systembc | 897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15

Analysis

max time kernel
244s
max time network
247s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
29-09-2022 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe
Size

1.7MB
MD5

8cfa1da0104d3f7a83d30cd97e53b2f2
SHA1

968fecb371720afca1bd528287ca83407129cfc7
SHA256

897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15
SHA512

e914253b96c46ecb36e212d4bbe50d2614c5ccb29f5274a63bf063833e9616c813c75e5d484ea674e330ff445e6d51dc0cbbdff021a21b982a72dfc69be66356
SSDEEP

49152:Hk9nNXRsNXEmVuu7MACN6hicTWAkTjlO6r4GK53zJ:IBspku7MXNOiIWAaJD0GeJ

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

89.22.225.242:4193

195.2.93.22:4193

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

Nela nahaseti bakibaf_hixog diquoc mexi.exe

pid process

1604 Nela nahaseti bakibaf_hixog diquoc mexi.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

Nela nahaseti bakibaf_hixog diquoc mexi.exe

description pid process target process

PID 1604 set thread context of 1980 1604 Nela nahaseti bakibaf_hixog diquoc mexi.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3008 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

736 PING.EXE

pid	process
1604	Nela nahaseti bakibaf_hixog diquoc mexi.exe

description	pid	process	target process
PID 1604 set thread context of 1980	1604	Nela nahaseti bakibaf_hixog diquoc mexi.exe	InstallUtil.exe

pid	process
3008	schtasks.exe

pid	process
736	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exeNela nahaseti bakibaf_hixog diquoc mexi.exe

pid	process
1768	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe
1768	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe
1768	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe
1768	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe
1768	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe
1768	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe
1768	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe
1768	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe
1768	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe
1768	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe
1604	Nela nahaseti bakibaf_hixog diquoc mexi.exe
1604	Nela nahaseti bakibaf_hixog diquoc mexi.exe
1604	Nela nahaseti bakibaf_hixog diquoc mexi.exe
1604	Nela nahaseti bakibaf_hixog diquoc mexi.exe
1604	Nela nahaseti bakibaf_hixog diquoc mexi.exe
1604	Nela nahaseti bakibaf_hixog diquoc mexi.exe
1604	Nela nahaseti bakibaf_hixog diquoc mexi.exe
1604	Nela nahaseti bakibaf_hixog diquoc mexi.exe
1604	Nela nahaseti bakibaf_hixog diquoc mexi.exe
1604	Nela nahaseti bakibaf_hixog diquoc mexi.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.execmd.exeNela nahaseti bakibaf_hixog diquoc mexi.exe

description	pid	process	target process
PID 1768 wrote to memory of 3008	1768	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe	schtasks.exe
PID 1768 wrote to memory of 3008	1768	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe	schtasks.exe
PID 1768 wrote to memory of 3008	1768	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe	schtasks.exe
PID 1768 wrote to memory of 1604	1768	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe	Nela nahaseti bakibaf_hixog diquoc mexi.exe
PID 1768 wrote to memory of 1604	1768	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe	Nela nahaseti bakibaf_hixog diquoc mexi.exe
PID 1768 wrote to memory of 1604	1768	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe	Nela nahaseti bakibaf_hixog diquoc mexi.exe
PID 1768 wrote to memory of 1772	1768	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe	cmd.exe
PID 1768 wrote to memory of 1772	1768	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe	cmd.exe
PID 1768 wrote to memory of 1772	1768	897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe	cmd.exe
PID 1772 wrote to memory of 4988	1772	cmd.exe	chcp.com
PID 1772 wrote to memory of 4988	1772	cmd.exe	chcp.com
PID 1772 wrote to memory of 4988	1772	cmd.exe	chcp.com
PID 1772 wrote to memory of 736	1772	cmd.exe	PING.EXE
PID 1772 wrote to memory of 736	1772	cmd.exe	PING.EXE
PID 1772 wrote to memory of 736	1772	cmd.exe	PING.EXE
PID 1604 wrote to memory of 4488	1604	Nela nahaseti bakibaf_hixog diquoc mexi.exe	InstallUtil.exe
PID 1604 wrote to memory of 4488	1604	Nela nahaseti bakibaf_hixog diquoc mexi.exe	InstallUtil.exe
PID 1604 wrote to memory of 4488	1604	Nela nahaseti bakibaf_hixog diquoc mexi.exe	InstallUtil.exe
PID 1604 wrote to memory of 1980	1604	Nela nahaseti bakibaf_hixog diquoc mexi.exe	InstallUtil.exe
PID 1604 wrote to memory of 1980	1604	Nela nahaseti bakibaf_hixog diquoc mexi.exe	InstallUtil.exe
PID 1604 wrote to memory of 1980	1604	Nela nahaseti bakibaf_hixog diquoc mexi.exe	InstallUtil.exe
PID 1604 wrote to memory of 1980	1604	Nela nahaseti bakibaf_hixog diquoc mexi.exe	InstallUtil.exe
PID 1604 wrote to memory of 1980	1604	Nela nahaseti bakibaf_hixog diquoc mexi.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe
"C:\Users\Admin\AppData\Local\Temp\897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\wiquega niyi hisava xitag kobit fir pidamet\Nela nahaseti bakibaf_hixog diquoc mexi.exe"
2⤵
- Creates scheduled task(s)
PID:3008

C:\Users\Admin\wiquega niyi hisava xitag kobit fir pidamet\Nela nahaseti bakibaf_hixog diquoc mexi.exe
"C:\Users\Admin\wiquega niyi hisava xitag kobit fir pidamet\Nela nahaseti bakibaf_hixog diquoc mexi.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:4488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:1980

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\897ae6e12c0cb2beedbfa4e54e32bb97c0f881f2fb18aad6fb08f6aeb3097f15.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:4988

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:736

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\wiquega niyi hisava xitag kobit fir pidamet\Nela nahaseti bakibaf_hixog diquoc mexi.exe
Filesize
810.7MB

MD5
23ba5244c03ffbefef92ac47b23dbbe4

SHA1
858f2e8f22ae0e6a0a7347960f8cbe2435dca5bf

SHA256
8e2557c9244591648f20e1ea5ecacbc9a7820db0958341ad82f69850b5ce4038

SHA512
b2a0923689112a10a0155dd9484a47eecc7a9b1120d9883bc55d575c62238c83315563b4c7c2710c327a3a11f479b7a8c06d0fa20382326a84a9db6992015aef

Download Submit
C:\Users\Admin\wiquega niyi hisava xitag kobit fir pidamet\Nela nahaseti bakibaf_hixog diquoc mexi.exe
Filesize
810.7MB

MD5
23ba5244c03ffbefef92ac47b23dbbe4

SHA1
858f2e8f22ae0e6a0a7347960f8cbe2435dca5bf

SHA256
8e2557c9244591648f20e1ea5ecacbc9a7820db0958341ad82f69850b5ce4038

SHA512
b2a0923689112a10a0155dd9484a47eecc7a9b1120d9883bc55d575c62238c83315563b4c7c2710c327a3a11f479b7a8c06d0fa20382326a84a9db6992015aef

Download Submit
memory/736-235-0x0000000000000000-mapping.dmp

Download
memory/1604-192-0x0000000000000000-mapping.dmp

Download
memory/1604-295-0x000000000CB40000-0x000000000CBBC000-memory.dmp

Filesize
496KB

Download
memory/1604-291-0x0000000003230000-0x00000000033AF000-memory.dmp

Filesize
1.5MB

Download
memory/1604-290-0x0000000002AB0000-0x0000000003227000-memory.dmp

Filesize
7.5MB

Download
memory/1604-289-0x0000000003230000-0x00000000033AF000-memory.dmp

Filesize
1.5MB

Download
memory/1604-258-0x0000000002AB0000-0x0000000003227000-memory.dmp

Filesize
7.5MB

Download
memory/1768-158-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-130-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-127-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-128-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-161-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-162-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-131-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-132-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-133-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-135-0x00000000022A0000-0x0000000002A0E000-memory.dmp

Filesize
7.4MB

Download
memory/1768-137-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-138-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-139-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-140-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-141-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-142-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-143-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-144-0x0000000002A10000-0x0000000002B8F000-memory.dmp

Filesize
1.5MB

Download
memory/1768-145-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-146-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-147-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-148-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-149-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-150-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-151-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-152-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-153-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-154-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-155-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-156-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-157-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-125-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-159-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-160-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-163-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-126-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-129-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-164-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-165-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-166-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-167-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-168-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-169-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-170-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-171-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-172-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-173-0x00000000022A0000-0x0000000002A0E000-memory.dmp

Filesize
7.4MB

Download
memory/1768-174-0x0000000002A10000-0x0000000002B8F000-memory.dmp

Filesize
1.5MB

Download
memory/1768-175-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-176-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-177-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-178-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-179-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-180-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-181-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-182-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-183-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-120-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-121-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-122-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-123-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1768-124-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/1772-204-0x0000000000000000-mapping.dmp

Download
memory/1980-335-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3008-188-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3008-189-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3008-190-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3008-187-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3008-186-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3008-185-0x0000000076F50000-0x00000000770DE000-memory.dmp

Filesize
1.6MB

Download
memory/3008-184-0x0000000000000000-mapping.dmp

Download
memory/4988-227-0x0000000000000000-mapping.dmp

Download