systembc | 10fd1c7aabf703640bf16c35aed6a1507efbf6da46ab534d12b911fe307e0b28

General

Target

10fd1c7aabf703640bf16c35aed6a1507efbf6da46ab534d12b911fe307e0b28.exe
Size

172KB
MD5

6047ef3dc3006268a9406af1a7be63e3
SHA1

57602f69a5e7d855643b61e80ff32c1947cc6d64
SHA256

10fd1c7aabf703640bf16c35aed6a1507efbf6da46ab534d12b911fe307e0b28
SHA512

1e2ca97ab3e0edbbc44c89e6f854fcfb78a9b8927f8b970ac2971aa58a4011ab1cf1a66bc8efbfa60d30dbdd45df538e21e89ef876b410c1d66950ce8a4a4613

Score

10^/10

systembc trojan upx

Malware Config

Extracted

Family

systembc

C2

dec15coma.com:4039

dec15coma.xyz:4039

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

crea.exe

pid process

384 crea.exe

pid	process
384	crea.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\hjgrsu\crea.exe	upx
C:\ProgramData\hjgrsu\crea.exe	upx

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

92 api.ipify.org
93 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

flow	ioc
92	api.ipify.org
93	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

10fd1c7aabf703640bf16c35aed6a1507efbf6da46ab534d12b911fe307e0b28.exe

description	ioc	process
File created	C:\Windows\Tasks\crea.job	10fd1c7aabf703640bf16c35aed6a1507efbf6da46ab534d12b911fe307e0b28.exe
File opened for modification	C:\Windows\Tasks\crea.job	10fd1c7aabf703640bf16c35aed6a1507efbf6da46ab534d12b911fe307e0b28.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\001800080DE7F9A1 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000f4ba089120895e6133e5d9dcb7eb4de5c7aac840587628407774e653bae7cfc8000000000e8000000002000020000000be1567e22dd694f987f9353d1b3875258614e75dbb633ad31944eada7909ec93800000005c87b801f6452ba221386f49189d7a4fe35e75a5a8971cba643838134122cd0ddc6cc7e1a302c978f1a6d445e0187f30a0b0709a0c96b6ee7272e89fcf22496cb355ab18b9b175efe88619f4cfc859c6d1c85cab2d8af3a1a023383edcae7001187d0cae52641a86611f4ef5b08b494283d910101463fe4df58e166bac7c96e6400000002e4bdaa947cc87c770451b232ba14b0fcbdc890ec0e99dcbd096f97fd83123432dc6aaf885dcd6b3240c16e03121d7fdb53a9453d41ad0e7d9b809ca6f275dc3	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000af089ba753398d3c9c81b1bd1c4b4d55488db9e688ffb5e967aefa7fbad22ada000000000e8000000002000020000000a347a6ef142a01f7ab053c0f284e4fe1f6af5d35d12c79e93b12de9db25e258e100d0000423015e93cebdc022908a3f1eedd3c01485aaa8a8dadfc2d1825b715443092e6296dc244fbb80cce1d80895d9ef6ed88612695cddccd8c9183364a7974cc8bff89c26ade17c2c89e4b23bfbda38658ddb325207b089077f2e1bfbf2c08e46fad43a95f93c54cdd8fec7791876890d716e1d8cbcbe83db5e1e22ca1b3beb02d4f2c430703b026a2acecf7472d9e78964133249d25463496102a20454b6a7fc1d9fd1ff868c91eac52d38db3fbf90c5ac30d00606a20590f980edbc319a84d8ad9320083fb8ce0a5c22e349143a7886f9e6c0069c8324e5705ec9255f04781b8446b537b4a72f953ef73b90c02688d15474165b07d07fb14636f0cf7a0915484eece274c5fdb954cad9153b2312fb600d30197538db375dce5e0f1afe4f5ce396cbaa37870dd03abfa2609f40a62f5291be7390f7f0741edd283362f966daf06068e3add9951e41f06a7bfecd4e3b1c5518d90cf366d0bd2815c084721269bffe5c5f414369b18cf33cba1ab99e55420adf75d5bc0c5d692c32c0e2df2a0bd19e73ace431a5dbad3d6f24ce6a072b2bbf462c5cb8e5d3f4d1a8242f363d5da0daab2d7cadf977738968282902f617c256712389cf5e1e8837359911c45291283c2e53488dc2500380c705abf81b9c7087afd35bf78da849dbcc5df03d53f83da8d62120cd4924e31af41993bd0dbaf43e864273fdb1743ff89130772d7cc6de1376126f55dc710c94e7be9c4f9a0f72bba4bd9373e098ba670fea98142734bb10f131311951f880d2d9b582e9c64db24f1d5f9325bff62befe4efbf9d8704d7ab79db01d8e7e9a192b593118d7bf55f7c669acb822e7ef1c34de4db37b3c74968a5610ac602b1bb3e17e42317532983960165f456ec46a333f199cd8b46e3a929990dfc89c455e393ce4afcc9d32b4303d5129980990f7016e9b710fdcff8df28402914d57dc3e2af6ad13e438fb8192c944ca2dca58a8b6b35217f9adb2384dab362a3028fdc3ef649851cafe2162f72cdfb75111d0d98cad17b49a472c1b96211e3bed31aeee31b9618f3ffc112bb7c1ed1bb2a54e26c8f29ba680a461eeb26f557bd95fe61cb759f3bdf4650a5ca22bf8013764cb8d2fabec59f81cfc2431d4f8873abe078af544f0669d6ccffd8e612364a5f5d03809eba8ab1f95d94d088f278b83961d68c03f1ac3d9719bf16efa416551247998f0d2c0e1aaba9f90c489205ee39a16130c1262a3370c7e7b5da12c6038289435fd2cc1beb3dc5ab1a93492c3a69b435c0f4188d242bcd70e3856ee9a5f4c89f23aab68c9adc1b45ca38dd38c2818d833ced3e6592959c406831d22a59d7c5f6c508dd09a772876bfb77c4d7b4e99e032fe914ef2780f0dfc5376626f1fba564045a096a22490fa4fddf85b0e05a743540f92ad03bbc701966b6bc87971ec7ba20ae9328a2e232eca48e3e7328b1c558560abd2296ac07c4eb3adcdbf6fdebdb25631b7a9b7857ba597f026fc6ac15e7b9587c90f8fe34890093485751cc4721169f44813cc1b99f7559ef45830f689366cad664968affdc175bda18a1b0c62ec963a4647fd223d15c11cece364ca44cc5b8f042d1c49fc56d814d4944a9d4d46226ebd412ee1fd0d67b59ee7369950e32823553505bf1a269fdc33483f55dedf12674b537ab589e6e52677e43a976e9c5ed8b1ea3a25ce8046f992d9c8f763e1571b8784f43786cd79fb11416c34671cf07e55c731124e3b110beeb5d59f27be4173528c84b88075c210bc2379f4e49e69d12e26dc9149476dd30e64dc24d5ed5e01802193f5e5a6d0229b8ebc270da0a8db72d46a0e9dff2b0be5d71a70dfe05918a8876c315122235a76e6236684fbd5cf639755bbb563aa97f4c1ecefe48008d0eda68ebcfe7b503ee4ea5cab8a8155d9522a67a1b0ed30338b79990d4cc408a886f9c60bbc34ec6b2e5a72117221d893d8c257105feda2159cec5b1794d06a3dcce7de6f73091894996e93eb6414913aff86e554f46b76b9f58f6b023a1d59b05522e8195637cfb91d7fa1cc553c5b9c55e70b4fe46aa1ca32947ed5ef59c2d64312fcc6a87545d8da0afe67fac69a9d84616a0573e486a33ba84b4c84a080209619b96818457ffd67fa760cb13aafa0aa3d496ec24617c00ba07baee678f39fe3eadf4d54c03371c7e7a00fcb71733b94ae3182bb8ae1f08fff3bd1a4ddb9d84c665fd33c50d4dbb628bf6bc2639e136a8121fa442191a60a879cdf8813a9c33c1418b94288cb280afccb28c9a3fe156e6174a42ed64ef163a027ce816402a8e6f1658c45042b2ebf5ac33cd77da612db151621f2a9de9230cd1ef7bd6917af79b5f6f871d0d20ab8eb119c681bd6244c4412b7a72b33f3e75983d1f4a8d5f1f81c8e84a12c68e9fe347dfc0691919576a3f5be3b68dc5d264f007f307762b28db8317f76750c0e97346081c76f51f1011289b5fb95614a515f846619487055471791568f22c1358c54f5bdd72c51f32a14d240565073e25587f6c4ed8ed8b92b241d980cc53f3cead9b797417b9af3091c37f1c200899e4d18124186ede7a64e37992fdcbc7664840d7ab5ed9326cd88e458c2dbb6d541a7ba32fd881ed9b63ba07dcba772ba1ec296a005d873c3ef9d4da6005feae2ac59ff6ed42d81284cf771e3f24b48e1e2af3f3d0e951f824f17db3ba7642b657ce351c4b58904a3c185474ed4ab5494934057a1c7841ecf17a888fba8eeed1ef5bbaf93bbc9df9fdd7ec3569779b0128b40e5c44044d56821409ba95dc674a2381f10f2069c494782585d86c02f448a5e79eaf302ed89a39ed8bfe37ea5b363e1df3a0498e7416484f3bf27851c0350d633fbc601f4c367623fddd80b98eabdafda770ba9a393dcc910ed1a67738edd30c5af19920769e7e58db49008d5c4a930447ae87b7576906ef46c66c53c3e4fa5efd08fd18beab74f92f92b3544719d97f42acbd52825c6415b6c50d454895d664fcdd7fc8903ee964a83b4ce13a4e334dc323fc597f7c7b1deeb9cc710dafa5000c055b568e5648b594c60b6f36ce242991cec33a8cc85b16274fdc7b6df32ab80ae3854d3c676f442fbf8e9faac65d11afa998627c2dfae9cc810d72c8a397c2c6db9aad24143ede654a226ab0e960980928d4fff2de4fdfe38e52781ba19dcb6cb8dd5addb1b7b1d347c663e04594cd01fa86dce67dded5a09dc6ec02a8c52a49d947e7b9027fb293d1f0c83f1f47c702a617bd80045577ab13ef20a9c5a55bd8bad447471071aeed61e0cb27d9180e67aedc87cc96eb48546d3dd89fdbc5a82e49288345b125ca2659d6a5e2e36b510b22f650704d46f0fd748dc76c0b58657b37793d4823dbe20ebef8fd7cef33afd3d4b95e84ff24b9a600445af2506a80858a58610cd2cb956276658994090f187622c2dc99fd21e0e0f6beae2c1fa690e23984b7fcc2e2f64ded37803a9164fe426cd79dc3c1634059aeec2cd868879f4c4994a3d81088a9eaa98946e83bbfb8571d8f61cf612215654c894c80413866ebbe1b857b8727261bdd42564eec54227cfe0008106197fbc561c1fe7d66be4ed6ab5ff11d514b8ed50a90fa0478e6a270ec347610de52b69d249b397af991c2dd813d65ab168daf9273a8a88e4276ec489d402a28d0a4fabd42a194f1e1efbd488fca3e9bef3362494952d40a4bd95e6c415f3fff87e2ac381757026541503d61a80846f80081432689f61a93f2bb0a7b6c857dd3048313829d63ca81c318acaa8ad58bc8ec8886a0dd4b9278e3a07a162f21ab34c9be673fd675688e1ff0105487710182592e64c2ac37df0d141339aa62dd6ca8bc926179db0037702e4337cfad96eae78ba3b079d17271c2140f4aa73034b8c0752d6786184a53f286b816b905b6c2aa84c5cd91d6e129c5b51c915f42cfcee800f2d9a6ad2cfdc5880db298a39c5643ccfaf0aab4512618433a87835c83a5bc91087eb104967a8f6746f3d0be2eae809e5fd3924349f076fded5ae277bc3cb9bf7ad7c384f268d8aa49a512db1c5873a0b093201382b9c5194e7953608951e66c80d3cadefe9df38cccdac63b612352b493b903146ab0ea0b7d6bfaeccb16764ece527adef55b846f3a1b5d3b7042eb781e955682bdc8d55b2532081d30d1fec60587d8c30fc03b93f7e643d98dec140d2d5fcd3fe0c07ef5ccaf097f2d69526d10ac4cc514087f59034fa3e323af5792ede011d04cbf9c3a5b22c1a6aadee2d36277e99a29ff8ac33a33bf38d08f1dadadc81b16c58c3f3b3e803f9b8534539ff5cdcfe381f66c8d2ed02492fd2225a905c927e01d3667d246fa8291f9397f3f92c8f78b1a439210191b8f39e1b97ab0a0e558555a45374c65356906504ef85f957281860d7323d7eb37395abe8fddcb3056f7534190e8083ed595a6ea67d934f2ffb9eaf505631b2cd87191f21c7f7ccefedfb9d4cad7409d49e66db9c277c03351e5024b06695065469d5929003db4f4b173622c33da5a13399b0f3eae8138bd9cab4376439c34299abf45705ef5e6ff6f8f3029ad05083dc03077f185abbcc3619842c33729b19744364617edf7b23c19c605003f268a3f712b6b303c9e453274613f269476be5d9c490addb240d285cd6279f6392f636a44c94e84d2a5897fd7d436398cad48aabe7c96ff3f7ef5dd1f7b966c8dea2d9e8dedea4731d25c6258affafc92d03f643d48cfdb6f6db8f1a841c2e231419f1d740000000f46309b07466cf5ebd057b687016e4585d35c91f1605ee2086c46576eb0254a193ef7fdc676927ae839e5343551ec103c7b7319da32dac2077e1d31ffcdcf905	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "001800080DE7F9A1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

10fd1c7aabf703640bf16c35aed6a1507efbf6da46ab534d12b911fe307e0b28.exe

pid	process
4300	10fd1c7aabf703640bf16c35aed6a1507efbf6da46ab534d12b911fe307e0b28.exe
4300	10fd1c7aabf703640bf16c35aed6a1507efbf6da46ab534d12b911fe307e0b28.exe

C:\Users\Admin\AppData\Local\Temp\10fd1c7aabf703640bf16c35aed6a1507efbf6da46ab534d12b911fe307e0b28.exe
"C:\Users\Admin\AppData\Local\Temp\10fd1c7aabf703640bf16c35aed6a1507efbf6da46ab534d12b911fe307e0b28.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4300

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Modifies data under HKEY_USERS
PID:632

C:\ProgramData\hjgrsu\crea.exe
C:\ProgramData\hjgrsu\crea.exe start
1⤵
- Executes dropped EXE
PID:384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hjgrsu\crea.exe
MD5
6047ef3dc3006268a9406af1a7be63e3

SHA1
57602f69a5e7d855643b61e80ff32c1947cc6d64

SHA256
10fd1c7aabf703640bf16c35aed6a1507efbf6da46ab534d12b911fe307e0b28

SHA512
1e2ca97ab3e0edbbc44c89e6f854fcfb78a9b8927f8b970ac2971aa58a4011ab1cf1a66bc8efbfa60d30dbdd45df538e21e89ef876b410c1d66950ce8a4a4613

Download Submit
C:\ProgramData\hjgrsu\crea.exe
MD5
6047ef3dc3006268a9406af1a7be63e3

SHA1
57602f69a5e7d855643b61e80ff32c1947cc6d64

SHA256
10fd1c7aabf703640bf16c35aed6a1507efbf6da46ab534d12b911fe307e0b28

SHA512
1e2ca97ab3e0edbbc44c89e6f854fcfb78a9b8927f8b970ac2971aa58a4011ab1cf1a66bc8efbfa60d30dbdd45df538e21e89ef876b410c1d66950ce8a4a4613

Download Submit
memory/384-140-0x0000000005465000-0x000000000546B000-memory.dmp

Filesize
24KB

Download
memory/384-141-0x0000000005465000-0x000000000546B000-memory.dmp

Filesize
24KB

Download
memory/384-142-0x0000000005290000-0x0000000005299000-memory.dmp

Filesize
36KB

Download
memory/384-143-0x0000000000400000-0x000000000515E000-memory.dmp

Filesize
77.4MB

Download
memory/4300-134-0x0000000005349000-0x0000000005350000-memory.dmp

Filesize
28KB

Download
memory/4300-135-0x0000000005349000-0x0000000005350000-memory.dmp

Filesize
28KB

Download
memory/4300-136-0x00000000052A0000-0x00000000052A9000-memory.dmp

Filesize
36KB

Download
memory/4300-137-0x0000000000400000-0x000000000515E000-memory.dmp

Filesize
77.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads