systembc | ce3a7357d8daa56b8f02b6ee0af00737c7e1feaa051bf8471dafcc04cafc5ca9

Analysis

max time kernel
150s
max time network
149s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
14-09-2022 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce3a7357d8daa56b8f02b6ee0af00737c7e1feaa051bf8471dafcc04cafc5ca9.exe
Size

250KB
MD5

39a0d9ae63c42534e18f17d903a2f7a6
SHA1

be6e0ca2b86f4ea632abdc02322091d69f31f87d
SHA256

ce3a7357d8daa56b8f02b6ee0af00737c7e1feaa051bf8471dafcc04cafc5ca9
SHA512

fe89f679409d2db3c3ab4d30c5c6962dd4d2ee46f154a65ff73d9a4e990b7dbfa9b909ad3026f5c709086b10e1fa7bd92d1fd52aa7ee235c2c69b9aff631dbe0
SSDEEP

6144:2BohTbNI2bRNDZJSyL/iKHhZHk+vlwmjSW:Mab62bRNDZJSUi5+l

Score

10^/10

systembc bootkit persistence trojan

Malware Config

Extracted

Family

systembc

146.70.101.95:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

14A1.exe8F8F.exeqaaxh.exe

pid process

4752 14A1.exe
1812 8F8F.exe
4292 qaaxh.exe
Deletes itself 1 IoCs

Processes:

pid process

3048
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

14A1.exe

description ioc process

File opened for modification \??\PHYSICALDRIVE0 14A1.exe
Drops file in Windows directory 2 IoCs

Processes:

8F8F.exe

description ioc process

File opened for modification C:\Windows\Tasks\qaaxh.job 8F8F.exe
File created C:\Windows\Tasks\qaaxh.job 8F8F.exe

pid	process
4752	14A1.exe
1812	8F8F.exe
4292	qaaxh.exe

pid	process
3048

description	ioc	process
File opened for modification	\??\PHYSICALDRIVE0	14A1.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\qaaxh.job	8F8F.exe
File created	C:\Windows\Tasks\qaaxh.job	8F8F.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ce3a7357d8daa56b8f02b6ee0af00737c7e1feaa051bf8471dafcc04cafc5ca9.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ce3a7357d8daa56b8f02b6ee0af00737c7e1feaa051bf8471dafcc04cafc5ca9.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ce3a7357d8daa56b8f02b6ee0af00737c7e1feaa051bf8471dafcc04cafc5ca9.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ce3a7357d8daa56b8f02b6ee0af00737c7e1feaa051bf8471dafcc04cafc5ca9.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ce3a7357d8daa56b8f02b6ee0af00737c7e1feaa051bf8471dafcc04cafc5ca9.exe

pid	process
2748	ce3a7357d8daa56b8f02b6ee0af00737c7e1feaa051bf8471dafcc04cafc5ca9.exe
2748	ce3a7357d8daa56b8f02b6ee0af00737c7e1feaa051bf8471dafcc04cafc5ca9.exe
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3048
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ce3a7357d8daa56b8f02b6ee0af00737c7e1feaa051bf8471dafcc04cafc5ca9.exe

pid process

2748 ce3a7357d8daa56b8f02b6ee0af00737c7e1feaa051bf8471dafcc04cafc5ca9.exe

pid	process
3048

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

description	pid	target process
PID 3048 wrote to memory of 4752	3048	14A1.exe
PID 3048 wrote to memory of 4752	3048	14A1.exe
PID 3048 wrote to memory of 4752	3048	14A1.exe
PID 3048 wrote to memory of 1812	3048	8F8F.exe
PID 3048 wrote to memory of 1812	3048	8F8F.exe
PID 3048 wrote to memory of 1812	3048	8F8F.exe

C:\Users\Admin\AppData\Local\Temp\ce3a7357d8daa56b8f02b6ee0af00737c7e1feaa051bf8471dafcc04cafc5ca9.exe
"C:\Users\Admin\AppData\Local\Temp\ce3a7357d8daa56b8f02b6ee0af00737c7e1feaa051bf8471dafcc04cafc5ca9.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2748

C:\Users\Admin\AppData\Local\Temp\14A1.exe
C:\Users\Admin\AppData\Local\Temp\14A1.exe
1⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
PID:4752

C:\Users\Admin\AppData\Local\Temp\8F8F.exe
C:\Users\Admin\AppData\Local\Temp\8F8F.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1812

C:\ProgramData\oowt\qaaxh.exe
C:\ProgramData\oowt\qaaxh.exe start
1⤵
- Executes dropped EXE
PID:4292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\oowt\qaaxh.exe
Filesize
250KB

MD5
a2235dca8dc46a22f9be08fedc7b1b0a

SHA1
9071d6d0cd331694ffb6b1caedf8b49de4728d70

SHA256
7880b2cd5384bf7c1c094d871947504df1eef7f29befa93fec72bbafc4fa8fa8

SHA512
ea3b517af5d1c93f6e020116259f5a550f4e00614d54ee43a784b1ffa0be767bd6d36e72328079a4b634d92a45f63f27796a9d51357114356174d0845d624a4b

Download Submit
C:\ProgramData\oowt\qaaxh.exe
Filesize
250KB

MD5
a2235dca8dc46a22f9be08fedc7b1b0a

SHA1
9071d6d0cd331694ffb6b1caedf8b49de4728d70

SHA256
7880b2cd5384bf7c1c094d871947504df1eef7f29befa93fec72bbafc4fa8fa8

SHA512
ea3b517af5d1c93f6e020116259f5a550f4e00614d54ee43a784b1ffa0be767bd6d36e72328079a4b634d92a45f63f27796a9d51357114356174d0845d624a4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\14A1.exe
Filesize
570KB

MD5
1c067fd9768cb560ab944240a832970d

SHA1
9dc465756a0f4ecc65908d8c15466d41494f832f

SHA256
eb70f6c5ebd4db71917e8bf453a89919ebb5be3e0d03c74889c18d51e8a270a3

SHA512
6a2c598a848a3f8dab0e233180194b797cdc805645e4eee12a72e572f9692b70fa3bea32b8c9ef3164119ad50ecbf4c57dc7bec093d2b3a077094c0a529d968d

Download Submit
C:\Users\Admin\AppData\Local\Temp\14A1.exe
Filesize
570KB

MD5
1c067fd9768cb560ab944240a832970d

SHA1
9dc465756a0f4ecc65908d8c15466d41494f832f

SHA256
eb70f6c5ebd4db71917e8bf453a89919ebb5be3e0d03c74889c18d51e8a270a3

SHA512
6a2c598a848a3f8dab0e233180194b797cdc805645e4eee12a72e572f9692b70fa3bea32b8c9ef3164119ad50ecbf4c57dc7bec093d2b3a077094c0a529d968d

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F8F.exe
Filesize
250KB

MD5
a2235dca8dc46a22f9be08fedc7b1b0a

SHA1
9071d6d0cd331694ffb6b1caedf8b49de4728d70

SHA256
7880b2cd5384bf7c1c094d871947504df1eef7f29befa93fec72bbafc4fa8fa8

SHA512
ea3b517af5d1c93f6e020116259f5a550f4e00614d54ee43a784b1ffa0be767bd6d36e72328079a4b634d92a45f63f27796a9d51357114356174d0845d624a4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8F8F.exe
Filesize
250KB

MD5
a2235dca8dc46a22f9be08fedc7b1b0a

SHA1
9071d6d0cd331694ffb6b1caedf8b49de4728d70

SHA256
7880b2cd5384bf7c1c094d871947504df1eef7f29befa93fec72bbafc4fa8fa8

SHA512
ea3b517af5d1c93f6e020116259f5a550f4e00614d54ee43a784b1ffa0be767bd6d36e72328079a4b634d92a45f63f27796a9d51357114356174d0845d624a4b

Download Submit
memory/1812-229-0x0000000000897000-0x00000000008A8000-memory.dmp

Filesize
68KB

Download
memory/1812-202-0x0000000000000000-mapping.dmp

Download
memory/1812-231-0x00000000005A0000-0x00000000006EA000-memory.dmp

Filesize
1.3MB

Download
memory/1812-260-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/1812-261-0x0000000000897000-0x00000000008A8000-memory.dmp

Filesize
68KB

Download
memory/1812-262-0x00000000005A0000-0x00000000006EA000-memory.dmp

Filesize
1.3MB

Download
memory/2748-137-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-144-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-124-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-125-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-126-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-127-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-128-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-129-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-131-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-132-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-133-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-134-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-135-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-136-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-122-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-138-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-139-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-140-0x0000000000600000-0x00000000006AE000-memory.dmp

Filesize
696KB

Download
memory/2748-141-0x0000000000600000-0x00000000006AE000-memory.dmp

Filesize
696KB

Download
memory/2748-143-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/2748-142-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-123-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-145-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-146-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-147-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-148-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-149-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-150-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-151-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-152-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/2748-115-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-116-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-120-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-117-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-118-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-121-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-119-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4292-312-0x00000000006A0000-0x00000000007EA000-memory.dmp

Filesize
1.3MB

Download
memory/4292-313-0x0000000000680000-0x0000000000689000-memory.dmp

Filesize
36KB

Download
memory/4292-314-0x0000000000400000-0x000000000059B000-memory.dmp

Filesize
1.6MB

Download
memory/4292-316-0x00000000006A0000-0x00000000007EA000-memory.dmp

Filesize
1.3MB

Download
memory/4752-156-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-167-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-168-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-169-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-170-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-171-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-172-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-173-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-174-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-175-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-176-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-177-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-178-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-179-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-180-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-181-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-182-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-183-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-184-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-186-0x0000000000936000-0x0000000000997000-memory.dmp

Filesize
388KB

Download
memory/4752-187-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-189-0x0000000000880000-0x00000000008EB000-memory.dmp

Filesize
428KB

Download
memory/4752-185-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-198-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download
memory/4752-166-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-165-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-164-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-163-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-161-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-160-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-159-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-158-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-157-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-155-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4752-153-0x0000000000000000-mapping.dmp

Download
memory/4752-199-0x0000000000936000-0x0000000000997000-memory.dmp

Filesize
388KB

Download
memory/4752-200-0x0000000000880000-0x00000000008EB000-memory.dmp

Filesize
428KB

Download
memory/4752-201-0x0000000000400000-0x00000000005EB000-memory.dmp

Filesize
1.9MB

Download