systembc | a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f

General

Target

a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f.exe
Size

575KB
MD5

1d2e0c8bbbefd663e8f6f45534ba4d99
SHA1

82f642b063655ab32c5f0f17f7adad9b9b471702
SHA256

a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f
SHA512

221ef6738f6c4ee8e2d8287004a5874ee6e6e4435d08ec7660725dea0f781b5363dd5885810e1175984e8839a211b4034aff0f81b9fa02c7dfce2d174458b082

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

mainscpnl.xyz:4207

backpscpnl.xyz:4207

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

tpff.exetpff.exe

pid process

2976 tpff.exe
3976 tpff.exe
Deletes itself 1 IoCs

Processes:

tpff.exe

pid process

2976 tpff.exe

pid	process
2976	tpff.exe
3976	tpff.exe

pid	process
2976	tpff.exe

Drops file in System32 directory 6 IoCs

Processes:

a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f.exetpff.exetpff.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\.obs32\{49E7EF38-A55BB532-958B4A9E-F22869DD}.10037009152593965641	a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Obsidium\{49E7EF38-A55BB532-958B4A9E-F22869DD}.Metrics	tpff.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\.obs32\{49E7EF38-A55BB532-958B4A9E-F22869DD}.10037009152593965641	tpff.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Obsidium\{49E7EF38-A55BB532-958B4A9E-F22869DD}.Metrics	tpff.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\.obs32\{49E7EF38-A55BB532-958B4A9E-F22869DD}.10037009152593965641	tpff.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Obsidium\{49E7EF38-A55BB532-958B4A9E-F22869DD}.Metrics	a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f.exea48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f.exetpff.exetpff.exe

pid	process
660	a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f.exe
1104	a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f.exe
2976	tpff.exe
3976	tpff.exe

Drops file in Windows directory 5 IoCs

Processes:

a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f.exea48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f.exetpff.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\wow64.job	a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f.exe
File created	C:\Windows\Tasks\bkqtwucddbxvwrppnjh.job	a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f.exe
File created	C:\Windows\Tasks\wow64.job	tpff.exe
File opened for modification	C:\Windows\Tasks\wow64.job	tpff.exe
File created	C:\Windows\Tasks\wow64.job	a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f.exea48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f.exetpff.exetpff.exe

pid	process
660	a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f.exe
660	a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f.exe
1104	a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f.exe
1104	a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f.exe
2976	tpff.exe
2976	tpff.exe
3976	tpff.exe
3976	tpff.exe

C:\Users\Admin\AppData\Local\Temp\a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f.exe
"C:\Users\Admin\AppData\Local\Temp\a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:660

C:\Users\Admin\AppData\Local\Temp\a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f.exe
C:\Users\Admin\AppData\Local\Temp\a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f.exe start
1⤵
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1104

C:\Windows\TEMP\tpff.exe
C:\Windows\TEMP\tpff.exe
1⤵
- Executes dropped EXE
- Deletes itself
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2976

C:\Windows\TEMP\tpff.exe
C:\Windows\TEMP\tpff.exe start
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3976

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\TEMP\tpff.exe
MD5
1d2e0c8bbbefd663e8f6f45534ba4d99

SHA1
82f642b063655ab32c5f0f17f7adad9b9b471702

SHA256
a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f

SHA512
221ef6738f6c4ee8e2d8287004a5874ee6e6e4435d08ec7660725dea0f781b5363dd5885810e1175984e8839a211b4034aff0f81b9fa02c7dfce2d174458b082

Download Submit
C:\Windows\Tasks\wow64.job
MD5
f400d29fb9b3a2eb80ec785524dccab6

SHA1
268acf2ad083cb46f42431140d6ee87c72744335

SHA256
c68369e9d9097d0ee70a3e077376e5c9317b305b54be7d83ce7e301a85f4c9fc

SHA512
d718c0dee5220ff2b37f3e57fc96bd14d26ce2964888afcd8702bcb694144a34574db9a7b30be4534d42f9006aa8c54c9ac2fe7cf32e9d8be56ae50c064bfe7f

Download Submit
C:\Windows\Temp\tpff.exe
MD5
1d2e0c8bbbefd663e8f6f45534ba4d99

SHA1
82f642b063655ab32c5f0f17f7adad9b9b471702

SHA256
a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f

SHA512
221ef6738f6c4ee8e2d8287004a5874ee6e6e4435d08ec7660725dea0f781b5363dd5885810e1175984e8839a211b4034aff0f81b9fa02c7dfce2d174458b082

Download Submit
C:\Windows\Temp\tpff.exe
MD5
1d2e0c8bbbefd663e8f6f45534ba4d99

SHA1
82f642b063655ab32c5f0f17f7adad9b9b471702

SHA256
a48239f5b38d0ac9c388fd2af94f9c510f1f3fa241a2a434c6ab453774b70e2f

SHA512
221ef6738f6c4ee8e2d8287004a5874ee6e6e4435d08ec7660725dea0f781b5363dd5885810e1175984e8839a211b4034aff0f81b9fa02c7dfce2d174458b082

Download Submit
memory/660-117-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/660-116-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/660-118-0x00000000006D0000-0x000000000081A000-memory.dmp

Filesize
1.3MB

Download
memory/660-119-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/660-120-0x0000000000790000-0x0000000000797000-memory.dmp

Filesize
28KB

Download
memory/660-115-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1104-126-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1104-127-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1104-133-0x00000000006D0000-0x000000000081A000-memory.dmp

Filesize
1.3MB

Download
memory/1104-128-0x0000000000810000-0x0000000000857000-memory.dmp

Filesize
284KB

Download
memory/1104-125-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1104-134-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2976-138-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2976-140-0x00000000010F0000-0x00000000010F7000-memory.dmp

Filesize
28KB

Download
memory/2976-146-0x00000000006D0000-0x000000000081A000-memory.dmp

Filesize
1.3MB

Download
memory/2976-139-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2976-147-0x0000000000830000-0x0000000000831000-memory.dmp

Filesize
4KB

Download
memory/2976-137-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3976-149-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3976-150-0x00000000008A0000-0x00000000008A1000-memory.dmp

Filesize
4KB

Download
memory/3976-151-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3976-152-0x0000000001090000-0x0000000001097000-memory.dmp

Filesize
28KB

Download
memory/3976-157-0x00000000010E0000-0x0000000001120000-memory.dmp

Filesize
256KB

Download
memory/3976-158-0x00000000010E0000-0x0000000001142000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads