systembc | 4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24

General

Target

477079b5846088b1e126ae08735d36c1.exe
Size

227KB
MD5

477079b5846088b1e126ae08735d36c1
SHA1

8f26d9582fa44498f7a6abb17e45554ca115ab79
SHA256

4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24
SHA512

2520257f0a333821d0f39f4db811b422c8cb1d48869a237c39d40fbcd3c49822e17d48d9c854daee807bae2b9b0c2487576e93ccdbff947e82d9cd537c3f58c7

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Executes dropped EXE 1 IoCs

Processes:

vjadn.exe

pid process

3272 vjadn.exe

pid	process
3272	vjadn.exe

Drops file in Windows directory 2 IoCs

Processes:

477079b5846088b1e126ae08735d36c1.exe

description	ioc	process
File created	C:\Windows\Tasks\vjadn.job	477079b5846088b1e126ae08735d36c1.exe
File opened for modification	C:\Windows\Tasks\vjadn.job	477079b5846088b1e126ae08735d36c1.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\00188006BEA999E9 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000eb87e56ca3948d82bfd65de9f68cff5fea0e2bea5a0990999157cd8753b4cbd4000000000e80000000020000200000002997620379d929faf573bcb11255b62c6b5489914135df2da2e79cd10d7eb61c800000003975e06e95ce7243ededf48b4fb5a22dbb4780450ac036454a15f6edf0e93fb6db121f2b66b1ba3f01884ef9e5b50731f1936cdcc30be52167acb45b800365a2811f545d626526a8c1fc963b712b030ffe6501aba96ba05e9fe166ef60b998601f96e6c121fc78c523acad958cb8667c9040a59dea74427d4395b7e593c11d504000000036210585f08628d8bcc56661f68bf5bfed7327a49c6711338b8b11e194a887d17ccd80c3b5318c64c96f5b7054aa2723a50bb62449d75ceb7bcffee93abbadd1	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000ce7587561b1486c4931caccfaee4f3c7058f22aeac13d939220c832596e8dc5f000000000e800000000200002000000046a6ca1fb4411b929d7e051d3d1ed281fd64cd46bd6fe3045348939a2123e9d5100d00009c2cb1b5baea3ecbaca8518d774c3c782da774761b0e455130573693f71ef7e7c899a9c8b8a9a932df0c481032376ade3ee50cb7298f37d4adfec3f74c1d5c60866c4bb745de2bab745cc5e0786a0e875d54e395c0299dcba6879373fd139b86de631f3164f759ad6ab52853209a7400536f3d7751901ea3fa55287720d7869a871fa48df9909607f7e34286f8e428156bbe2ec326f8f213a1f4020b380a4460a5d2d9f07c4f70fc3a65cfec9888ad69793e12a9f0045b3efa5c676701b562f90e06242fa39f990556dc17508c05dfaebc05e79debf8291c3ad4a3c7b2b85d7302658bcdfa402bbe28ee932d94c6240179c4d94b2fbd2a45cdea80db33772fa16eaf7073dc4ccf2d7823aaf9835485c8ebbff42f13ba2b06ac37e6f9819b3c64ce0ae16b6f98da5c96e7a75fe2c8be555b1b8360e4dbc2f104620105b498f80042ca1304661aee999d97f5d4066c470f5ad5964ba517f68d842f474b9101a5c329860435178f2377676a7e9759b9d51fa23f7d64925871e32630cc75b994732c30a1f9f707fda430e96ee1ed81daa74abb5c07bbb4c893f061910789e7793bcc0cb33d97658d318a5b53bafe65e1ceaa4fa6c062bcd56d07695f9838921cf0c905a254bcf99a19c6317b921a4d9e76f02caa24136a3b26939e308e27ec2eb84a75be28871bdd560083f74574b160bcb00f761277f7e7ba975294582edbc0ab6d91efcf7895a3f0ebe821e27395d125043f33435317025d1742b97fdde2b644c8b92f6d1b393aae5b29434422dac0dd402d84331cbf351d9f09cfab8fbd941ce0456a4938e9562f826f9ca58c2b4ab67457db3ba9a23149894d2520a4499a9c11456ce81642d18f71814f0d6ff9590d2c009d1844decaefcbe24101b7570c710395b6950db25695d41f8366d04c4fa4743882fcfabca1d987a794afb3a2a81a7d2b7ce0104201a6a5d715580baf85f94ac1848d8fbb315d505ae7186914d9358309070b4fb88827a3bbf736fdc213e81d6315435fece2dd3df065aa7db7e612654a716099372aa680b3f116590801e65f7099b53580324c637128f7f831e768339930fe7407f5af9afd463f53195a5450d0303bff76317e09c33f62928c5a8630f65169c4fd857d26ecd30d236f95506bca8771b4ddd824d2f6e2139430d7eb98479d19ea3f25e7235527f3cde8ed1fc91fe97ccbb6e050fff18d239e580dc25510582ca7b8013bebdb9d28be50d137745f378e79bee6523c39132530c610926c8fecd5cebd4ed0abe10bae6aee4cbfcce8a806e6352129a54445f84cf1a2ffa57563274ca089f535b0277bf9c9f4507067d6b435b8f547fd75901aaa8842a42936d6cd55452ae1a93bca2c316ba5cee164230c4cc5bdaa6aa6e527f77a36b6fdc7f7997a60cf25510080c447e91bedce847c4cc2582d6bb172b0c8a61cbef7bea30206728fd8949b3a6f4f98cfda013acf03125448f7d28e0b6598671e44a5b3c9c4951e4712d7215efb852ca952dd52a0933377fc35949c44ec7ac2b37edeb8b086ec04b379900b275c8741598031a9f7f026697caa5db0c4fd28d912f5d29d4fc05742f323e6c47993420eb384c9a35918ef18bead908ee4c5c3da200130d98377a840fc2c31eadb7e96f0e7f6ab3437a7030c9be89f2d7e334fa83f4e163acf14453f70005c70cae72235b6f657ecebd67aef73901a68aba476f5ca205c2ba1d02d9b7fc3918edc326ba45bdb51cbe0b86cd8d054fc4940ef355a00d490b4a555c6481a65910334f259096eb875f3c5f31876e0daee93d7ec2727808947bf474b6addb980f6c0509425591491cbd5378d3890f8c8361b6046541bccebcbe59cadc0c92c39c952810f00caed22857193c8a9853fb599c145dfb505c616e9e674d60972e1d759edb61ba4c23a24a0d41ffdaf081c88f83adb0898f963c4f01129fb673191198863faaa6ed0d71f22e2e317156208a793a4bd1342916bd0aa4eebf010832b1f47d2e93aa16c1bbc44073b975c96558bc7907b19e550f7e25ed3f03285d8454250ba9b1f2d7904d03e00cd598747bdb283f81f242e09f0dc94276a070c0767cbd3ee5dfcca8d30c9c7e179c3c25d25dbcdf579a7e558eb130640a1113d77b88f6acd3286f87d342e5671b4beedbc43cda35b78b126e22b6b2e6dac5f99425916b741b38143425707cd71d4ab40246684bd710b7b25562801791324c21dab8881df4b3c68821116753a388818b276c479e82b61e4781d59de9c5cbd854409bf55a7a306dd545bb0c895859c987fdd9c22860aa96d499cdbe4477a8693a231ed98f0df0d2d931cce85097fcd2b76939afffe7489d423daa863bbfb63d56200d21f649dbedba8ddf9a6eb9ceb9e2ef15f0fb39220b10cf1e044b97e32613bb4f540a5c2c76064241545b24e634b015a5ed934f3e3535af065098b5b23572a3c3fafdacbe8318cade1891b7bfbfb8bb09994083789c92e90cc0fc43fc40d1ff93e41b3c9192d36b6d6a2266641bf53e4038bdb7b5f4adf8d6641e0b86e9a10d52b4b30fd11c0966b3a3d673e2d322d0219174cd98ff451517df890e80554c446634d37979318cc758c33277455dc46fef59611e3363921312900ee7ab40705f916054d0742a8be858004ca221214f99c94625f922064e555957227be766191d28ebe40e8de347070c1d5e24e2daf3b43a11d227cce94d673672f66b8c28b626eb52e9a5203fc841e5ce28a5b90411ca829532485a820b517a004d870fd2243d93b3fc6569194c985f86127b5fe144f704c2a976c67deddf4b5169fdf6f71ebfa655c31ad0163960aa746d474e8b0a7b07a789f441d99700820a8eeb809968250c3b5c958225036be883b4a3338ae53ae4019a73777f4bf83ccb271ce2f5dfa320f17d2876220e087766502492afe85a1aa26777788eb39af6a2953019654943427d583b984ad5441903157b6aa3c45e06de4ce05d613994d715185793276297080e47c8047eed6867b5d656ef8ce58abd0e9902e6fa3cf933c961d009dc68e80cd11cb2ee138fb07ae507c27651f5b46f12b647ec51c080b35772586ef7dfe4a7eda5a68773310068a19d858a77c51bfbce8913be2669505dc45d247527f566e555c07715181b1cbee0e007e5a9558b8acdd8843a0b0bfedeb9893fd001b0366222cc0639d0d524d5e5cb88e3a1b57d7d152f88e3a6a4ec662176b00dccbe1f43b1741938d23f70e3688758c25be7070043e1a6513045b5580568928ebb2da12ccf5eebf40a6eca92082d57617303965f32389ea7f62503011d6d3400df8ec9467dddcbca32ab30caa069cb5bd9c35bef9288110340b65ff249c7833592d0e9177ad925dc782bd3b597f824ea38ef8ccb55b3679668b2cc7443304bb965f55eb51a97d0014b2dd4a69957462dcb46ee8d173ed70dc178a188e652fce4d9d4f3d5ff18e56e7ba5d7a644fcd0b5db76a2b693b6e015598d6833194e12fad018ff4ab042cc9a133241bbfe6f7c910c6bc95609687386a569a8351a5f51eb59ec71e30037c81035da81f1991929da6f0acd089dcb56f42c7d5f790138a79ec9e23634718b72edfc5adcaa699593cecc871a1b173d93e1f3aaff3c6f7a429ec8690cfc3740080fee205f273740ba01e419a4506e37df37529f78a7527684f6782f221c621e3081d57d51544592d0a2ed700a7ea5678984b2955b423230e1a0cbfde686e2d15c418e64f2dcf94038a4ef7ba5e6574039cb76439f8c364796d5467fb5a1bf88263a0c3e58c237f34774246562f3aced4bdad77d52c50602f05c29d15d44f3325cdd1794c316d0524e41ca2fb78b633c9d29b5b3ccf7f84c3eebba9fa6c70bf17deaba5b725fcafe49800e74aa27212dfc9bf9ded1b920c3e303faf9dbeb90f76b670dbdc8e57c27c776333ecdd362f9772f0259b6c676c08817d93a3e1b67f663c4a6ea0e0c972983186537d6121089b787d2520cb403748db746c2a48d39d850bf49b971e918bdb1d4402b3a5b46eaf559adecc9ee99bca143ca9c6d4ec6d38b4467cb6d9ea4f2b31fafeb2c854b9a50f08bf6c8caf2649fc1ab914ddc0a5763e0cae58af21faa6aa90b877e3ca2b497b560770fb76a386fa0caefe88e01cc82650d9a094ec5af1a529b5ac372abd49c8573de6f328ca3e1517e8c97720dc1653cf0b71250a1e5fb7581c64d154eb215fdcb5c5c596bf891dce923a5d711048e7a643ea84f2a506dc1a0f39fc776bd573395c644aef6a6ac06fc006097520c762af045870d64122480438d3e8f7bbcba0c1fba790e05398dd6690c1c4411965a35e3bc8e8a32ced6ef7ad7fd7e6606ce876fa1590798b202aa9ec2a30cca398515203a189b086e1c8e3a3d301fa538696b129d4cf955a9a77ec63050b4ac24ab5887e58dc21c3007fd0e4f5dde00e045b8dfa9c339c6fec863dbd71e0bdf006e0659589b4360fc6a8c02bab7b67a9e543f3f2c1a10275e38b5a9e23f52a1d800b7006e390d56f71732086f29e002771b09bf37dff83562f9bb430d8b3c16c00c657e3df139364c3535d345f1f232115ae81252043807fcc8ccb90e798fcb55661ae6ee51bbd9ef47a29ee8aae3fa8b0ddd5f65b6ba06e39e3e6a01b4a22267791ffba1de665a9385a76cccfcc630295af86dc34321f1b1674705ea01ef09e158e9c77ddaa623a3b327927c2391266cdb1a1596e3f7c322603b91ccdf62e048a789a9601c3663915974000000010876647e15ef4aad35626f0b85721344c1e3cb71c3183df49520386b0789e40dcf1f1b35daf64415284708073a7ec295d0d213c935bcef3762dc0e5ae288313	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "00188006BEA999E9"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

477079b5846088b1e126ae08735d36c1.exe

pid process

3104 477079b5846088b1e126ae08735d36c1.exe
3104 477079b5846088b1e126ae08735d36c1.exe

pid	process
3104	477079b5846088b1e126ae08735d36c1.exe
3104	477079b5846088b1e126ae08735d36c1.exe

C:\Users\Admin\AppData\Local\Temp\477079b5846088b1e126ae08735d36c1.exe
"C:\Users\Admin\AppData\Local\Temp\477079b5846088b1e126ae08735d36c1.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Modifies data under HKEY_USERS
PID:640

C:\ProgramData\blnq\vjadn.exe
C:\ProgramData\blnq\vjadn.exe start
1⤵
- Executes dropped EXE
PID:3272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\blnq\vjadn.exe
Filesize
227KB

MD5
477079b5846088b1e126ae08735d36c1

SHA1
8f26d9582fa44498f7a6abb17e45554ca115ab79

SHA256
4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24

SHA512
2520257f0a333821d0f39f4db811b422c8cb1d48869a237c39d40fbcd3c49822e17d48d9c854daee807bae2b9b0c2487576e93ccdbff947e82d9cd537c3f58c7

Download Submit
C:\ProgramData\blnq\vjadn.exe
Filesize
227KB

MD5
477079b5846088b1e126ae08735d36c1

SHA1
8f26d9582fa44498f7a6abb17e45554ca115ab79

SHA256
4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24

SHA512
2520257f0a333821d0f39f4db811b422c8cb1d48869a237c39d40fbcd3c49822e17d48d9c854daee807bae2b9b0c2487576e93ccdbff947e82d9cd537c3f58c7

Download Submit
memory/3104-134-0x000000000077C000-0x0000000000785000-memory.dmp

Filesize
36KB

Download
memory/3104-135-0x000000000077C000-0x0000000000785000-memory.dmp

Filesize
36KB

Download
memory/3104-136-0x00000000006D0000-0x00000000006D9000-memory.dmp

Filesize
36KB

Download
memory/3104-137-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3272-140-0x0000000000759000-0x0000000000761000-memory.dmp

Filesize
32KB

Download
memory/3272-141-0x0000000000759000-0x0000000000761000-memory.dmp

Filesize
32KB

Download
memory/3272-142-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/3272-143-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing