systembc | fdd7069cdc8a066739331213b2076f2ca6acd0e97070f5d1e4dbd9d1b756a35b

General

Target

09a5565e828aa3da2f70b21cbc21b08b.exe
Size

372KB
MD5

09a5565e828aa3da2f70b21cbc21b08b
SHA1

fbdb5431f6373262c69715c1ce3b4eb691c16714
SHA256

fdd7069cdc8a066739331213b2076f2ca6acd0e97070f5d1e4dbd9d1b756a35b
SHA512

236897b15b20214eeb42e10a171a77cede6a7c29cc1295255c4f69c3fe53d2623fa4ebc3ae142d1fb2a28f0527d7245ecd7822f9b9a8450de1af875eacbd8a64

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

135.125.248.50:443

146.70.53.169:443

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

4715676164.exe9378610649.exe9378610649.exe

pid process

1004 4715676164.exe
112 9378610649.exe
568 9378610649.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1364 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.execmd.exe

pid process

2008 cmd.exe
648 cmd.exe
648 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops file in Windows directory 2 IoCs

Processes:

9378610649.exe

description ioc process

File created C:\Windows\Tasks\wow64.job 9378610649.exe
File opened for modification C:\Windows\Tasks\wow64.job 9378610649.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1928 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1928 taskkill.exe

pid	process
1004	4715676164.exe
112	9378610649.exe
568	9378610649.exe

pid	process
1364	cmd.exe

pid	process
2008	cmd.exe
648	cmd.exe
648	cmd.exe

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	9378610649.exe
File opened for modification	C:\Windows\Tasks\wow64.job	9378610649.exe

pid	process
1928	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1928	taskkill.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

09a5565e828aa3da2f70b21cbc21b08b.execmd.execmd.exetaskeng.execmd.exe

description	pid	process	target process
PID 1748 wrote to memory of 2008	1748	09a5565e828aa3da2f70b21cbc21b08b.exe	cmd.exe
PID 1748 wrote to memory of 2008	1748	09a5565e828aa3da2f70b21cbc21b08b.exe	cmd.exe
PID 1748 wrote to memory of 2008	1748	09a5565e828aa3da2f70b21cbc21b08b.exe	cmd.exe
PID 1748 wrote to memory of 2008	1748	09a5565e828aa3da2f70b21cbc21b08b.exe	cmd.exe
PID 2008 wrote to memory of 1004	2008	cmd.exe	4715676164.exe
PID 2008 wrote to memory of 1004	2008	cmd.exe	4715676164.exe
PID 2008 wrote to memory of 1004	2008	cmd.exe	4715676164.exe
PID 2008 wrote to memory of 1004	2008	cmd.exe	4715676164.exe
PID 1748 wrote to memory of 648	1748	09a5565e828aa3da2f70b21cbc21b08b.exe	cmd.exe
PID 1748 wrote to memory of 648	1748	09a5565e828aa3da2f70b21cbc21b08b.exe	cmd.exe
PID 1748 wrote to memory of 648	1748	09a5565e828aa3da2f70b21cbc21b08b.exe	cmd.exe
PID 1748 wrote to memory of 648	1748	09a5565e828aa3da2f70b21cbc21b08b.exe	cmd.exe
PID 648 wrote to memory of 112	648	cmd.exe	9378610649.exe
PID 648 wrote to memory of 112	648	cmd.exe	9378610649.exe
PID 648 wrote to memory of 112	648	cmd.exe	9378610649.exe
PID 648 wrote to memory of 112	648	cmd.exe	9378610649.exe
PID 1016 wrote to memory of 568	1016	taskeng.exe	9378610649.exe
PID 1016 wrote to memory of 568	1016	taskeng.exe	9378610649.exe
PID 1016 wrote to memory of 568	1016	taskeng.exe	9378610649.exe
PID 1016 wrote to memory of 568	1016	taskeng.exe	9378610649.exe
PID 1748 wrote to memory of 1364	1748	09a5565e828aa3da2f70b21cbc21b08b.exe	cmd.exe
PID 1748 wrote to memory of 1364	1748	09a5565e828aa3da2f70b21cbc21b08b.exe	cmd.exe
PID 1748 wrote to memory of 1364	1748	09a5565e828aa3da2f70b21cbc21b08b.exe	cmd.exe
PID 1748 wrote to memory of 1364	1748	09a5565e828aa3da2f70b21cbc21b08b.exe	cmd.exe
PID 1364 wrote to memory of 1928	1364	cmd.exe	taskkill.exe
PID 1364 wrote to memory of 1928	1364	cmd.exe	taskkill.exe
PID 1364 wrote to memory of 1928	1364	cmd.exe	taskkill.exe
PID 1364 wrote to memory of 1928	1364	cmd.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\09a5565e828aa3da2f70b21cbc21b08b.exe
"C:\Users\Admin\AppData\Local\Temp\09a5565e828aa3da2f70b21cbc21b08b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\4715676164.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Local\Temp\4715676164.exe
"C:\Users\Admin\AppData\Local\Temp\4715676164.exe"
3⤵
- Executes dropped EXE
PID:1004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\9378610649.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:648

C:\Users\Admin\AppData\Local\Temp\9378610649.exe
"C:\Users\Admin\AppData\Local\Temp\9378610649.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "09a5565e828aa3da2f70b21cbc21b08b.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\09a5565e828aa3da2f70b21cbc21b08b.exe" & exit
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "09a5565e828aa3da2f70b21cbc21b08b.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Windows\system32\taskeng.exe
taskeng.exe {8D2A1A27-70A2-4258-933A-50570D68468C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\Users\Admin\AppData\Local\Temp\9378610649.exe
C:\Users\Admin\AppData\Local\Temp\9378610649.exe start
2⤵
- Executes dropped EXE
PID:568

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4715676164.exe
Filesize
84KB

MD5
bd36b140501a2597a130c5d1a6105626

SHA1
ccb488217d9d32334fff09b0fb3d857e3ab4da6b

SHA256
1eeba0022aabfde029387b14ee7604186c8fcca857f6cd67d130df4248fe996d

SHA512
882f986e3a1f3e7d4598d9c74168076599518bc59410ceffb8c9f6143cd8a2cd72b13b584a73e12a67d43901891377dc51fec9ef649f032f1255f4c9f410f106

Download Submit
C:\Users\Admin\AppData\Local\Temp\4715676164.exe
Filesize
84KB

MD5
bd36b140501a2597a130c5d1a6105626

SHA1
ccb488217d9d32334fff09b0fb3d857e3ab4da6b

SHA256
1eeba0022aabfde029387b14ee7604186c8fcca857f6cd67d130df4248fe996d

SHA512
882f986e3a1f3e7d4598d9c74168076599518bc59410ceffb8c9f6143cd8a2cd72b13b584a73e12a67d43901891377dc51fec9ef649f032f1255f4c9f410f106

Download Submit
C:\Users\Admin\AppData\Local\Temp\9378610649.exe
Filesize
946KB

MD5
c65326b66f8e1799d3b4b62ced8431ad

SHA1
2435632e756173e92a1f14e10573bdc32895a6c5

SHA256
c72ce273124fce08bf9dd61845a78651d7ba402f9164f117f4d6d0ad5d0212ba

SHA512
034b09c7f3bd8b2dba0f3aad38d96db03d9c23c09b36653014716088c5829b40d1255c0b7c8880d9ec19a342132be2ddbac88c6b4bcea31c44643370f40300a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9378610649.exe
Filesize
946KB

MD5
c65326b66f8e1799d3b4b62ced8431ad

SHA1
2435632e756173e92a1f14e10573bdc32895a6c5

SHA256
c72ce273124fce08bf9dd61845a78651d7ba402f9164f117f4d6d0ad5d0212ba

SHA512
034b09c7f3bd8b2dba0f3aad38d96db03d9c23c09b36653014716088c5829b40d1255c0b7c8880d9ec19a342132be2ddbac88c6b4bcea31c44643370f40300a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9378610649.exe
Filesize
946KB

MD5
c65326b66f8e1799d3b4b62ced8431ad

SHA1
2435632e756173e92a1f14e10573bdc32895a6c5

SHA256
c72ce273124fce08bf9dd61845a78651d7ba402f9164f117f4d6d0ad5d0212ba

SHA512
034b09c7f3bd8b2dba0f3aad38d96db03d9c23c09b36653014716088c5829b40d1255c0b7c8880d9ec19a342132be2ddbac88c6b4bcea31c44643370f40300a1

Download Submit
\Users\Admin\AppData\Local\Temp\4715676164.exe
Filesize
84KB

MD5
bd36b140501a2597a130c5d1a6105626

SHA1
ccb488217d9d32334fff09b0fb3d857e3ab4da6b

SHA256
1eeba0022aabfde029387b14ee7604186c8fcca857f6cd67d130df4248fe996d

SHA512
882f986e3a1f3e7d4598d9c74168076599518bc59410ceffb8c9f6143cd8a2cd72b13b584a73e12a67d43901891377dc51fec9ef649f032f1255f4c9f410f106

Download Submit
\Users\Admin\AppData\Local\Temp\9378610649.exe
Filesize
946KB

MD5
c65326b66f8e1799d3b4b62ced8431ad

SHA1
2435632e756173e92a1f14e10573bdc32895a6c5

SHA256
c72ce273124fce08bf9dd61845a78651d7ba402f9164f117f4d6d0ad5d0212ba

SHA512
034b09c7f3bd8b2dba0f3aad38d96db03d9c23c09b36653014716088c5829b40d1255c0b7c8880d9ec19a342132be2ddbac88c6b4bcea31c44643370f40300a1

Download Submit
\Users\Admin\AppData\Local\Temp\9378610649.exe
Filesize
946KB

MD5
c65326b66f8e1799d3b4b62ced8431ad

SHA1
2435632e756173e92a1f14e10573bdc32895a6c5

SHA256
c72ce273124fce08bf9dd61845a78651d7ba402f9164f117f4d6d0ad5d0212ba

SHA512
034b09c7f3bd8b2dba0f3aad38d96db03d9c23c09b36653014716088c5829b40d1255c0b7c8880d9ec19a342132be2ddbac88c6b4bcea31c44643370f40300a1

Download Submit
memory/112-71-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/112-67-0x0000000000000000-mapping.dmp

Download
memory/112-70-0x0000000000290000-0x0000000000295000-memory.dmp

Filesize
20KB

Download
memory/568-75-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/568-72-0x0000000000000000-mapping.dmp

Download
memory/648-63-0x0000000000000000-mapping.dmp

Download
memory/1004-61-0x0000000000000000-mapping.dmp

Download
memory/1364-76-0x0000000000000000-mapping.dmp

Download
memory/1748-56-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1748-55-0x0000000002C6E000-0x0000000002C89000-memory.dmp

Filesize
108KB

Download
memory/1748-57-0x0000000000400000-0x0000000002B7B000-memory.dmp

Filesize
39.5MB

Download
memory/1748-54-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1928-77-0x0000000000000000-mapping.dmp

Download
memory/2008-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing