systembc | 16975eee0891f39d99601cc61d163911ae9e30aaf194c7f70c67eb02bb66a81e

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2022 14:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac006a4066fd3316240b6fe107569209.exe
Size

742KB
MD5

ac006a4066fd3316240b6fe107569209
SHA1

3a9fbfe82f5d259c36104df4206926d7a0cf82ef
SHA256

16975eee0891f39d99601cc61d163911ae9e30aaf194c7f70c67eb02bb66a81e
SHA512

c43ec5ff944f350b8582ffdf2dfa4d6e79013bc79ddc8ce4cd783b24609c496d8cc8004ddfb98bc35656c8014131803d7ebb462bd05e45153f289fb13a4a2201
SSDEEP

12288:rttTYdmKnGcSacTuDC8vidkVSGdNClgYcbRA3telMHpc1WPiML9B7uH04NqK3:BtTYdpSRj8ksQHelMJc1W/pB7eNL

Score

10^/10

systembc persistence trojan

Malware Config

Extracted

Family

systembc

reverse222.com:4193

reverse11.com:4193

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 2 IoCs

Processes:

Sua.exe.pifSua.exe.pif

pid process

1092 Sua.exe.pif
4980 Sua.exe.pif
Loads dropped DLL 6 IoCs

Processes:

Sua.exe.pif

pid process

1092 Sua.exe.pif
1092 Sua.exe.pif
1092 Sua.exe.pif
1092 Sua.exe.pif
1092 Sua.exe.pif
1092 Sua.exe.pif

pid	process
1092	Sua.exe.pif
4980	Sua.exe.pif

pid	process
1092	Sua.exe.pif
1092	Sua.exe.pif
1092	Sua.exe.pif
1092	Sua.exe.pif
1092	Sua.exe.pif
1092	Sua.exe.pif

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ac006a4066fd3316240b6fe107569209.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ac006a4066fd3316240b6fe107569209.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ac006a4066fd3316240b6fe107569209.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Sua.exe.pif

description pid process target process

PID 1092 set thread context of 4980 1092 Sua.exe.pif Sua.exe.pif
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2764 PING.EXE
5012 PING.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Sua.exe.pif

pid process

1092 Sua.exe.pif
1092 Sua.exe.pif
1092 Sua.exe.pif
1092 Sua.exe.pif
1092 Sua.exe.pif
1092 Sua.exe.pif
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Sua.exe.pif

pid process

1092 Sua.exe.pif
1092 Sua.exe.pif
1092 Sua.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Sua.exe.pif

pid process

1092 Sua.exe.pif
1092 Sua.exe.pif
1092 Sua.exe.pif

description	pid	process	target process
PID 1092 set thread context of 4980	1092	Sua.exe.pif	Sua.exe.pif

pid	process
2764	PING.EXE
5012	PING.EXE

pid	process
1092	Sua.exe.pif
1092	Sua.exe.pif
1092	Sua.exe.pif
1092	Sua.exe.pif
1092	Sua.exe.pif
1092	Sua.exe.pif

pid	process
1092	Sua.exe.pif
1092	Sua.exe.pif
1092	Sua.exe.pif

pid	process
1092	Sua.exe.pif
1092	Sua.exe.pif
1092	Sua.exe.pif

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

ac006a4066fd3316240b6fe107569209.execmd.execmd.exeSua.exe.pif

description	pid	process	target process
PID 372 wrote to memory of 4452	372	ac006a4066fd3316240b6fe107569209.exe	WerFault.exe
PID 372 wrote to memory of 4452	372	ac006a4066fd3316240b6fe107569209.exe	WerFault.exe
PID 372 wrote to memory of 4452	372	ac006a4066fd3316240b6fe107569209.exe	WerFault.exe
PID 372 wrote to memory of 3068	372	ac006a4066fd3316240b6fe107569209.exe	cmd.exe
PID 372 wrote to memory of 3068	372	ac006a4066fd3316240b6fe107569209.exe	cmd.exe
PID 372 wrote to memory of 3068	372	ac006a4066fd3316240b6fe107569209.exe	cmd.exe
PID 3068 wrote to memory of 4588	3068	cmd.exe	cmd.exe
PID 3068 wrote to memory of 4588	3068	cmd.exe	cmd.exe
PID 3068 wrote to memory of 4588	3068	cmd.exe	cmd.exe
PID 4588 wrote to memory of 2168	4588	cmd.exe	findstr.exe
PID 4588 wrote to memory of 2168	4588	cmd.exe	findstr.exe
PID 4588 wrote to memory of 2168	4588	cmd.exe	findstr.exe
PID 4588 wrote to memory of 1092	4588	cmd.exe	Sua.exe.pif
PID 4588 wrote to memory of 1092	4588	cmd.exe	Sua.exe.pif
PID 4588 wrote to memory of 1092	4588	cmd.exe	Sua.exe.pif
PID 4588 wrote to memory of 2764	4588	cmd.exe	PING.EXE
PID 4588 wrote to memory of 2764	4588	cmd.exe	PING.EXE
PID 4588 wrote to memory of 2764	4588	cmd.exe	PING.EXE
PID 3068 wrote to memory of 5012	3068	cmd.exe	PING.EXE
PID 3068 wrote to memory of 5012	3068	cmd.exe	PING.EXE
PID 3068 wrote to memory of 5012	3068	cmd.exe	PING.EXE
PID 1092 wrote to memory of 4980	1092	Sua.exe.pif	Sua.exe.pif
PID 1092 wrote to memory of 4980	1092	Sua.exe.pif	Sua.exe.pif
PID 1092 wrote to memory of 4980	1092	Sua.exe.pif	Sua.exe.pif
PID 1092 wrote to memory of 4980	1092	Sua.exe.pif	Sua.exe.pif
PID 1092 wrote to memory of 4980	1092	Sua.exe.pif	Sua.exe.pif

C:\Users\Admin\AppData\Local\Temp\ac006a4066fd3316240b6fe107569209.exe
"C:\Users\Admin\AppData\Local\Temp\ac006a4066fd3316240b6fe107569209.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\SysWOW64\WerFault.exe
WerFault.exe //////
2⤵
PID:4452

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Ora.cda & ping -n 5 localhost
2⤵
- Suspicious use of WriteProcessMemory
PID:3068

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^iUwMLwdQGUrlDeCntUResRJVqLgQgginvUHAyFyHCejmYCZZmUaizzbdkyMZNACaMFOJcwznPpAfFpWbMgdzVqtrbsgZTyUwmUMzOfEbBTalToKwoghnppvMBLjrMzFJgnPKbDJ$" Plasmare.cda
4⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sua.exe.pif
Sua.exe.pif a
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1092

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sua.exe.pif
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sua.exe.pif
5⤵
- Executes dropped EXE
PID:4980

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
4⤵
- Runs ping.exe
PID:2764

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
3⤵
- Runs ping.exe
PID:5012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bel.cda
Filesize
710KB

MD5
92fcb108844d3e7127dcc7287eb34ad9

SHA1
32fa7ab353e179415fa9bae033d9a58330e7030d

SHA256
5b95309f549121e405f8c45cafbead07348be530d756465306cc325697553946

SHA512
54d52174085bfa019bef204a4622c50467ee5c056777e162d27686922edaeba3180460458c1675b4c2f5c4b70d52842d8d35d9acdafb997c71507a844b8f49b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OdsxtHBXvACZS.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OdsxtHBXvACZS.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OdsxtHBXvACZS.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OdsxtHBXvACZS.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OdsxtHBXvACZS.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\OdsxtHBXvACZS.dll
Filesize
1.6MB

MD5
4f3387277ccbd6d1f21ac5c07fe4ca68

SHA1
e16506f662dc92023bf82def1d621497c8ab5890

SHA256
767a3fc4a7a6818cdc3f0b99aaa95db694f6bcde719d2057a88b3d4df3d74fac

SHA512
9da199ac69e3c0d4e0c6307e0ab8178f12cc25cb2f14c3511f6b64e6e60a925c860f3263cb38353a97b55a71ef4d27f8cb7fa3cfc08e7c1a349fd8d209dfa219

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ora.cda
Filesize
8KB

MD5
1e556573aab916a0da587d261b72f254

SHA1
8ac14add8d4092c1bfaa21bf75f158b00f0f2d0c

SHA256
a3ad93f8f7feece6c972c7a211ecf8670641cea65eb0fa778e9564691523f22b

SHA512
d4f9294b8550c30b4f32b0635a598bd20c15958194e4570827a07b1dd2d9614e7958147338937d606a111ba1b7fdf7e14323259fecf6c4d31096881a5de926f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Plasmare.cda
Filesize
924KB

MD5
8fbc8dfd866fcbcc2ddebd5461d21dcb

SHA1
a9131b4a3bb23748f61fe01b9e361c9523951a2d

SHA256
7f1f6566d5f4cd773d1d8630a72b28df644d5c57f00746c3c542ed5db7d6f114

SHA512
fa79500c67ba2ace40cd2c925c33c1c2625a9f99fbed67b2c1806c511106526b46c154104803d13c5e9a0657cb2e785f0f2f9a9cb305d343ba09b86a4c0ac97a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sua.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sua.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Sua.exe.pif
Filesize
924KB

MD5
6987e4cd3f256462f422326a7ef115b9

SHA1
71672a495b4603ecfec40a65254cb3ba8766bbe0

SHA256
3e26723394ade92f8163b5643960189cb07358b0f96529a477d37176d68aa0a0

SHA512
4b1d7f7ffee39a2d65504767beeddd4c3374807a93889b14e7e73db11e478492dec349aedca03ce828f21a66bb666a68d3735443f4249556e10825a4cd7dfeb4

Download Submit
memory/1092-139-0x0000000000000000-mapping.dmp

Download
memory/2168-136-0x0000000000000000-mapping.dmp

Download
memory/2764-141-0x0000000000000000-mapping.dmp

Download
memory/3068-133-0x0000000000000000-mapping.dmp

Download
memory/4452-132-0x0000000000000000-mapping.dmp

Download
memory/4588-135-0x0000000000000000-mapping.dmp

Download
memory/4980-149-0x0000000001630000-0x0000000001637000-memory.dmp

Filesize
28KB

Download
memory/4980-144-0x0000000000000000-mapping.dmp

Download
memory/4980-155-0x0000000001630000-0x0000000001637000-memory.dmp

Filesize
28KB

Download
memory/5012-142-0x0000000000000000-mapping.dmp

Download