systembc | 897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15

General

Target

897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe
Size

1.7MB
MD5

8cfa1da0104d3f7a83d30cd97e53b2f2
SHA1

968fecb371720afca1bd528287ca83407129cfc7
SHA256

897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15
SHA512

e914253b96c46ecb36e212d4bbe50d2614c5ccb29f5274a63bf063833e9616c813c75e5d484ea674e330ff445e6d51dc0cbbdff021a21b982a72dfc69be66356
SSDEEP

49152:Hk9nNXRsNXEmVuu7MACN6hicTWAkTjlO6r4GK53zJ:IBspku7MXNOiIWAaJD0GeJ

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

89.22.225.242:4193

195.2.93.22:4193

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

Nela nahaseti bakibaf_hixog diquoc mexi.exe

pid process

1980 Nela nahaseti bakibaf_hixog diquoc mexi.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

908 cmd.exe
Loads dropped DLL 1 IoCs

Processes:

897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe

pid process

1908 897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Nela nahaseti bakibaf_hixog diquoc mexi.exe

description pid process target process

PID 1980 set thread context of 284 1980 Nela nahaseti bakibaf_hixog diquoc mexi.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2028 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

472 PING.EXE

pid	process
1980	Nela nahaseti bakibaf_hixog diquoc mexi.exe

pid	process
908	cmd.exe

description	pid	process	target process
PID 1980 set thread context of 284	1980	Nela nahaseti bakibaf_hixog diquoc mexi.exe	InstallUtil.exe

pid	process
2028	schtasks.exe

pid	process
472	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exeNela nahaseti bakibaf_hixog diquoc mexi.exe

pid	process
1908	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe
1908	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe
1908	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe
1908	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe
1908	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe
1980	Nela nahaseti bakibaf_hixog diquoc mexi.exe
1980	Nela nahaseti bakibaf_hixog diquoc mexi.exe
1980	Nela nahaseti bakibaf_hixog diquoc mexi.exe
1980	Nela nahaseti bakibaf_hixog diquoc mexi.exe
1980	Nela nahaseti bakibaf_hixog diquoc mexi.exe

Suspicious use of WriteProcessMemory 29 IoCs

Processes:

897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.execmd.exeNela nahaseti bakibaf_hixog diquoc mexi.exe

description	pid	process	target process
PID 1908 wrote to memory of 2028	1908	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe	schtasks.exe
PID 1908 wrote to memory of 2028	1908	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe	schtasks.exe
PID 1908 wrote to memory of 2028	1908	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe	schtasks.exe
PID 1908 wrote to memory of 2028	1908	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe	schtasks.exe
PID 1908 wrote to memory of 1980	1908	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe	Nela nahaseti bakibaf_hixog diquoc mexi.exe
PID 1908 wrote to memory of 1980	1908	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe	Nela nahaseti bakibaf_hixog diquoc mexi.exe
PID 1908 wrote to memory of 1980	1908	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe	Nela nahaseti bakibaf_hixog diquoc mexi.exe
PID 1908 wrote to memory of 1980	1908	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe	Nela nahaseti bakibaf_hixog diquoc mexi.exe
PID 1908 wrote to memory of 908	1908	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe	cmd.exe
PID 1908 wrote to memory of 908	1908	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe	cmd.exe
PID 1908 wrote to memory of 908	1908	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe	cmd.exe
PID 1908 wrote to memory of 908	1908	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe	cmd.exe
PID 908 wrote to memory of 692	908	cmd.exe	chcp.com
PID 908 wrote to memory of 692	908	cmd.exe	chcp.com
PID 908 wrote to memory of 692	908	cmd.exe	chcp.com
PID 908 wrote to memory of 692	908	cmd.exe	chcp.com
PID 908 wrote to memory of 472	908	cmd.exe	PING.EXE
PID 908 wrote to memory of 472	908	cmd.exe	PING.EXE
PID 908 wrote to memory of 472	908	cmd.exe	PING.EXE
PID 908 wrote to memory of 472	908	cmd.exe	PING.EXE
PID 1980 wrote to memory of 284	1980	Nela nahaseti bakibaf_hixog diquoc mexi.exe	InstallUtil.exe
PID 1980 wrote to memory of 284	1980	Nela nahaseti bakibaf_hixog diquoc mexi.exe	InstallUtil.exe
PID 1980 wrote to memory of 284	1980	Nela nahaseti bakibaf_hixog diquoc mexi.exe	InstallUtil.exe
PID 1980 wrote to memory of 284	1980	Nela nahaseti bakibaf_hixog diquoc mexi.exe	InstallUtil.exe
PID 1980 wrote to memory of 284	1980	Nela nahaseti bakibaf_hixog diquoc mexi.exe	InstallUtil.exe
PID 1980 wrote to memory of 284	1980	Nela nahaseti bakibaf_hixog diquoc mexi.exe	InstallUtil.exe
PID 1980 wrote to memory of 284	1980	Nela nahaseti bakibaf_hixog diquoc mexi.exe	InstallUtil.exe
PID 1980 wrote to memory of 284	1980	Nela nahaseti bakibaf_hixog diquoc mexi.exe	InstallUtil.exe
PID 1980 wrote to memory of 284	1980	Nela nahaseti bakibaf_hixog diquoc mexi.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe
"C:\Users\Admin\AppData\Local\Temp\897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\wiquega niyi hisava xitag kobit fir pidamet\Nela nahaseti bakibaf_hixog diquoc mexi.exe"
2⤵
- Creates scheduled task(s)
PID:2028

C:\Users\Admin\wiquega niyi hisava xitag kobit fir pidamet\Nela nahaseti bakibaf_hixog diquoc mexi.exe
"C:\Users\Admin\wiquega niyi hisava xitag kobit fir pidamet\Nela nahaseti bakibaf_hixog diquoc mexi.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:284

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:692

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:472

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\wiquega niyi hisava xitag kobit fir pidamet\Nela nahaseti bakibaf_hixog diquoc mexi.exe
Filesize
770.7MB

MD5
f8d739c9b2bc4eed368306a0d98c3bf1

SHA1
af37fa1b42d1a2b327c8c51161c73799a643746a

SHA256
8c8bc8bca1acbd039f2966e4b38bd14fadff7f42e9e0b3f6befd16ec1192529e

SHA512
137e3c4be3c5039d03379a574a99463abed4b6d3941ea315a2031ba1feefe6bd4e52bdd3d1079a945024d5e03686a2d0a82d0cc9c36cc3e4ca315ebef248133a

Download Submit
\Users\Admin\wiquega niyi hisava xitag kobit fir pidamet\Nela nahaseti bakibaf_hixog diquoc mexi.exe
Filesize
770.7MB

MD5
f8d739c9b2bc4eed368306a0d98c3bf1

SHA1
af37fa1b42d1a2b327c8c51161c73799a643746a

SHA256
8c8bc8bca1acbd039f2966e4b38bd14fadff7f42e9e0b3f6befd16ec1192529e

SHA512
137e3c4be3c5039d03379a574a99463abed4b6d3941ea315a2031ba1feefe6bd4e52bdd3d1079a945024d5e03686a2d0a82d0cc9c36cc3e4ca315ebef248133a

Download Submit
memory/284-82-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/284-78-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/284-76-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/472-68-0x0000000000000000-mapping.dmp

Download
memory/692-67-0x0000000000000000-mapping.dmp

Download
memory/908-65-0x0000000000000000-mapping.dmp

Download
memory/1908-66-0x0000000000A00000-0x0000000000B77000-memory.dmp

Filesize
1.5MB

Download
memory/1908-57-0x0000000000A00000-0x0000000000B77000-memory.dmp

Filesize
1.5MB

Download
memory/1908-55-0x0000000002200000-0x0000000002969000-memory.dmp

Filesize
7.4MB

Download
memory/1908-60-0x0000000000A00000-0x0000000000B77000-memory.dmp

Filesize
1.5MB

Download
memory/1908-54-0x0000000002200000-0x0000000002969000-memory.dmp

Filesize
7.4MB

Download
memory/1908-59-0x0000000002200000-0x0000000002969000-memory.dmp

Filesize
7.4MB

Download
memory/1908-58-0x00000000753C1000-0x00000000753C3000-memory.dmp

Filesize
8KB

Download
memory/1908-56-0x0000000000A00000-0x0000000000B77000-memory.dmp

Filesize
1.5MB

Download
memory/1980-70-0x0000000001EF0000-0x0000000002659000-memory.dmp

Filesize
7.4MB

Download
memory/1980-71-0x00000000006F0000-0x0000000000867000-memory.dmp

Filesize
1.5MB

Download
memory/1980-73-0x00000000006F0000-0x0000000000867000-memory.dmp

Filesize
1.5MB

Download
memory/1980-74-0x00000000006F0000-0x0000000000867000-memory.dmp

Filesize
1.5MB

Download
memory/1980-75-0x000000000A7D0000-0x000000000A84C000-memory.dmp

Filesize
496KB

Download
memory/1980-63-0x0000000000000000-mapping.dmp

Download
memory/1980-69-0x0000000001EF0000-0x0000000002659000-memory.dmp

Filesize
7.4MB

Download
memory/1980-80-0x00000000006F0000-0x0000000000867000-memory.dmp

Filesize
1.5MB

Download
memory/2028-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads