systembc | 360e527a7f41f42dffc4762d1f71bf26e2496c52e995694e0eeed85991e6feef

General

Target

360e527a7f41f42dffc4762d1f71bf26e2496c52e995694e0eeed85991e6feef.exe
Size

1.3MB
MD5

3f20329a1a2b2334579c215af2a6e2be
SHA1

0c4430dbfb710175df15699d83de38659cb4911b
SHA256

360e527a7f41f42dffc4762d1f71bf26e2496c52e995694e0eeed85991e6feef
SHA512

78dd12b49b07ba53635179f8156c4ee132a5cc98136ac05707bc147308f3a5fffc65d38ae8ccb50cdd1b2f86e8cafb906cd856cf8a44ad5bf037ef9ec3be2261

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

mainscpnl.xyz:4207

backpscpnl.xyz:4207

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

bcmr.exebcmr.exe

pid process

3112 bcmr.exe
752 bcmr.exe

pid	process
3112	bcmr.exe
752	bcmr.exe

Drops file in System32 directory 6 IoCs

Processes:

360e527a7f41f42dffc4762d1f71bf26e2496c52e995694e0eeed85991e6feef.exebcmr.exebcmr.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Obsidium\{49E7EF38-797AB17B-5A3121F6-0D30C8CE}.Environment	360e527a7f41f42dffc4762d1f71bf26e2496c52e995694e0eeed85991e6feef.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\.obs32\{49E7EF38-797AB17B-5A3121F6-0D30C8CE}.Debug	360e527a7f41f42dffc4762d1f71bf26e2496c52e995694e0eeed85991e6feef.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Obsidium\{49E7EF38-797AB17B-5A3121F6-0D30C8CE}.Environment	bcmr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\.obs32\{49E7EF38-797AB17B-5A3121F6-0D30C8CE}.Debug	bcmr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Obsidium\{49E7EF38-797AB17B-5A3121F6-0D30C8CE}.Environment	bcmr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\.obs32\{49E7EF38-797AB17B-5A3121F6-0D30C8CE}.Debug	bcmr.exe

Drops file in Windows directory 5 IoCs

Processes:

360e527a7f41f42dffc4762d1f71bf26e2496c52e995694e0eeed85991e6feef.exe360e527a7f41f42dffc4762d1f71bf26e2496c52e995694e0eeed85991e6feef.exebcmr.exe

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	360e527a7f41f42dffc4762d1f71bf26e2496c52e995694e0eeed85991e6feef.exe
File opened for modification	C:\Windows\Tasks\wow64.job	360e527a7f41f42dffc4762d1f71bf26e2496c52e995694e0eeed85991e6feef.exe
File created	C:\Windows\Tasks\kxnotwktajosxejltub.job	360e527a7f41f42dffc4762d1f71bf26e2496c52e995694e0eeed85991e6feef.exe
File created	C:\Windows\Tasks\wow64.job	bcmr.exe
File opened for modification	C:\Windows\Tasks\wow64.job	bcmr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MusNotification.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotification.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotification.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MusNotification.exe

description pid process

Token: SeShutdownPrivilege 3636 MusNotification.exe
Token: SeCreatePagefilePrivilege 3636 MusNotification.exe

description	pid	process
Token: SeShutdownPrivilege	3636	MusNotification.exe
Token: SeCreatePagefilePrivilege	3636	MusNotification.exe

C:\Users\Admin\AppData\Local\Temp\360e527a7f41f42dffc4762d1f71bf26e2496c52e995694e0eeed85991e6feef.exe
"C:\Users\Admin\AppData\Local\Temp\360e527a7f41f42dffc4762d1f71bf26e2496c52e995694e0eeed85991e6feef.exe"
1⤵
- Drops file in Windows directory
PID:2588

C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3636

C:\Users\Admin\AppData\Local\Temp\360e527a7f41f42dffc4762d1f71bf26e2496c52e995694e0eeed85991e6feef.exe
C:\Users\Admin\AppData\Local\Temp\360e527a7f41f42dffc4762d1f71bf26e2496c52e995694e0eeed85991e6feef.exe start
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1984

C:\Windows\TEMP\bcmr.exe
C:\Windows\TEMP\bcmr.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3112

C:\Windows\TEMP\bcmr.exe
C:\Windows\TEMP\bcmr.exe start
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\TEMP\bcmr.exe
MD5
3f20329a1a2b2334579c215af2a6e2be

SHA1
0c4430dbfb710175df15699d83de38659cb4911b

SHA256
360e527a7f41f42dffc4762d1f71bf26e2496c52e995694e0eeed85991e6feef

SHA512
78dd12b49b07ba53635179f8156c4ee132a5cc98136ac05707bc147308f3a5fffc65d38ae8ccb50cdd1b2f86e8cafb906cd856cf8a44ad5bf037ef9ec3be2261

Download Submit
C:\Windows\Tasks\wow64.job
MD5
0a50d1f550d6539c6fb58e705d385bbc

SHA1
26701efd4e65dc4fb53c8631bf735ef116adf454

SHA256
f56e8487de1cebf2b227be99002e915a506a0db5404fcb3be888af79ced14ce7

SHA512
eb16ff150dde23a5564f07b58c4893a94137ff3aeba8aa4510d5a3a21a16fb5842ffe95a0cc84e9ccc8b06ff41a68e2e54aa87a6b16fdf925042f475ff7f0ee2

Download Submit
C:\Windows\Temp\bcmr.exe
MD5
3f20329a1a2b2334579c215af2a6e2be

SHA1
0c4430dbfb710175df15699d83de38659cb4911b

SHA256
360e527a7f41f42dffc4762d1f71bf26e2496c52e995694e0eeed85991e6feef

SHA512
78dd12b49b07ba53635179f8156c4ee132a5cc98136ac05707bc147308f3a5fffc65d38ae8ccb50cdd1b2f86e8cafb906cd856cf8a44ad5bf037ef9ec3be2261

Download Submit
C:\Windows\Temp\bcmr.exe
MD5
3f20329a1a2b2334579c215af2a6e2be

SHA1
0c4430dbfb710175df15699d83de38659cb4911b

SHA256
360e527a7f41f42dffc4762d1f71bf26e2496c52e995694e0eeed85991e6feef

SHA512
78dd12b49b07ba53635179f8156c4ee132a5cc98136ac05707bc147308f3a5fffc65d38ae8ccb50cdd1b2f86e8cafb906cd856cf8a44ad5bf037ef9ec3be2261

Download Submit
memory/752-165-0x0000000000860000-0x0000000000867000-memory.dmp

Filesize
28KB

Download
memory/752-163-0x00000000001C0000-0x00000000001FB000-memory.dmp

Filesize
236KB

Download
memory/752-164-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/752-162-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/752-161-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/1984-140-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/1984-139-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/1984-147-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/1984-146-0x0000000001360000-0x000000000139B000-memory.dmp

Filesize
236KB

Download
memory/1984-141-0x00000000009D0000-0x00000000009D7000-memory.dmp

Filesize
28KB

Download
memory/2588-131-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2588-132-0x00000000028C0000-0x00000000028FB000-memory.dmp

Filesize
236KB

Download
memory/2588-133-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/2588-134-0x00000000027C0000-0x00000000027C7000-memory.dmp

Filesize
28KB

Download
memory/2588-130-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download
memory/3112-151-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/3112-154-0x0000000000FE0000-0x0000000000FE7000-memory.dmp

Filesize
28KB

Download
memory/3112-153-0x00000000010D0000-0x00000000010D1000-memory.dmp

Filesize
4KB

Download
memory/3112-152-0x0000000001100000-0x000000000113B000-memory.dmp

Filesize
236KB

Download
memory/3112-150-0x0000000000400000-0x0000000000629000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads