systembc | 4fb561dbdfd2eac3757e56df1cda954fc4cdbab3da7225ea97ed3a9111ae74e5

General

Target

ab80e92fbdd11c699d650a455de769d0.exe
Size

392KB
MD5

ab80e92fbdd11c699d650a455de769d0
SHA1

56fa38589ebc1653d285aaaf9f79426ac5f1d826
SHA256

4fb561dbdfd2eac3757e56df1cda954fc4cdbab3da7225ea97ed3a9111ae74e5
SHA512

141d58c3a36982398cc991b83f4e4d70304c7fe9f3ef1920eec6ffba4b75164f326614e34f87b03ce576b5a08d2c84e369b775570ff57d727cab6313a792b0f5

Score

10^/10

systembc persistence trojan

Malware Config

Extracted

Family

systembc

C2

65.21.93.53:4173

95.216.118.223:4173

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

15 2604 rundll32.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exe

pid process

2604 rundll32.exe
2604 rundll32.exe

flow	pid	process
15	2604	rundll32.exe

pid	process
2604	rundll32.exe
2604	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ab80e92fbdd11c699d650a455de769d0.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ProtectIT = "C:\\Windows\\System32\\rundll32.exe C:\\Users\\Admin\\AppData\\Roaming\\valid.sa, rundll"	ab80e92fbdd11c699d650a455de769d0.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ab80e92fbdd11c699d650a455de769d0.exe

description	pid	process	target process
PID 900 wrote to memory of 2604	900	ab80e92fbdd11c699d650a455de769d0.exe	rundll32.exe
PID 900 wrote to memory of 2604	900	ab80e92fbdd11c699d650a455de769d0.exe	rundll32.exe
PID 900 wrote to memory of 2604	900	ab80e92fbdd11c699d650a455de769d0.exe	rundll32.exe
PID 900 wrote to memory of 2468	900	ab80e92fbdd11c699d650a455de769d0.exe	cmd.exe
PID 900 wrote to memory of 2468	900	ab80e92fbdd11c699d650a455de769d0.exe	cmd.exe
PID 900 wrote to memory of 2468	900	ab80e92fbdd11c699d650a455de769d0.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ab80e92fbdd11c699d650a455de769d0.exe
"C:\Users\Admin\AppData\Local\Temp\ab80e92fbdd11c699d650a455de769d0.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Roaming\valid.sa, rundll
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:2604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\System32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\ab80e92fbdd11c699d650a455de769d0.exe"
2⤵
PID:2468

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\valid.sa
MD5
4ed86d03e1b1992737a82147f37b0f26

SHA1
65c8d604169f09b9d746ee1d5137f35e0de73a8e

SHA256
1f5ab2dd8c68798890cc3f34c342aae74fb15846d2beb3cc4fc78dc6a94f7d1c

SHA512
238b338aa6b5d31f17e64ccf9e635c19867bf8eb267578a65158a61bb6bea5ec616b5798dafabd3ca0797268869e7b414db1d3668542ef95698d0cf9f17839c5

Download Submit
\Users\Admin\AppData\Roaming\valid.sa
MD5
4ed86d03e1b1992737a82147f37b0f26

SHA1
65c8d604169f09b9d746ee1d5137f35e0de73a8e

SHA256
1f5ab2dd8c68798890cc3f34c342aae74fb15846d2beb3cc4fc78dc6a94f7d1c

SHA512
238b338aa6b5d31f17e64ccf9e635c19867bf8eb267578a65158a61bb6bea5ec616b5798dafabd3ca0797268869e7b414db1d3668542ef95698d0cf9f17839c5

Download Submit
\Users\Admin\AppData\Roaming\valid.sa
MD5
4ed86d03e1b1992737a82147f37b0f26

SHA1
65c8d604169f09b9d746ee1d5137f35e0de73a8e

SHA256
1f5ab2dd8c68798890cc3f34c342aae74fb15846d2beb3cc4fc78dc6a94f7d1c

SHA512
238b338aa6b5d31f17e64ccf9e635c19867bf8eb267578a65158a61bb6bea5ec616b5798dafabd3ca0797268869e7b414db1d3668542ef95698d0cf9f17839c5

Download Submit
memory/900-121-0x0000000000400000-0x0000000000901000-memory.dmp

Filesize
5.0MB

Download
memory/900-120-0x0000000000B40000-0x0000000000B75000-memory.dmp

Filesize
212KB

Download
memory/2468-115-0x0000000000000000-mapping.dmp

Download
memory/2604-114-0x0000000000000000-mapping.dmp

Download
memory/2604-119-0x0000000000B60000-0x0000000000B83000-memory.dmp

Filesize
140KB

Download
memory/2604-122-0x0000000000CA0000-0x0000000000CA5000-memory.dmp

Filesize
20KB

Download
memory/2604-123-0x0000000000CC0000-0x0000000000CC7000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing