systembc | bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b

Analysis

max time kernel
164s
max time network
290s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
05/10/2022, 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
Size

8.2MB
MD5

23150d8faa66ce23299e2c032b8fd62f
SHA1

26c7c604d01f784931a3a95f1efeb56bfe1aec69
SHA256

bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b
SHA512

17ae25cce526a5eb11202cc779f5d62fc45b14a4d547e2eb88694dc21c83fdb853731adfd7cb47fb3499f140ddedf61175415504a0c93cb2ed3b3f25e989f5e7
SSDEEP

196608:JzxikPsLoM1ZPdUYcoV1alsmMzU5tReoS+P6n:JzIkP7M1ZP64alnB5t5SF

Score

10^/10

systembc evasion themida trojan

Malware Config

Extracted

Family

systembc

89.22.225.242:4193

195.2.93.22:4193

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe

Executes dropped EXE 1 IoCs

pid	Process
4272	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/2840-128-0x00000000009B0000-0x00000000011F1000-memory.dmp	themida
behavioral2/memory/2840-151-0x00000000009B0000-0x00000000011F1000-memory.dmp	themida
behavioral2/memory/2840-152-0x00000000009B0000-0x00000000011F1000-memory.dmp	themida
behavioral2/files/0x000b00000001abb9-206.dat	themida
behavioral2/memory/4272-217-0x00000000009E0000-0x0000000001221000-memory.dmp	themida
behavioral2/memory/2840-224-0x00000000009B0000-0x00000000011F1000-memory.dmp	themida
behavioral2/memory/4272-265-0x00000000009E0000-0x0000000001221000-memory.dmp	themida
behavioral2/memory/4272-304-0x00000000009E0000-0x0000000001221000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4272 set thread context of 4600	4272	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe	73

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4908	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2276	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2840	bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
2840	bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
2840	bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
2840	bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
2840	bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
2840	bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
2840	bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
2840	bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
2840	bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
2840	bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
4272	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
4272	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
4272	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
4272	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
4272	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
4272	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
4272	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
4272	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
4272	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
4272	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 4908	2840	bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe	66
PID 2840 wrote to memory of 4908	2840	bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe	66
PID 2840 wrote to memory of 4908	2840	bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe	66
PID 2840 wrote to memory of 4272	2840	bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe	68
PID 2840 wrote to memory of 4272	2840	bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe	68
PID 2840 wrote to memory of 4272	2840	bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe	68
PID 2840 wrote to memory of 704	2840	bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe	69
PID 2840 wrote to memory of 704	2840	bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe	69
PID 2840 wrote to memory of 704	2840	bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe	69
PID 704 wrote to memory of 4008	704	cmd.exe	71
PID 704 wrote to memory of 4008	704	cmd.exe	71
PID 704 wrote to memory of 4008	704	cmd.exe	71
PID 704 wrote to memory of 2276	704	cmd.exe	72
PID 704 wrote to memory of 2276	704	cmd.exe	72
PID 704 wrote to memory of 2276	704	cmd.exe	72
PID 4272 wrote to memory of 4600	4272	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe	73
PID 4272 wrote to memory of 4600	4272	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe	73
PID 4272 wrote to memory of 4600	4272	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe	73
PID 4272 wrote to memory of 4600	4272	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe	73
PID 4272 wrote to memory of 4600	4272	migeyih quipaha xajiced banokora ririb bevirov kimatis.exe	73

C:\Users\Admin\AppData\Local\Temp\bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe
"C:\Users\Admin\AppData\Local\Temp\bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Dage qui podeta xesaxapo copib pab tiqu fixolol pok xowa niweke\migeyih quipaha xajiced banokora ririb bevirov kimatis.exe"
  2⤵
  - Creates scheduled task(s)
  PID:4908
- C:\Users\Admin\Dage qui podeta xesaxapo copib pab tiqu fixolol pok xowa niweke\migeyih quipaha xajiced banokora ririb bevirov kimatis.exe
  "C:\Users\Admin\Dage qui podeta xesaxapo copib pab tiqu fixolol pok xowa niweke\migeyih quipaha xajiced banokora ririb bevirov kimatis.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:4600
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\bbd8b41c49eaee839da5fc62c999761efb835e7eb84f73cbf531cf0dd40c608b.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:4008
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:2276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Dage qui podeta xesaxapo copib pab tiqu fixolol pok xowa niweke\migeyih quipaha xajiced banokora ririb bevirov kimatis.exe

Filesize
816.2MB

MD5
6091e0da6afd76a1f90594023f4226aa

SHA1
5050f60d446eaf23177e3996cbae40914268acf5

SHA256
87e9a03aa00a3f36610eb8a49c09b0d33029542a69405e04382a0d25bea1637b

SHA512
937dc14bc21e9408bd2b9d4fa65ab5e0922defa5bc88747eb4e8d79b9eabc80bb2ffb7df059ae75672bbcadd33d2dd663b7bf3d1796051f94869351042ed4372

Download Submit
memory/2840-163-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-165-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-123-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-124-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-125-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-126-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-128-0x00000000009B0000-0x00000000011F1000-memory.dmp

Filesize
8.3MB

Download
memory/2840-129-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-130-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-127-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-131-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-132-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-133-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-134-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-135-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-136-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-137-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-138-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-139-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-140-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-141-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-142-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-143-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-144-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-145-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-146-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-147-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-148-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-149-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-150-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-151-0x00000000009B0000-0x00000000011F1000-memory.dmp

Filesize
8.3MB

Download
memory/2840-152-0x00000000009B0000-0x00000000011F1000-memory.dmp

Filesize
8.3MB

Download
memory/2840-154-0x0000000002EE0000-0x0000000003628000-memory.dmp

Filesize
7.3MB

Download
memory/2840-156-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-157-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-158-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-159-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-160-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-161-0x0000000003630000-0x00000000037AC000-memory.dmp

Filesize
1.5MB

Download
memory/2840-121-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-122-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-162-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-120-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-166-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-167-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-168-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-169-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-170-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-171-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-172-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-173-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-174-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-175-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-176-0x0000000002EE0000-0x0000000003628000-memory.dmp

Filesize
7.3MB

Download
memory/2840-177-0x0000000003630000-0x00000000037AC000-memory.dmp

Filesize
1.5MB

Download
memory/2840-178-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-179-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-180-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-181-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-182-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-183-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-184-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/2840-224-0x00000000009B0000-0x00000000011F1000-memory.dmp

Filesize
8.3MB

Download
memory/2840-164-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/4272-217-0x00000000009E0000-0x0000000001221000-memory.dmp

Filesize
8.3MB

Download
memory/4272-295-0x00000000029D0000-0x0000000003113000-memory.dmp

Filesize
7.3MB

Download
memory/4272-304-0x00000000009E0000-0x0000000001221000-memory.dmp

Filesize
8.3MB

Download
memory/4272-296-0x0000000003120000-0x0000000003291000-memory.dmp

Filesize
1.4MB

Download
memory/4272-265-0x00000000009E0000-0x0000000001221000-memory.dmp

Filesize
8.3MB

Download
memory/4272-294-0x0000000003120000-0x0000000003291000-memory.dmp

Filesize
1.4MB

Download
memory/4272-279-0x00000000029D0000-0x0000000003113000-memory.dmp

Filesize
7.3MB

Download
memory/4272-298-0x00000000029D0000-0x0000000003113000-memory.dmp

Filesize
7.3MB

Download
memory/4600-339-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4908-186-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/4908-187-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/4908-188-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/4908-189-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/4908-190-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/4908-191-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download
memory/4908-192-0x00000000772F0000-0x000000007747E000-memory.dmp

Filesize
1.6MB

Download