systembc | b1852de0ce746f19baffdcb3a694b3a65a5dc813e2dfc0046da9474401f1ecbb

General

Target

189e395afb4efe7bc8e300b644c1b290.exe
Size

1.8MB
MD5

189e395afb4efe7bc8e300b644c1b290
SHA1

eabb53d1508bc5855360b387beb91429eff26f60
SHA256

b1852de0ce746f19baffdcb3a694b3a65a5dc813e2dfc0046da9474401f1ecbb
SHA512

90ae2566ca1b63840c9a088b754c7097e823a4c24ea7436948c2566d052031f7f18d9666e4e150eed2e09b76df14b41c1e6fd1975ee0dd89baca5602c72b0141
SSDEEP

49152:rOf7VkgZ41jwavGHKtNq8zE6AIQwX+LwULebD/M:rOfBx41PvrtNlAchOLIM

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

89.22.225.242:4193

195.2.93.22:4193

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

qui quequeh jos popipo fiqui xobeneja xepo.exe

pid process

2212 qui quequeh jos popipo fiqui xobeneja xepo.exe

pid	process
2212	qui quequeh jos popipo fiqui xobeneja xepo.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

189e395afb4efe7bc8e300b644c1b290.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	189e395afb4efe7bc8e300b644c1b290.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4308 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3724 PING.EXE

pid	process
4308	schtasks.exe

pid	process
3724	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

189e395afb4efe7bc8e300b644c1b290.exequi quequeh jos popipo fiqui xobeneja xepo.exe

pid	process
4992	189e395afb4efe7bc8e300b644c1b290.exe
4992	189e395afb4efe7bc8e300b644c1b290.exe
4992	189e395afb4efe7bc8e300b644c1b290.exe
4992	189e395afb4efe7bc8e300b644c1b290.exe
4992	189e395afb4efe7bc8e300b644c1b290.exe
4992	189e395afb4efe7bc8e300b644c1b290.exe
4992	189e395afb4efe7bc8e300b644c1b290.exe
4992	189e395afb4efe7bc8e300b644c1b290.exe
4992	189e395afb4efe7bc8e300b644c1b290.exe
4992	189e395afb4efe7bc8e300b644c1b290.exe
2212	qui quequeh jos popipo fiqui xobeneja xepo.exe
2212	qui quequeh jos popipo fiqui xobeneja xepo.exe
2212	qui quequeh jos popipo fiqui xobeneja xepo.exe
2212	qui quequeh jos popipo fiqui xobeneja xepo.exe
2212	qui quequeh jos popipo fiqui xobeneja xepo.exe
2212	qui quequeh jos popipo fiqui xobeneja xepo.exe
2212	qui quequeh jos popipo fiqui xobeneja xepo.exe
2212	qui quequeh jos popipo fiqui xobeneja xepo.exe
2212	qui quequeh jos popipo fiqui xobeneja xepo.exe
2212	qui quequeh jos popipo fiqui xobeneja xepo.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

189e395afb4efe7bc8e300b644c1b290.execmd.exe

description	pid	process	target process
PID 4992 wrote to memory of 4308	4992	189e395afb4efe7bc8e300b644c1b290.exe	schtasks.exe
PID 4992 wrote to memory of 4308	4992	189e395afb4efe7bc8e300b644c1b290.exe	schtasks.exe
PID 4992 wrote to memory of 4308	4992	189e395afb4efe7bc8e300b644c1b290.exe	schtasks.exe
PID 4992 wrote to memory of 2212	4992	189e395afb4efe7bc8e300b644c1b290.exe	qui quequeh jos popipo fiqui xobeneja xepo.exe
PID 4992 wrote to memory of 2212	4992	189e395afb4efe7bc8e300b644c1b290.exe	qui quequeh jos popipo fiqui xobeneja xepo.exe
PID 4992 wrote to memory of 2212	4992	189e395afb4efe7bc8e300b644c1b290.exe	qui quequeh jos popipo fiqui xobeneja xepo.exe
PID 4992 wrote to memory of 2164	4992	189e395afb4efe7bc8e300b644c1b290.exe	cmd.exe
PID 4992 wrote to memory of 2164	4992	189e395afb4efe7bc8e300b644c1b290.exe	cmd.exe
PID 4992 wrote to memory of 2164	4992	189e395afb4efe7bc8e300b644c1b290.exe	cmd.exe
PID 2164 wrote to memory of 4892	2164	cmd.exe	chcp.com
PID 2164 wrote to memory of 4892	2164	cmd.exe	chcp.com
PID 2164 wrote to memory of 4892	2164	cmd.exe	chcp.com
PID 2164 wrote to memory of 3724	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 3724	2164	cmd.exe	PING.EXE
PID 2164 wrote to memory of 3724	2164	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\189e395afb4efe7bc8e300b644c1b290.exe
"C:\Users\Admin\AppData\Local\Temp\189e395afb4efe7bc8e300b644c1b290.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\bisita gaxamo\qui quequeh jos popipo fiqui xobeneja xepo.exe"
2⤵
- Creates scheduled task(s)
PID:4308

C:\Users\Admin\bisita gaxamo\qui quequeh jos popipo fiqui xobeneja xepo.exe
"C:\Users\Admin\bisita gaxamo\qui quequeh jos popipo fiqui xobeneja xepo.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2212

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\189e395afb4efe7bc8e300b644c1b290.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:4892

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:3724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\bisita gaxamo\qui quequeh jos popipo fiqui xobeneja xepo.exe

Filesize
690.9MB

MD5
c52464f2e2581b83b24f966ffe4389cc

SHA1
8ea7bf55241491cbf615ff4a096f1b1dc62d5dbb

SHA256
2de7552e86d19e4e8dbc97315bdae4017e74108c26381fbf8fbac473f7b913ec

SHA512
32e43b480859b0f2296f0b1f78c61e2ead361d7afcfd07e26f34fa2798a22966578b97d8bd5acfb983bffbc0c13a8e29d3bc502c3e9eda3fce799e2d2b2eca55

Download Submit
memory/2164-139-0x0000000000000000-mapping.dmp

Download
memory/2212-144-0x0000000002D6B000-0x0000000002F09000-memory.dmp

Filesize
1.6MB

Download
memory/2212-145-0x0000000002386000-0x0000000002D52000-memory.dmp

Filesize
9.8MB

Download
memory/2212-152-0x000000000DB90000-0x000000000DC01000-memory.dmp

Filesize
452KB

Download
memory/2212-149-0x000000000DB80000-0x000000000DB87000-memory.dmp

Filesize
28KB

Download
memory/2212-137-0x0000000000000000-mapping.dmp

Download
memory/2212-148-0x000000000DB90000-0x000000000DC01000-memory.dmp

Filesize
452KB

Download
memory/2212-140-0x0000000002386000-0x0000000002D52000-memory.dmp

Filesize
9.8MB

Download
memory/2212-147-0x000000000DB90000-0x000000000DC01000-memory.dmp

Filesize
452KB

Download
memory/2212-146-0x0000000002D6B000-0x0000000002F09000-memory.dmp

Filesize
1.6MB

Download
memory/3724-143-0x0000000000000000-mapping.dmp

Download
memory/4308-136-0x0000000000000000-mapping.dmp

Download
memory/4892-142-0x0000000000000000-mapping.dmp

Download
memory/4992-132-0x000000000256B000-0x0000000002F37000-memory.dmp

Filesize
9.8MB

Download
memory/4992-135-0x0000000002F49000-0x00000000030E7000-memory.dmp

Filesize
1.6MB

Download
memory/4992-141-0x0000000002F49000-0x00000000030E7000-memory.dmp

Filesize
1.6MB

Download
memory/4992-133-0x0000000002F49000-0x00000000030E7000-memory.dmp

Filesize
1.6MB

Download
memory/4992-134-0x000000000256B000-0x0000000002F37000-memory.dmp

Filesize
9.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads