systembc | a33bce78c3d2f661f520dfd920567413fdc6c9a213c3d0f6a574f0d9ffa6e6da

General

Target

a33bce78c3d2f661f520dfd920567413fdc6c9a213c3d0f6a574f0d9ffa6e6da.exe
Size

285KB
MD5

d1cd66d2dca341712b4c6e15649d4a8e
SHA1

8cde8dd0bd6271a55fb4de53713255d294ca1b80
SHA256

a33bce78c3d2f661f520dfd920567413fdc6c9a213c3d0f6a574f0d9ffa6e6da
SHA512

39c7be90423d291ea73ee08704024a741cd68e395f46de33d16d2e538a99f4ca58c35f998376814203606e634121fd973311a9621b77e0ab66afb144db32d1e9

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

advertrex20.xyz:4044

gentexman37.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata
Executes dropped EXE 1 IoCs

Processes:

aplvkp.exe

pid process

3896 aplvkp.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

373 api.ipify.org
374 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
3896	aplvkp.exe

flow	ioc
373	api.ipify.org
374	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

a33bce78c3d2f661f520dfd920567413fdc6c9a213c3d0f6a574f0d9ffa6e6da.exe

description	ioc	process
File created	C:\Windows\Tasks\aplvkp.job	a33bce78c3d2f661f520dfd920567413fdc6c9a213c3d0f6a574f0d9ffa6e6da.exe
File opened for modification	C:\Windows\Tasks\aplvkp.job	a33bce78c3d2f661f520dfd920567413fdc6c9a213c3d0f6a574f0d9ffa6e6da.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3416 4936 WerFault.exe
4296 3632 WerFault.exe a33bce78c3d2f661f520dfd920567413fdc6c9a213c3d0f6a574f0d9ffa6e6da.exe

pid	pid_target	process	target process
3416	4936	WerFault.exe
4296	3632	WerFault.exe	a33bce78c3d2f661f520dfd920567413fdc6c9a213c3d0f6a574f0d9ffa6e6da.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\00188006BE1393B3 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e0000000002000000000010660000000100002000000020ccc98a7c274f069fde1145ca7a6d7f213c040cadc1690d2a7abcc245c5b7c6000000000e8000000002000020000000f4cc4061781061aeb903b4d628e47023a5be3f23a980c83aab266961474de0be80000000964720f21f3577e343838bde2527a53558b8dbc5fe92b87826e00751b2e9a8a4643b923e30bdcbb9f5f92225d2e09ee4cd247227081b05a490d7fdc5ed980f7b054e0c1f1c7c4a01a28eb1d2c63df6f0304436250f465a45c013b3e5d65bbbfb5768de1bcabdf7e6ed8901f54fea1c54fc3cc71454e639be3f88b3988c3a02724000000087620720398bfea12acd0d14b54f864a8c0396b9b7b1a23b2e55d5d7534e56b4f0caac9bf5060cf67a9e8fefee308bc8b66e1abb2ea299572cc52a2147d7e030	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000a622d7dec47f2ef97cca6f1eb764a945890f9e04e2bcdfc6a01334e1c4a3d9ac000000000e8000000002000020000000adafb66a3e8c78d5bbad27e91bb09ad82bb4fb37243bd85caa98434da1803c04100d00000ce674e2dd300e47b0f3c519704ea29d771d730d744d39c7e97ea4ffc498118f888980cc4103896abd6a60d8166362abc11a7fa734ce8901fc9321b4c565b18c7230f0ab7de8d21df0cbd45c2740db9d4eb0897f069cd866e40e2234169e191cdbe81d09371ec7d4cad897074cd300a1e4bccc9fcb89e1f029faba287f1c2892d69c1faddef693acfaef2920b3e5d86fd051042384966d57bc5d4629ff613859352ed1e5139d14efd06cad83af832df18e2aa1d2d11841231ebee56c692c29bd2f7f607ea25505d2091a31d850c3a4b27a9ea7bbe28d1e2b68d94b28e834760fcd78db5cd001139333ebbed41b9e29b7817cea6bc0dd70c427c6db19fc29d531f77276a268c50cba1caa01eb9f9cb249240ff101d4990252d5462bd3cffe56676bf95bc954f27f08767e60ea586e6ed6c3c8e01d782424f5d7d4cd007c1c40c98a4fc4b8eb45f7546f12eb4ae1bd913a047581a1daf0d5f0cfe2ef6f1c1ab340907683fb37a3205f6aef7691c2af6c1aa05dab8f569b89114e6d333f990e9581f160ee134863252bd7aae2f553ce0306d6e62dbe5521aa7cdd52562197bd3730dd01cfaeaab20dbd75caf6f6a92a8676bb231da0cf3c52853f4db6f62e68b4951e3cdf4c137fd5a8643097e225b11fcac870bb2bf375f138cc2e147175d05cbf71a1e536c8d2ba8b38a23113446b54b13cc70098f665315b2fa68ec907b9accdcd08563335d0e4ca42e6f6031a013e6fa3578b81732628186b423cbbeb121cc9c4247b601a881126db20d7f11ce05961f1c05a626b180cf85fcbc401871a2561fcd5fa9c6e60b3c88f770b3e7998eb430b17bc242a8228b826e19a9c68c3fc34a7f892f24ff0255aa472d67cb736370689c73758e8bad6f505cacd9df064ecfc293200d3082a8658367ef61e0eb04f156735aea63c4b7ae3f992a5ce1d3fea07972e245edec094669fd305ddc734544bd8c1d50e65cafd31329e1546decc88e78b9a718389210fb5c743d2116b2af8f2c1e5e87811f8287417d11e56dd8d5e03189f2abdd88f9bcaaf673c93e4f13a7a6adca7e611f0d5e85b2af0ce34aa1ab54833ceac7aad9383c3449ef2a734b8bc28e60e251b6844576ef005c66069f74e888f574f86028542482821f3842f556f93532c51e28ce5ee6f67295d9391bab7dabc039d766a24bcfb95c260c31af59e92ce5c30dbb74a2238fffeaf8a9df6e60c4658bbc246d8406963412f3248e222fdbb4457726ffbf73b5e56e1a0280b3ec216e1692edff8a851a93fee94d698ffcb68442446037dd25dd55ae7c8be8381bdcc6a1f7598ee13026074fdc6688cf9288985f8dfb8cd043a595c35ce5d810db90528520541874a84b27570eb887077588f593ba3e790e1279ec8862cdc7263cab77a6d1fd6f09651f3c1508600162e748dbe3916957d24cbb5f992b5650e01a6beec1e8541476946b742f9fad41348ef3a68d4cbfa4b51eff4f20fa3361ff1708eee5cc7a0576fa908712bdd15d9818b5ab203b02bc87388b8dc019dec4f51e449b4916603a3e8c18380d3918c9a38dd9a98ab71693ce5d3c841c40f8e8d405d2bda0332f86d3ca88582f8371052c78fe1992400eb6bc1a722bb3317edacb4fbeec4a5a7096ea31df460576188f8468f5e7033d9b9ab7bcc5a52aa489891759f0b2c006804880820d1ecfeb224e44b24466e2bfa8f933a8ce234472d0f12b2aecef7dbf9186de62f5c3f86fd198813c99c153870f5caa2f513a8a600011e1eeb46f8a59e801c4ae35e4eaeff76cfaf38e815cce493b9bcd8bffb88734bb52344fc850f31b904b44be8986605cbead616f76cfa1cbc364a85e84eecd525ed884e60f5ee2c9cc597d278033334b5a557f3c83f6af478cdbaf294447e9594464bf8fa37f69c2f3ed2a8273dfbd75fb29c3daac9df5b041f07978284067ec03d795de7eb1a91d631769c79d9ef430940e6063f82a5bdf89feb6f97c0ada63927e9b6f7d33f3cd636487dc78b40a8bc12abc31f8f148992bb662fa19e3e04debe0a472181b112c1f6d09e5c51aafca630923a14b649fcede605695d47919d5f754190559afa67698acf585c8a748a8b993058849b1dd88e1c4d71d7fa3229e809a46aa47ad30ac028ad1b86ad78c7e4daf5bf8ac4f992e7e6be0872424f4e13430acc53ff563ca2278c09b581e9380607f1a2e667199a97084bfc5928a2907988c94dacf10c3e0f158669d39a836ff7c83e3d00bff64f988c0483e4c9d92cb2fba6d7ede15f057aebe386c2bdd0447d5dd485d1cbba04d6d575998786aaad6120e851479eb4827e48f319e7f45a6cbb549d7912f09c5b35c42d522119a98b0595d531621bfbe283eeb4a47da8e92a3207c1e7feb1fdef6b17645927b0fa5bce070b9e38c2a77fbf163fe3cf7d35fbc0f36561593a70652d83d34c8176c9dcca0a4d4dde3604a719ede6c5e9d7c9b11e68425e29153b3e6cba0f282925258573e84c7c93412e693004604e09cc57bf986fd414c8764192298e217272d8de831e44f0adaaf201e94c2f9b2c48b0c09895749ebed1763d7ba2bd875159e7c337cf61a54bb126db3612ef55a5ab04c34eda37dbc79eff2510e75b878b5898b37fccb0353c769efa14a02bb3d8cf5cbe3953c49a6c163ba054357c841b79b94b284268af9e1f894c77eab5db692fb9d79e054cd98561a6d446f7f90dc2c0d11e37ea7024e28a3c268d12c6fe5c082c93043e587e2bfb9f5d8fc60bae5138a23b8fa86aafda76da47e51baf9a5b87b1942f74c7173f50196c054f7981302b9892074c7f4220d274f0fe05665628e61448a78272222685bff7db4fe8e04c8cf3b19d05fdbc6263ea6687e8115cf0663aea8ff08ac33d81754c58ed59dca72695318db2b5bd37cfcce725f22931067774fc727dff23ed2d2114d5c9b0fa4e6013ae0ad70d552b64ec32153736bd64461582663430f497e770343e7b30c33a1ea9b60b3ba4d736575325364c041654421809251427d67d7e8513145f3c131438afded6419fe288450df552072804852ef0c886fd5a239fac2e7bdb82bd52d9e50c7f6e084be20e790a3f72780a35ba439e2784e2ba2b740737dea70c17d911ea42701d223318ca80ec7b258a4fd30aaa9b4ef60e77c3a876a4a9917a3db5e012abd5f4f8e1b94f831ab83b0e02d55b9aab5bd30d3fb4adad97f5aad05a0793931cb84861099f78c114b82bb1cb58ce31899b25f7ef789286e621c9b4bfe4ff64fd2d4cae66590453c6db76c7cb0008a06691f20572d2cdd7d2c99062fada92c3ed5e31b33b9cb91a7cece2142cf44ea31516f60ed49d113bcb70ded32d764470d0d8216bddbac813c43501898ca5f00d81705e929187ff8cd5e9d76f37433801a0c8e0eebc655f3aae072faaa1512195148f228bad398f0964f7493137e1e63570271393ca2ece011eca2dfbfc584f5e7e161d9c7ebd22e15da771b288efabd9b65757464693485d2e311b494aa83d960ec3f49e728efa4b23442178577d036f61edc8418f6c7875113dcd40a424ae885c3daae0c9960da05321a3d782045e5f466444e4df48d3128593cbe0ab7d924725770d3e230f4c4d95217a3c9ea7be25c3b37d18607b92c44114c26a0ff29329124a3e439b2d4c0256b8d4cb9c499fe97f51bfeaaec18ab93821fa560000139b114dc2cf23dfbc88017f9d79e183faed25c45b4e7862f0f99667bb80e9836eeb5c3cd544799429dc9f01e512a5839a622e1bcaf4e5d75e9e6f93eda678fb23a9732cdbf9141b3f30e8782c4e99478bbb1cede5c1b0a20ea73f3678d0d3960a4f31b462d1fb83e54f3ba33cfd75f1888718efb4b74712c50c71dff22a859779770b3ba9967deed5d99b72d1de81d9eef61975e444515214bb008b30bcdce1920252bf8d465683d1fd3870ae069cbbdacf5346ba7ac172225119352a484b6100bf41e9f2d9b0bfc5147063f78f6786c9356c733e0a771b4d4f861e5b6bb9e26b15c154b71f6b5ef853bed90731426fc6fdbaae5abc99af3320919086517c7eb644acfa7990e53e3fe266ced0d2275f3ad08e38ecece0b1d98dd2fc6995e107efbfc6ae59cb0a1019cb2d71c65a220d1da52e115d532e9048ed294585ac6b627a271bfd07cdd079ded919e11c50194432287cfc717737096d5cf30732a0f8f7f1a5b96ff5462655a6787aca87dcbd0aecdf36de05a70e3086a7d56e681f58dc23248d2f2ce6038ac59333f2b9004614f123881d653f9274b28f20bb2530272c40b072feb9fd5f1451c2ea71e9b8f33606a21d1d35d24c1bbe67f83e255b3b7fdbf4464b1b06098eda701332c4648b744bdfc588c9859a160ce439d10483a1729033ef380edc6f773b9d4e1da81015c94753c83bcd35503739d4288b7aa4fef476990813a49d1b9ea192df099bdedafd1b83025c35de84029c989fc5f153fe66b6bb98fb95978afb956312e0008aa632eb314e5578a560c2e29d926cf8cb9ab0eff2b231f18a0ee137bede79a68c178d9bd52dfa477a3ca007e785d8a48367513a818c878676ef4f1336c7e8b9dccd8b6db756f1f1fdc6688821005becd305fb30ec1dbc0409b40f01be0888144af141d709a6b6005ddb7862a04d4e5952b004a5c98014c7f63b896541c6ccfdcca505a89983f8d771d4a9ce800f3e28d981fdb81fd8703a5e505c2f3d7380dce0c15e06492b0327bcb02352e79c46aed4ff2ec17b98a4b8032b004000000080fd78fc102a99d505b0fd008377263e73c66eada2b67419bf5c6140c09c9cb9616d2a63c76979965651c66f8f169d0c673f129e4cd82dd735138f35bed68246	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "00188006BE1393B3"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a33bce78c3d2f661f520dfd920567413fdc6c9a213c3d0f6a574f0d9ffa6e6da.exe

pid	process
3632	a33bce78c3d2f661f520dfd920567413fdc6c9a213c3d0f6a574f0d9ffa6e6da.exe
3632	a33bce78c3d2f661f520dfd920567413fdc6c9a213c3d0f6a574f0d9ffa6e6da.exe

C:\Users\Admin\AppData\Local\Temp\a33bce78c3d2f661f520dfd920567413fdc6c9a213c3d0f6a574f0d9ffa6e6da.exe
"C:\Users\Admin\AppData\Local\Temp\a33bce78c3d2f661f520dfd920567413fdc6c9a213c3d0f6a574f0d9ffa6e6da.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3632
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 484
  2⤵
  - Program crash
  PID:4296

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Modifies data under HKEY_USERS
PID:4340

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 452 -p 4936 -ip 4936
1⤵
PID:1476

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4936 -s 1596
1⤵
- Program crash
PID:3416

C:\ProgramData\tmkehkn\aplvkp.exe
C:\ProgramData\tmkehkn\aplvkp.exe start
1⤵
- Executes dropped EXE
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3632 -ip 3632
1⤵
PID:4620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\tmkehkn\aplvkp.exe

MD5
d1cd66d2dca341712b4c6e15649d4a8e

SHA1
8cde8dd0bd6271a55fb4de53713255d294ca1b80

SHA256
a33bce78c3d2f661f520dfd920567413fdc6c9a213c3d0f6a574f0d9ffa6e6da

SHA512
39c7be90423d291ea73ee08704024a741cd68e395f46de33d16d2e538a99f4ca58c35f998376814203606e634121fd973311a9621b77e0ab66afb144db32d1e9

Download Submit
C:\ProgramData\tmkehkn\aplvkp.exe

MD5
d1cd66d2dca341712b4c6e15649d4a8e

SHA1
8cde8dd0bd6271a55fb4de53713255d294ca1b80

SHA256
a33bce78c3d2f661f520dfd920567413fdc6c9a213c3d0f6a574f0d9ffa6e6da

SHA512
39c7be90423d291ea73ee08704024a741cd68e395f46de33d16d2e538a99f4ca58c35f998376814203606e634121fd973311a9621b77e0ab66afb144db32d1e9

Download Submit
memory/3632-134-0x0000000004820000-0x0000000004826000-memory.dmp

Filesize
24KB

Download
memory/3632-135-0x0000000006410000-0x0000000006419000-memory.dmp

Filesize
36KB

Download
memory/3632-136-0x0000000000400000-0x00000000046C8000-memory.dmp

Filesize
66.8MB

Download
memory/3896-139-0x0000000000400000-0x00000000046C8000-memory.dmp

Filesize
66.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads