systembc | 22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55

General

Target

22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe
Size

700.4MB
MD5

96319a877bcdee0b4788a88b69b1f215
SHA1

6e1645c605965b20fab6775c0b676401cbbff00d
SHA256

22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55
SHA512

b2fcfe7a1a75b24323ba0ff96821c1561932f0c06136c4100b05eddfd667f9aecf6d488eed12c8cda52c2d9789d9120a24b7e16fc90b2c75d521563211c302c8
SSDEEP

6144:/EopXhSxHralFw1nXEjb5QM0Pq5Ml2QOyAm2c84fHNArD7V/2c84fH:2rkSnXEjupPa1QdAm2lgNCDx/2lg

Score

10^/10

systembc persistence trojan

Malware Config

Extracted

Family

systembc

C2

178.20.44.196:4127

192.168.1.149:4127

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,C:\\Users\\Admin\\AppData\\Roaming\\nvmcache\\raadmin.exe,"	reg.exe

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

raadmin.exe

pid process

1860 raadmin.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

392 cmd.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

raadmin.exe

description pid process target process

PID 1860 set thread context of 1608 1860 raadmin.exe jsc.exe
Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXEPING.EXE

pid process

536 PING.EXE
632 PING.EXE
2000 PING.EXE

pid	process
1860	raadmin.exe

pid	process
392	cmd.exe

description	pid	process	target process
PID 1860 set thread context of 1608	1860	raadmin.exe	jsc.exe

pid	process
536	PING.EXE
632	PING.EXE
2000	PING.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exeraadmin.exe

pid	process
652	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe
652	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe
652	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe
1860	raadmin.exe
1860	raadmin.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exeraadmin.exe

description	pid	process
Token: SeDebugPrivilege	652	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe
Token: SeDebugPrivilege	1860	raadmin.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.execmd.execmd.exeraadmin.exe

description	pid	process	target process
PID 652 wrote to memory of 1052	652	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe	cmd.exe
PID 652 wrote to memory of 1052	652	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe	cmd.exe
PID 652 wrote to memory of 1052	652	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe	cmd.exe
PID 652 wrote to memory of 1052	652	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe	cmd.exe
PID 1052 wrote to memory of 536	1052	cmd.exe	PING.EXE
PID 1052 wrote to memory of 536	1052	cmd.exe	PING.EXE
PID 1052 wrote to memory of 536	1052	cmd.exe	PING.EXE
PID 1052 wrote to memory of 536	1052	cmd.exe	PING.EXE
PID 652 wrote to memory of 392	652	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe	cmd.exe
PID 652 wrote to memory of 392	652	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe	cmd.exe
PID 652 wrote to memory of 392	652	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe	cmd.exe
PID 652 wrote to memory of 392	652	22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe	cmd.exe
PID 392 wrote to memory of 632	392	cmd.exe	PING.EXE
PID 392 wrote to memory of 632	392	cmd.exe	PING.EXE
PID 392 wrote to memory of 632	392	cmd.exe	PING.EXE
PID 392 wrote to memory of 632	392	cmd.exe	PING.EXE
PID 1052 wrote to memory of 844	1052	cmd.exe	reg.exe
PID 1052 wrote to memory of 844	1052	cmd.exe	reg.exe
PID 1052 wrote to memory of 844	1052	cmd.exe	reg.exe
PID 1052 wrote to memory of 844	1052	cmd.exe	reg.exe
PID 392 wrote to memory of 2000	392	cmd.exe	PING.EXE
PID 392 wrote to memory of 2000	392	cmd.exe	PING.EXE
PID 392 wrote to memory of 2000	392	cmd.exe	PING.EXE
PID 392 wrote to memory of 2000	392	cmd.exe	PING.EXE
PID 392 wrote to memory of 1860	392	cmd.exe	raadmin.exe
PID 392 wrote to memory of 1860	392	cmd.exe	raadmin.exe
PID 392 wrote to memory of 1860	392	cmd.exe	raadmin.exe
PID 392 wrote to memory of 1860	392	cmd.exe	raadmin.exe
PID 1860 wrote to memory of 1608	1860	raadmin.exe	jsc.exe
PID 1860 wrote to memory of 1608	1860	raadmin.exe	jsc.exe
PID 1860 wrote to memory of 1608	1860	raadmin.exe	jsc.exe
PID 1860 wrote to memory of 1608	1860	raadmin.exe	jsc.exe
PID 1860 wrote to memory of 1608	1860	raadmin.exe	jsc.exe
PID 1860 wrote to memory of 1608	1860	raadmin.exe	jsc.exe
PID 1860 wrote to memory of 1608	1860	raadmin.exe	jsc.exe
PID 1860 wrote to memory of 1608	1860	raadmin.exe	jsc.exe
PID 1860 wrote to memory of 1608	1860	raadmin.exe	jsc.exe
PID 1860 wrote to memory of 1608	1860	raadmin.exe	jsc.exe

C:\Users\Admin\AppData\Local\Temp\22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe
"C:\Users\Admin\AppData\Local\Temp\22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 57 > nul && REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\nvmcache\raadmin.exe,"
2⤵
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 57
3⤵
- Runs ping.exe
PID:536

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /f /v "Shell" /t REG_SZ /d "explorer.exe,C:\Users\Admin\AppData\Roaming\nvmcache\raadmin.exe,"
3⤵
- Modifies WinLogon for persistence
PID:844

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 69 > nul && copy "C:\Users\Admin\AppData\Local\Temp\22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55.exe" "C:\Users\Admin\AppData\Roaming\nvmcache\raadmin.exe" && ping 127.0.0.1 -n 69 > nul && "C:\Users\Admin\AppData\Roaming\nvmcache\raadmin.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 69
3⤵
- Runs ping.exe
PID:632

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 69
3⤵
- Runs ping.exe
PID:2000

C:\Users\Admin\AppData\Roaming\nvmcache\raadmin.exe
"C:\Users\Admin\AppData\Roaming\nvmcache\raadmin.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
4⤵
PID:1608

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1

T1004

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\nvmcache\raadmin.exe
Filesize
700.4MB

MD5
96319a877bcdee0b4788a88b69b1f215

SHA1
6e1645c605965b20fab6775c0b676401cbbff00d

SHA256
22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55

SHA512
b2fcfe7a1a75b24323ba0ff96821c1561932f0c06136c4100b05eddfd667f9aecf6d488eed12c8cda52c2d9789d9120a24b7e16fc90b2c75d521563211c302c8

Download Submit
C:\Users\Admin\AppData\Roaming\nvmcache\raadmin.exe
Filesize
700.4MB

MD5
96319a877bcdee0b4788a88b69b1f215

SHA1
6e1645c605965b20fab6775c0b676401cbbff00d

SHA256
22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55

SHA512
b2fcfe7a1a75b24323ba0ff96821c1561932f0c06136c4100b05eddfd667f9aecf6d488eed12c8cda52c2d9789d9120a24b7e16fc90b2c75d521563211c302c8

Download Submit
\Users\Admin\AppData\Roaming\nvmcache\raadmin.exe
Filesize
700.4MB

MD5
96319a877bcdee0b4788a88b69b1f215

SHA1
6e1645c605965b20fab6775c0b676401cbbff00d

SHA256
22ead9286bd771170d6b0dc050c67ff487e140918e9f0b529cde4d867dee9b55

SHA512
b2fcfe7a1a75b24323ba0ff96821c1561932f0c06136c4100b05eddfd667f9aecf6d488eed12c8cda52c2d9789d9120a24b7e16fc90b2c75d521563211c302c8

Download Submit
memory/392-60-0x0000000000000000-mapping.dmp

Download
memory/536-59-0x0000000000000000-mapping.dmp

Download
memory/632-61-0x0000000000000000-mapping.dmp

Download
memory/652-57-0x0000000000700000-0x0000000000718000-memory.dmp

Filesize
96KB

Download
memory/652-54-0x00000000009D0000-0x0000000000A54000-memory.dmp

Filesize
528KB

Download
memory/652-55-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/652-56-0x0000000000850000-0x0000000000880000-memory.dmp

Filesize
192KB

Download
memory/844-62-0x0000000000000000-mapping.dmp

Download
memory/1052-58-0x0000000000000000-mapping.dmp

Download
memory/1608-78-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1608-82-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1608-77-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1608-79-0x0000000000401000-mapping.dmp

Download
memory/1608-76-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1608-72-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1608-73-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1608-75-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1860-68-0x00000000013E0000-0x0000000001464000-memory.dmp

Filesize
528KB

Download
memory/1860-71-0x0000000000E00000-0x0000000000E06000-memory.dmp

Filesize
24KB

Download
memory/1860-70-0x0000000000B60000-0x0000000000B7A000-memory.dmp

Filesize
104KB

Download
memory/1860-65-0x0000000000000000-mapping.dmp

Download
memory/2000-63-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads