFault.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

WerFault.exeWerFault.exe

description pid process

Token: SeDebugPrivilege 652 WerFault.exe
Token: SeDebugPrivilege 1852 WerFault.exe

description	pid	process
Token: SeDebugPrivilege	652	WerFault.exe
Token: SeDebugPrivilege	1852	WerFault.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

taskeng.exemich.exemich.exe

description	pid	process	target process
PID 644 wrote to memory of 912	644	taskeng.exe	mich.exe
PID 644 wrote to memory of 912	644	taskeng.exe	mich.exe
PID 644 wrote to memory of 912	644	taskeng.exe	mich.exe
PID 644 wrote to memory of 912	644	taskeng.exe	mich.exe
PID 912 wrote to memory of 652	912	mich.exe	WerFault.exe
PID 912 wrote to memory of 652	912	mich.exe	WerFault.exe
PID 912 wrote to memory of 652	912	mich.exe	WerFault.exe
PID 912 wrote to memory of 652	912	mich.exe	WerFault.exe
PID 644 wrote to memory of 1536	644	taskeng.exe	mich.exe
PID 644 wrote to memory of 1536	644	taskeng.exe	mich.exe
PID 644 wrote to memory of 1536	644	taskeng.exe	mich.exe
PID 644 wrote to memory of 1536	644	taskeng.exe	mich.exe
PID 1536 wrote to memory of 1852	1536	mich.exe	WerFault.exe
PID 1536 wrote to memory of 1852	1536	mich.exe	WerFault.exe
PID 1536 wrote to memory of 1852	1536	mich.exe	WerFault.exe
PID 1536 wrote to memory of 1852	1536	mich.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\b842433943138b902e52840647f19bc0c5361504e78f7183e956ffe9063772c6.bin.exe
"C:\Users\Admin\AppData\Local\Temp\b842433943138b902e52840647f19bc0c5361504e78f7183e956ffe9063772c6.bin.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1920

C:\Windows\system32\taskeng.exe
taskeng.exe {2561566C-CEBC-4924-AB8F-B427AAB3F6CB} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:644
- C:\ProgramData\udhvhb\mich.exe
  C:\ProgramData\udhvhb\mich.exe start
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 216
    3⤵
    - Loads dropped DLL
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:652
- C:\ProgramData\udhvhb\mich.exe
  C:\ProgramData\udhvhb\mich.exe start
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 216
    3⤵
    - Loads dropped DLL
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\udhvhb\mich.exe

MD5
b4ff9334082022b24f7272b2a752dee0

SHA1
48805d9296173a8758587868ab5e8f3ea073759e

SHA256
b842433943138b902e52840647f19bc0c5361504e78f7183e956ffe9063772c6

SHA512
69242a365f9179ecdc8d096d2ec8055186c142b8b2576dad34899837fadc05c7bf6b805ded391552a36b8f85d4e06daf0eeea210e6bce2193a5b1f0cef7dc36e

Download Submit
C:\ProgramData\udhvhb\mich.exe

MD5
b4ff9334082022b24f7272b2a752dee0

SHA1
48805d9296173a8758587868ab5e8f3ea073759e

SHA256
b842433943138b902e52840647f19bc0c5361504e78f7183e956ffe9063772c6

SHA512
69242a365f9179ecdc8d096d2ec8055186c142b8b2576dad34899837fadc05c7bf6b805ded391552a36b8f85d4e06daf0eeea210e6bce2193a5b1f0cef7dc36e

Download Submit
C:\ProgramData\udhvhb\mich.exe

MD5
b4ff9334082022b24f7272b2a752dee0

SHA1
48805d9296173a8758587868ab5e8f3ea073759e

SHA256
b842433943138b902e52840647f19bc0c5361504e78f7183e956ffe9063772c6

SHA512
69242a365f9179ecdc8d096d2ec8055186c142b8b2576dad34899837fadc05c7bf6b805ded391552a36b8f85d4e06daf0eeea210e6bce2193a5b1f0cef7dc36e

Download Submit
\ProgramData\udhvhb\mich.exe

MD5
b4ff9334082022b24f7272b2a752dee0

SHA1
48805d9296173a8758587868ab5e8f3ea073759e

SHA256
b842433943138b902e52840647f19bc0c5361504e78f7183e956ffe9063772c6

SHA512
69242a365f9179ecdc8d096d2ec8055186c142b8b2576dad34899837fadc05c7bf6b805ded391552a36b8f85d4e06daf0eeea210e6bce2193a5b1f0cef7dc36e

Download Submit
\ProgramData\udhvhb\mich.exe

MD5
b4ff9334082022b24f7272b2a752dee0

SHA1
48805d9296173a8758587868ab5e8f3ea073759e

SHA256
b842433943138b902e52840647f19bc0c5361504e78f7183e956ffe9063772c6

SHA512
69242a365f9179ecdc8d096d2ec8055186c142b8b2576dad34899837fadc05c7bf6b805ded391552a36b8f85d4e06daf0eeea210e6bce2193a5b1f0cef7dc36e

Download Submit
\ProgramData\udhvhb\mich.exe

MD5
b4ff9334082022b24f7272b2a752dee0

SHA1
48805d9296173a8758587868ab5e8f3ea073759e

SHA256
b842433943138b902e52840647f19bc0c5361504e78f7183e956ffe9063772c6

SHA512
69242a365f9179ecdc8d096d2ec8055186c142b8b2576dad34899837fadc05c7bf6b805ded391552a36b8f85d4e06daf0eeea210e6bce2193a5b1f0cef7dc36e

Download Submit
\ProgramData\udhvhb\mich.exe

MD5
b4ff9334082022b24f7272b2a752dee0

SHA1
48805d9296173a8758587868ab5e8f3ea073759e

SHA256
b842433943138b902e52840647f19bc0c5361504e78f7183e956ffe9063772c6

SHA512
69242a365f9179ecdc8d096d2ec8055186c142b8b2576dad34899837fadc05c7bf6b805ded391552a36b8f85d4e06daf0eeea210e6bce2193a5b1f0cef7dc36e

Download Submit
\ProgramData\udhvhb\mich.exe

MD5
b4ff9334082022b24f7272b2a752dee0

SHA1
48805d9296173a8758587868ab5e8f3ea073759e

SHA256
b842433943138b902e52840647f19bc0c5361504e78f7183e956ffe9063772c6

SHA512
69242a365f9179ecdc8d096d2ec8055186c142b8b2576dad34899837fadc05c7bf6b805ded391552a36b8f85d4e06daf0eeea210e6bce2193a5b1f0cef7dc36e

Download Submit
\ProgramData\udhvhb\mich.exe

MD5
b4ff9334082022b24f7272b2a752dee0

SHA1
48805d9296173a8758587868ab5e8f3ea073759e

SHA256
b842433943138b902e52840647f19bc0c5361504e78f7183e956ffe9063772c6

SHA512
69242a365f9179ecdc8d096d2ec8055186c142b8b2576dad34899837fadc05c7bf6b805ded391552a36b8f85d4e06daf0eeea210e6bce2193a5b1f0cef7dc36e

Download Submit
memory/652-64-0x0000000000000000-mapping.dmp

Download
memory/912-61-0x0000000000000000-mapping.dmp

Download
memory/1536-68-0x0000000000000000-mapping.dmp

Download
memory/1852-71-0x0000000000000000-mapping.dmp

Download
memory/1920-59-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download