systembc | 8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c

General

Target

8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c.exe
Size

698.1MB
MD5

4ecaa168b95dd762fdcaea1b47b2a112
SHA1

962137afc085b16a55a44bbf6a3d62b2b3d6a6ee
SHA256

8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c
SHA512

445b456ee8456695c75ed46ac65f65d4fb91fae59f05f6d9ed6f98123300aa9a354d19299e17e0a58348db000a9860538066be8fc7ee316ec59dda4ff832d0a5
SSDEEP

49152:WbGala7PGeJAyPjmSE83wQ52Ah1aYIziFbJATz9RJv5gns6hjVDmivym:NaleMyBfHqzR6dVDmivym

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

185.209.30.138:4127

192.168.1.149:4127

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Executes dropped EXE 1 IoCs

pid	Process
884	Vik yefas das wam xox fogica migoqua quibi-gicek.exe

Deletes itself 1 IoCs

pid	Process
1732	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1284	8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c.exe
1284	8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
856	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1152	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1284	8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c.exe
1284	8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c.exe
1284	8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c.exe
1284	8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c.exe
1284	8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c.exe
884	Vik yefas das wam xox fogica migoqua quibi-gicek.exe
884	Vik yefas das wam xox fogica migoqua quibi-gicek.exe
884	Vik yefas das wam xox fogica migoqua quibi-gicek.exe
884	Vik yefas das wam xox fogica migoqua quibi-gicek.exe
884	Vik yefas das wam xox fogica migoqua quibi-gicek.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 856	1284	8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c.exe	27
PID 1284 wrote to memory of 856	1284	8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c.exe	27
PID 1284 wrote to memory of 856	1284	8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c.exe	27
PID 1284 wrote to memory of 856	1284	8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c.exe	27
PID 1284 wrote to memory of 884	1284	8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c.exe	29
PID 1284 wrote to memory of 884	1284	8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c.exe	29
PID 1284 wrote to memory of 884	1284	8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c.exe	29
PID 1284 wrote to memory of 884	1284	8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c.exe	29
PID 1284 wrote to memory of 1732	1284	8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c.exe	30
PID 1284 wrote to memory of 1732	1284	8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c.exe	30
PID 1284 wrote to memory of 1732	1284	8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c.exe	30
PID 1284 wrote to memory of 1732	1284	8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c.exe	30
PID 1732 wrote to memory of 1016	1732	cmd.exe	32
PID 1732 wrote to memory of 1016	1732	cmd.exe	32
PID 1732 wrote to memory of 1016	1732	cmd.exe	32
PID 1732 wrote to memory of 1016	1732	cmd.exe	32
PID 1732 wrote to memory of 1152	1732	cmd.exe	33
PID 1732 wrote to memory of 1152	1732	cmd.exe	33
PID 1732 wrote to memory of 1152	1732	cmd.exe	33
PID 1732 wrote to memory of 1152	1732	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c.exe
"C:\Users\Admin\AppData\Local\Temp\8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Jogeb pomok\Vik yefas das wam xox fogica migoqua quibi-gicek.exe"
  2⤵
  - Creates scheduled task(s)
  PID:856
- C:\Users\Admin\Jogeb pomok\Vik yefas das wam xox fogica migoqua quibi-gicek.exe
  "C:\Users\Admin\Jogeb pomok\Vik yefas das wam xox fogica migoqua quibi-gicek.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\8b862b5b0e4fdb4d398055c790a8846089b53ee47ce605efd3198426e4edaf4c.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    PID:1016
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Jogeb pomok\Vik yefas das wam xox fogica migoqua quibi-gicek.exe

Filesize
1115.7MB

MD5
9afd17dfe9002c11042951f38606346e

SHA1
d3cad6402dc8419ce4fcef141c67b33b88f4fe29

SHA256
baef20a5502a7a0821d36162724d7e02762fa0419cc72660744f78aba2d65ab5

SHA512
fe5a227e02630f8224a5b6c45d38f0f01e985df45b9eab4738e87a625d34b256d14cffbbf94d331c70f2490b0f65ca565c08476494cd584f6916e81c4e5a79e8

Download Submit
\Users\Admin\Jogeb pomok\Vik yefas das wam xox fogica migoqua quibi-gicek.exe

Filesize
942.5MB

MD5
5be0e70d08c22c7f5f561265ed5ebbcc

SHA1
a3469fd6bb7c2946653c129925cf0a3f314c4b62

SHA256
d5adf59c5ef5d396944f993bc0a1b1731f4fb555e69848fbabb15f6a2d7031fa

SHA512
d0ae6b2383bef83874382987451556b9d4a5d29cac47c26902edb7580b7bd080fe396dbd02f8144cb5c7fdf53225c8a9d6fe70960d649e62d191c39d02b6d48c

Download Submit
\Users\Admin\Jogeb pomok\Vik yefas das wam xox fogica migoqua quibi-gicek.exe

Filesize
1089.2MB

MD5
0de5a430dd3bfa48e3ce037522cb34aa

SHA1
ebab0e21e3795e5a281c872f57262f7f187e1d1a

SHA256
ed01f40979f8627f2ba159e74924ae9a68e44d1e00c6a548841b5bafd0d0d4fe

SHA512
243ebddcde779112717d06f7b8742fdabf2e2e62bbd73d886c9258b7dec5c0aa98edc9e02f6b43944dc9225efabef85a87f41421c777bda430ec7e2c3182be3f

Download Submit
memory/884-73-0x0000000002980000-0x0000000002B22000-memory.dmp

Filesize
1.6MB

Download
memory/884-74-0x0000000002980000-0x0000000002B22000-memory.dmp

Filesize
1.6MB

Download
memory/884-75-0x0000000002980000-0x0000000002B22000-memory.dmp

Filesize
1.6MB

Download
memory/884-76-0x00000000027F0000-0x0000000002877000-memory.dmp

Filesize
540KB

Download
memory/884-77-0x00000000003E0000-0x00000000003E7000-memory.dmp

Filesize
28KB

Download
memory/884-80-0x00000000027F0000-0x0000000002877000-memory.dmp

Filesize
540KB

Download
memory/884-72-0x0000000001FA0000-0x000000000297E000-memory.dmp

Filesize
9.9MB

Download
memory/884-67-0x0000000001FA0000-0x000000000297E000-memory.dmp

Filesize
9.9MB

Download
memory/1284-60-0x0000000002960000-0x0000000002B02000-memory.dmp

Filesize
1.6MB

Download
memory/1284-69-0x0000000002960000-0x0000000002B02000-memory.dmp

Filesize
1.6MB

Download
memory/1284-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1284-59-0x0000000001F80000-0x000000000295E000-memory.dmp

Filesize
9.9MB

Download
memory/1284-58-0x0000000002960000-0x0000000002B02000-memory.dmp

Filesize
1.6MB

Download
memory/1284-57-0x0000000002960000-0x0000000002B02000-memory.dmp

Filesize
1.6MB

Download
memory/1284-56-0x0000000001F80000-0x000000000295E000-memory.dmp

Filesize
9.9MB

Download
memory/1284-55-0x0000000001F80000-0x000000000295E000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads