systembc | 6c278ae9867cbc45cc7be476e60e455f525655e872b2a8231d36490262dbb7bb

Analysis

max time kernel
73s
max time network
98s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 14:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

2.0MB
MD5

f1fd2b7e551b16db977e670266a1f905
SHA1

7508ad4cbea2e4928c24d58c30bffde57e08b457
SHA256

6c278ae9867cbc45cc7be476e60e455f525655e872b2a8231d36490262dbb7bb
SHA512

c5625741c46b99dc936b9e844c83072ffb8f7e3b8ebcb7629670e9880835fd9b0794b3446193702ad621d9da772da154cc37025e68cab23c076fc9c6ddaec0f2
SSDEEP

49152:w+kVp8hPXfLoABGZLnv5FmANUc9k4LLXW9bYfhof736:wA18ABGZLnv5FeV4/XOYfAz

Score

10^/10

systembc evasion trojan

Malware Config

Extracted

Family

systembc

slavelever.info:4248

slavelevereoewl.info:4248

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

tmp.exetmp.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ tmp.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ tmp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	tmp.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	tmp.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp.exetmp.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	tmp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	tmp.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

tmp.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Wine tmp.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

tmp.exetmp.exe

pid process

784 tmp.exe
1272 tmp.exe
Drops file in Windows directory 2 IoCs

Processes:

tmp.exe

description ioc process

File created C:\Windows\Tasks\wow64.job tmp.exe
File opened for modification C:\Windows\Tasks\wow64.job tmp.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

tmp.exetmp.exe

pid process

784 tmp.exe
1272 tmp.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Wine	tmp.exe

pid	process
784	tmp.exe
1272	tmp.exe

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	tmp.exe
File opened for modification	C:\Windows\Tasks\wow64.job	tmp.exe

pid	process
784	tmp.exe
1272	tmp.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 2020 wrote to memory of 1272	2020	taskeng.exe	tmp.exe
PID 2020 wrote to memory of 1272	2020	taskeng.exe	tmp.exe
PID 2020 wrote to memory of 1272	2020	taskeng.exe	tmp.exe
PID 2020 wrote to memory of 1272	2020	taskeng.exe	tmp.exe
PID 2020 wrote to memory of 1272	2020	taskeng.exe	tmp.exe
PID 2020 wrote to memory of 1272	2020	taskeng.exe	tmp.exe
PID 2020 wrote to memory of 1272	2020	taskeng.exe	tmp.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:784

C:\Windows\system32\taskeng.exe
taskeng.exe {59500CA0-F37F-4DCF-A622-3F1AABEB600B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2020

C:\Users\Admin\AppData\Local\Temp\tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp.exe start
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-54-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/784-55-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/784-56-0x0000000077030000-0x00000000771B0000-memory.dmp

Filesize
1.5MB

Download
memory/784-57-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/784-63-0x0000000077030000-0x00000000771B0000-memory.dmp

Filesize
1.5MB

Download
memory/784-65-0x0000000077030000-0x00000000771B0000-memory.dmp

Filesize
1.5MB

Download
memory/1272-58-0x0000000000000000-mapping.dmp

Download
memory/1272-59-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/1272-61-0x0000000077030000-0x00000000771B0000-memory.dmp

Filesize
1.5MB

Download
memory/1272-62-0x0000000000400000-0x000000000089A000-memory.dmp

Filesize
4.6MB

Download
memory/1272-64-0x0000000077030000-0x00000000771B0000-memory.dmp

Filesize
1.5MB

Download