systembc | 4119afdd7fb25978a0f7fa74cdb6be97df0a67ddc3607efbce5de855d9a765d2

General

Target

61f9d2b055b4c6b2fcd157f73ae63cd1.exe
Size

1.5MB
MD5

61f9d2b055b4c6b2fcd157f73ae63cd1
SHA1

f4e42225c42c5378ccd4e03b7ccb465d79797388
SHA256

4119afdd7fb25978a0f7fa74cdb6be97df0a67ddc3607efbce5de855d9a765d2
SHA512

58e321c0d746ed4da8f7bbe19c4524544449a67f1f84b5cb87b3c64107bf6639ed0f163d5f5f8cfa58cbd7dbfacb12439cfea5376dc052f271df124e09fe2c3e
SSDEEP

24576:277xjRO4/1gy4+aDckmi7DaC+V+aqaGI5KMADy2n1Cpp4c7cxXZh:c7xjRJgywDCyDSWaCM0y2ngHdm7

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

89.22.225.242:4193

195.2.93.22:4193

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

Dotay forikiyi bibaja.exe

pid process

2664 Dotay forikiyi bibaja.exe

pid	process
2664	Dotay forikiyi bibaja.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

61f9d2b055b4c6b2fcd157f73ae63cd1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	61f9d2b055b4c6b2fcd157f73ae63cd1.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Dotay forikiyi bibaja.exe

description pid process target process

PID 2664 set thread context of 3876 2664 Dotay forikiyi bibaja.exe InstallUtil.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

364 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1684 PING.EXE

description	pid	process	target process
PID 2664 set thread context of 3876	2664	Dotay forikiyi bibaja.exe	InstallUtil.exe

pid	process
364	schtasks.exe

pid	process
1684	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

61f9d2b055b4c6b2fcd157f73ae63cd1.exeDotay forikiyi bibaja.exe

pid	process
4156	61f9d2b055b4c6b2fcd157f73ae63cd1.exe
4156	61f9d2b055b4c6b2fcd157f73ae63cd1.exe
4156	61f9d2b055b4c6b2fcd157f73ae63cd1.exe
4156	61f9d2b055b4c6b2fcd157f73ae63cd1.exe
4156	61f9d2b055b4c6b2fcd157f73ae63cd1.exe
4156	61f9d2b055b4c6b2fcd157f73ae63cd1.exe
4156	61f9d2b055b4c6b2fcd157f73ae63cd1.exe
4156	61f9d2b055b4c6b2fcd157f73ae63cd1.exe
4156	61f9d2b055b4c6b2fcd157f73ae63cd1.exe
4156	61f9d2b055b4c6b2fcd157f73ae63cd1.exe
2664	Dotay forikiyi bibaja.exe
2664	Dotay forikiyi bibaja.exe
2664	Dotay forikiyi bibaja.exe
2664	Dotay forikiyi bibaja.exe
2664	Dotay forikiyi bibaja.exe
2664	Dotay forikiyi bibaja.exe
2664	Dotay forikiyi bibaja.exe
2664	Dotay forikiyi bibaja.exe
2664	Dotay forikiyi bibaja.exe
2664	Dotay forikiyi bibaja.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

61f9d2b055b4c6b2fcd157f73ae63cd1.execmd.exeDotay forikiyi bibaja.exe

description	pid	process	target process
PID 4156 wrote to memory of 364	4156	61f9d2b055b4c6b2fcd157f73ae63cd1.exe	schtasks.exe
PID 4156 wrote to memory of 364	4156	61f9d2b055b4c6b2fcd157f73ae63cd1.exe	schtasks.exe
PID 4156 wrote to memory of 364	4156	61f9d2b055b4c6b2fcd157f73ae63cd1.exe	schtasks.exe
PID 4156 wrote to memory of 2664	4156	61f9d2b055b4c6b2fcd157f73ae63cd1.exe	Dotay forikiyi bibaja.exe
PID 4156 wrote to memory of 2664	4156	61f9d2b055b4c6b2fcd157f73ae63cd1.exe	Dotay forikiyi bibaja.exe
PID 4156 wrote to memory of 2664	4156	61f9d2b055b4c6b2fcd157f73ae63cd1.exe	Dotay forikiyi bibaja.exe
PID 4156 wrote to memory of 176	4156	61f9d2b055b4c6b2fcd157f73ae63cd1.exe	cmd.exe
PID 4156 wrote to memory of 176	4156	61f9d2b055b4c6b2fcd157f73ae63cd1.exe	cmd.exe
PID 4156 wrote to memory of 176	4156	61f9d2b055b4c6b2fcd157f73ae63cd1.exe	cmd.exe
PID 176 wrote to memory of 2088	176	cmd.exe	chcp.com
PID 176 wrote to memory of 2088	176	cmd.exe	chcp.com
PID 176 wrote to memory of 2088	176	cmd.exe	chcp.com
PID 176 wrote to memory of 1684	176	cmd.exe	PING.EXE
PID 176 wrote to memory of 1684	176	cmd.exe	PING.EXE
PID 176 wrote to memory of 1684	176	cmd.exe	PING.EXE
PID 2664 wrote to memory of 3876	2664	Dotay forikiyi bibaja.exe	InstallUtil.exe
PID 2664 wrote to memory of 3876	2664	Dotay forikiyi bibaja.exe	InstallUtil.exe
PID 2664 wrote to memory of 3876	2664	Dotay forikiyi bibaja.exe	InstallUtil.exe
PID 2664 wrote to memory of 3876	2664	Dotay forikiyi bibaja.exe	InstallUtil.exe
PID 2664 wrote to memory of 3876	2664	Dotay forikiyi bibaja.exe	InstallUtil.exe

C:\Users\Admin\AppData\Local\Temp\61f9d2b055b4c6b2fcd157f73ae63cd1.exe
"C:\Users\Admin\AppData\Local\Temp\61f9d2b055b4c6b2fcd157f73ae63cd1.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Quabo gij cogoke pasofe melo jayiwala gohirih quocelad nocalati\Dotay forikiyi bibaja.exe"
2⤵
- Creates scheduled task(s)
PID:364

C:\Users\Admin\Quabo gij cogoke pasofe melo jayiwala gohirih quocelad nocalati\Dotay forikiyi bibaja.exe
"C:\Users\Admin\Quabo gij cogoke pasofe melo jayiwala gohirih quocelad nocalati\Dotay forikiyi bibaja.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:3876

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\61f9d2b055b4c6b2fcd157f73ae63cd1.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:176

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:2088

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1684

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Quabo gij cogoke pasofe melo jayiwala gohirih quocelad nocalati\Dotay forikiyi bibaja.exe
Filesize
605.2MB

MD5
e942856581a46d01030308ff6c85c42f

SHA1
7c37f2116a372419d163d05839b0989b9782fa3a

SHA256
ef58b794bddb24ae00ffc30e0ffb444c4f7b210d22da74e89691e9253e9c690d

SHA512
ec1eebb9a179a39debd5d2228c381085f97357db88ca13aaf6be6a64a8259ae906610a69b52600cdd4ce5bc120b806eb9366d2f86dd20baf11bdf201ed40d7d5

Download Submit
C:\Users\Admin\Quabo gij cogoke pasofe melo jayiwala gohirih quocelad nocalati\Dotay forikiyi bibaja.exe
Filesize
562.4MB

MD5
e996114b568f6222935a912b9295ecff

SHA1
86aa371b54c40def21dd831ff614ad2492bcd33f

SHA256
bdc21425286a92a96ff76aaf6e203e6a0739137f4cddf8955f1056be2dc260e4

SHA512
29cc0f874c992749e68be30e6efbdbb3baf114d9ef1408d89269149ab796f9063e15ad4415ff035d51d2431b11a440d0eb084b7fbf5f8ae8dc907efed3a851ca

Download Submit
memory/176-140-0x0000000000000000-mapping.dmp

Download
memory/364-136-0x0000000000000000-mapping.dmp

Download
memory/1684-143-0x0000000000000000-mapping.dmp

Download
memory/2088-142-0x0000000000000000-mapping.dmp

Download
memory/2664-137-0x0000000000000000-mapping.dmp

Download
memory/2664-146-0x0000000002202000-0x000000000291A000-memory.dmp

Filesize
7.1MB

Download
memory/2664-155-0x000000000292B000-0x0000000002A93000-memory.dmp

Filesize
1.4MB

Download
memory/2664-149-0x000000000E6A0000-0x000000000E715000-memory.dmp

Filesize
468KB

Download
memory/2664-148-0x000000000E6A0000-0x000000000E715000-memory.dmp

Filesize
468KB

Download
memory/2664-147-0x000000000292B000-0x0000000002A93000-memory.dmp

Filesize
1.4MB

Download
memory/2664-144-0x0000000002202000-0x000000000291A000-memory.dmp

Filesize
7.1MB

Download
memory/2664-145-0x000000000292B000-0x0000000002A93000-memory.dmp

Filesize
1.4MB

Download
memory/3876-151-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3876-150-0x0000000000000000-mapping.dmp

Download
memory/3876-153-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3876-156-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4156-133-0x0000000002D30000-0x0000000002E98000-memory.dmp

Filesize
1.4MB

Download
memory/4156-134-0x0000000002612000-0x0000000002D2A000-memory.dmp

Filesize
7.1MB

Download
memory/4156-141-0x0000000002D30000-0x0000000002E98000-memory.dmp

Filesize
1.4MB

Download
memory/4156-132-0x0000000002612000-0x0000000002D2A000-memory.dmp

Filesize
7.1MB

Download
memory/4156-135-0x0000000002D30000-0x0000000002E98000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads