systembc | d94e02cfb25da71355a6d85538a24374c050962c4e027eaae2e230fe52514e2a

General

Target

bb8dba7e21b5f0720407e0acdde6a34e.exe
Size

373KB
MD5

bb8dba7e21b5f0720407e0acdde6a34e
SHA1

27e708c7940708ec158245bfb7f9f671f6664b13
SHA256

d94e02cfb25da71355a6d85538a24374c050962c4e027eaae2e230fe52514e2a
SHA512

b83aedd35920a402033d9381d67d5ade247afe55c8c5d7fc0eb5ee79d0c5cd69bd3e2538881e7d8d2bdcf04b65219f802d038b1757a395709e20b52462d12266

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

135.125.248.50:443

146.70.53.169:443

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

4460637101.exe1142939930.exe1142939930.exe

pid process

1368 4460637101.exe
1120 1142939930.exe
1252 1142939930.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

328 cmd.exe
Loads dropped DLL 3 IoCs

Processes:

cmd.execmd.exe

pid process

1172 cmd.exe
1768 cmd.exe
1768 cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Drops file in Windows directory 2 IoCs

Processes:

1142939930.exe

description ioc process

File created C:\Windows\Tasks\wow64.job 1142939930.exe
File opened for modification C:\Windows\Tasks\wow64.job 1142939930.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1828 taskkill.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1828 taskkill.exe

pid	process
1368	4460637101.exe
1120	1142939930.exe
1252	1142939930.exe

pid	process
328	cmd.exe

pid	process
1172	cmd.exe
1768	cmd.exe
1768	cmd.exe

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	1142939930.exe
File opened for modification	C:\Windows\Tasks\wow64.job	1142939930.exe

pid	process
1828	taskkill.exe

description	pid	process
Token: SeDebugPrivilege	1828	taskkill.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

bb8dba7e21b5f0720407e0acdde6a34e.execmd.execmd.execmd.exetaskeng.exe

description	pid	process	target process
PID 1648 wrote to memory of 1172	1648	bb8dba7e21b5f0720407e0acdde6a34e.exe	cmd.exe
PID 1648 wrote to memory of 1172	1648	bb8dba7e21b5f0720407e0acdde6a34e.exe	cmd.exe
PID 1648 wrote to memory of 1172	1648	bb8dba7e21b5f0720407e0acdde6a34e.exe	cmd.exe
PID 1648 wrote to memory of 1172	1648	bb8dba7e21b5f0720407e0acdde6a34e.exe	cmd.exe
PID 1172 wrote to memory of 1368	1172	cmd.exe	4460637101.exe
PID 1172 wrote to memory of 1368	1172	cmd.exe	4460637101.exe
PID 1172 wrote to memory of 1368	1172	cmd.exe	4460637101.exe
PID 1172 wrote to memory of 1368	1172	cmd.exe	4460637101.exe
PID 1648 wrote to memory of 1768	1648	bb8dba7e21b5f0720407e0acdde6a34e.exe	cmd.exe
PID 1648 wrote to memory of 1768	1648	bb8dba7e21b5f0720407e0acdde6a34e.exe	cmd.exe
PID 1648 wrote to memory of 1768	1648	bb8dba7e21b5f0720407e0acdde6a34e.exe	cmd.exe
PID 1648 wrote to memory of 1768	1648	bb8dba7e21b5f0720407e0acdde6a34e.exe	cmd.exe
PID 1768 wrote to memory of 1120	1768	cmd.exe	1142939930.exe
PID 1768 wrote to memory of 1120	1768	cmd.exe	1142939930.exe
PID 1768 wrote to memory of 1120	1768	cmd.exe	1142939930.exe
PID 1768 wrote to memory of 1120	1768	cmd.exe	1142939930.exe
PID 1648 wrote to memory of 328	1648	bb8dba7e21b5f0720407e0acdde6a34e.exe	cmd.exe
PID 1648 wrote to memory of 328	1648	bb8dba7e21b5f0720407e0acdde6a34e.exe	cmd.exe
PID 1648 wrote to memory of 328	1648	bb8dba7e21b5f0720407e0acdde6a34e.exe	cmd.exe
PID 1648 wrote to memory of 328	1648	bb8dba7e21b5f0720407e0acdde6a34e.exe	cmd.exe
PID 328 wrote to memory of 1828	328	cmd.exe	taskkill.exe
PID 328 wrote to memory of 1828	328	cmd.exe	taskkill.exe
PID 328 wrote to memory of 1828	328	cmd.exe	taskkill.exe
PID 328 wrote to memory of 1828	328	cmd.exe	taskkill.exe
PID 1756 wrote to memory of 1252	1756	taskeng.exe	1142939930.exe
PID 1756 wrote to memory of 1252	1756	taskeng.exe	1142939930.exe
PID 1756 wrote to memory of 1252	1756	taskeng.exe	1142939930.exe
PID 1756 wrote to memory of 1252	1756	taskeng.exe	1142939930.exe

C:\Users\Admin\AppData\Local\Temp\bb8dba7e21b5f0720407e0acdde6a34e.exe
"C:\Users\Admin\AppData\Local\Temp\bb8dba7e21b5f0720407e0acdde6a34e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\4460637101.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1172

C:\Users\Admin\AppData\Local\Temp\4460637101.exe
"C:\Users\Admin\AppData\Local\Temp\4460637101.exe"
3⤵
- Executes dropped EXE
PID:1368

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\1142939930.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Local\Temp\1142939930.exe
"C:\Users\Admin\AppData\Local\Temp\1142939930.exe"
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "bb8dba7e21b5f0720407e0acdde6a34e.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\bb8dba7e21b5f0720407e0acdde6a34e.exe" & exit
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "bb8dba7e21b5f0720407e0acdde6a34e.exe" /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1828

C:\Windows\system32\taskeng.exe
taskeng.exe {9C3FEB19-5B3E-4289-99C4-C02EC3D28153} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\1142939930.exe
C:\Users\Admin\AppData\Local\Temp\1142939930.exe start
2⤵
- Executes dropped EXE
PID:1252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1142939930.exe
Filesize
946KB

MD5
c65326b66f8e1799d3b4b62ced8431ad

SHA1
2435632e756173e92a1f14e10573bdc32895a6c5

SHA256
c72ce273124fce08bf9dd61845a78651d7ba402f9164f117f4d6d0ad5d0212ba

SHA512
034b09c7f3bd8b2dba0f3aad38d96db03d9c23c09b36653014716088c5829b40d1255c0b7c8880d9ec19a342132be2ddbac88c6b4bcea31c44643370f40300a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1142939930.exe
Filesize
946KB

MD5
c65326b66f8e1799d3b4b62ced8431ad

SHA1
2435632e756173e92a1f14e10573bdc32895a6c5

SHA256
c72ce273124fce08bf9dd61845a78651d7ba402f9164f117f4d6d0ad5d0212ba

SHA512
034b09c7f3bd8b2dba0f3aad38d96db03d9c23c09b36653014716088c5829b40d1255c0b7c8880d9ec19a342132be2ddbac88c6b4bcea31c44643370f40300a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1142939930.exe
Filesize
946KB

MD5
c65326b66f8e1799d3b4b62ced8431ad

SHA1
2435632e756173e92a1f14e10573bdc32895a6c5

SHA256
c72ce273124fce08bf9dd61845a78651d7ba402f9164f117f4d6d0ad5d0212ba

SHA512
034b09c7f3bd8b2dba0f3aad38d96db03d9c23c09b36653014716088c5829b40d1255c0b7c8880d9ec19a342132be2ddbac88c6b4bcea31c44643370f40300a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4460637101.exe
Filesize
84KB

MD5
bd36b140501a2597a130c5d1a6105626

SHA1
ccb488217d9d32334fff09b0fb3d857e3ab4da6b

SHA256
1eeba0022aabfde029387b14ee7604186c8fcca857f6cd67d130df4248fe996d

SHA512
882f986e3a1f3e7d4598d9c74168076599518bc59410ceffb8c9f6143cd8a2cd72b13b584a73e12a67d43901891377dc51fec9ef649f032f1255f4c9f410f106

Download Submit
C:\Users\Admin\AppData\Local\Temp\4460637101.exe
Filesize
84KB

MD5
bd36b140501a2597a130c5d1a6105626

SHA1
ccb488217d9d32334fff09b0fb3d857e3ab4da6b

SHA256
1eeba0022aabfde029387b14ee7604186c8fcca857f6cd67d130df4248fe996d

SHA512
882f986e3a1f3e7d4598d9c74168076599518bc59410ceffb8c9f6143cd8a2cd72b13b584a73e12a67d43901891377dc51fec9ef649f032f1255f4c9f410f106

Download Submit
\Users\Admin\AppData\Local\Temp\1142939930.exe
Filesize
946KB

MD5
c65326b66f8e1799d3b4b62ced8431ad

SHA1
2435632e756173e92a1f14e10573bdc32895a6c5

SHA256
c72ce273124fce08bf9dd61845a78651d7ba402f9164f117f4d6d0ad5d0212ba

SHA512
034b09c7f3bd8b2dba0f3aad38d96db03d9c23c09b36653014716088c5829b40d1255c0b7c8880d9ec19a342132be2ddbac88c6b4bcea31c44643370f40300a1

Download Submit
\Users\Admin\AppData\Local\Temp\1142939930.exe
Filesize
946KB

MD5
c65326b66f8e1799d3b4b62ced8431ad

SHA1
2435632e756173e92a1f14e10573bdc32895a6c5

SHA256
c72ce273124fce08bf9dd61845a78651d7ba402f9164f117f4d6d0ad5d0212ba

SHA512
034b09c7f3bd8b2dba0f3aad38d96db03d9c23c09b36653014716088c5829b40d1255c0b7c8880d9ec19a342132be2ddbac88c6b4bcea31c44643370f40300a1

Download Submit
\Users\Admin\AppData\Local\Temp\4460637101.exe
Filesize
84KB

MD5
bd36b140501a2597a130c5d1a6105626

SHA1
ccb488217d9d32334fff09b0fb3d857e3ab4da6b

SHA256
1eeba0022aabfde029387b14ee7604186c8fcca857f6cd67d130df4248fe996d

SHA512
882f986e3a1f3e7d4598d9c74168076599518bc59410ceffb8c9f6143cd8a2cd72b13b584a73e12a67d43901891377dc51fec9ef649f032f1255f4c9f410f106

Download Submit
memory/328-70-0x0000000000000000-mapping.dmp

Download
memory/1120-72-0x00000000006B0000-0x00000000006B5000-memory.dmp

Filesize
20KB

Download
memory/1120-67-0x0000000000000000-mapping.dmp

Download
memory/1120-73-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/1172-58-0x0000000000000000-mapping.dmp

Download
memory/1252-74-0x0000000000000000-mapping.dmp

Download
memory/1252-77-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/1368-61-0x0000000000000000-mapping.dmp

Download
memory/1648-57-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/1648-55-0x00000000005EA000-0x0000000000605000-memory.dmp

Filesize
108KB

Download
memory/1648-54-0x00000000755C1000-0x00000000755C3000-memory.dmp

Filesize
8KB

Download
memory/1648-56-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/1768-63-0x0000000000000000-mapping.dmp

Download
memory/1828-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing