systembc | efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1

General

Target

3aad6e79569fcc68f0b8530225e08743.exe
Size

2.2MB
MD5

3aad6e79569fcc68f0b8530225e08743
SHA1

e1247952bedea6d68c471b779d673167d5e1d774
SHA256

efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1
SHA512

b30938d0210f9864f1165348f7bdbc1b6732687e8ee4a013b2c53f0ca0d212f8722cc8c6c4c187645f04d614cf2a21707869812c04ff551057f4d969141ab50d
SSDEEP

49152:Il8pLho6EEJZHFqdBiNz0ywwO++wddZHyo:8ULxEaHr0ywwO+RZHyo

Score

10^/10

systembc evasion trojan

Malware Config

Extracted

Family

systembc

C2

cryptotab.me:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

pluwd.exepluwd.exe3aad6e79569fcc68f0b8530225e08743.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	pluwd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	pluwd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3aad6e79569fcc68f0b8530225e08743.exe

Executes dropped EXE 2 IoCs

Processes:

pluwd.exepluwd.exe

pid process

568 pluwd.exe
1840 pluwd.exe

pid	process
568	pluwd.exe
1840	pluwd.exe

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

pluwd.exepluwd.exe3aad6e79569fcc68f0b8530225e08743.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	pluwd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	pluwd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	pluwd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	pluwd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3aad6e79569fcc68f0b8530225e08743.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3aad6e79569fcc68f0b8530225e08743.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

3aad6e79569fcc68f0b8530225e08743.exepluwd.exepluwd.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Wine	3aad6e79569fcc68f0b8530225e08743.exe
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Wine	pluwd.exe
Key opened	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Wine	pluwd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

3aad6e79569fcc68f0b8530225e08743.exepluwd.exepluwd.exe

pid process

1124 3aad6e79569fcc68f0b8530225e08743.exe
568 pluwd.exe
1840 pluwd.exe

pid	process
1124	3aad6e79569fcc68f0b8530225e08743.exe
568	pluwd.exe
1840	pluwd.exe

Drops file in Windows directory 2 IoCs

Processes:

3aad6e79569fcc68f0b8530225e08743.exe

description	ioc	process
File created	C:\Windows\Tasks\pluwd.job	3aad6e79569fcc68f0b8530225e08743.exe
File opened for modification	C:\Windows\Tasks\pluwd.job	3aad6e79569fcc68f0b8530225e08743.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

3aad6e79569fcc68f0b8530225e08743.exepluwd.exepluwd.exe

pid process

1124 3aad6e79569fcc68f0b8530225e08743.exe
1124 3aad6e79569fcc68f0b8530225e08743.exe
568 pluwd.exe
1840 pluwd.exe

pid	process
1124	3aad6e79569fcc68f0b8530225e08743.exe
1124	3aad6e79569fcc68f0b8530225e08743.exe
568	pluwd.exe
1840	pluwd.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 888 wrote to memory of 568	888	taskeng.exe	pluwd.exe
PID 888 wrote to memory of 568	888	taskeng.exe	pluwd.exe
PID 888 wrote to memory of 568	888	taskeng.exe	pluwd.exe
PID 888 wrote to memory of 568	888	taskeng.exe	pluwd.exe
PID 888 wrote to memory of 1840	888	taskeng.exe	pluwd.exe
PID 888 wrote to memory of 1840	888	taskeng.exe	pluwd.exe
PID 888 wrote to memory of 1840	888	taskeng.exe	pluwd.exe
PID 888 wrote to memory of 1840	888	taskeng.exe	pluwd.exe

C:\Users\Admin\AppData\Local\Temp\3aad6e79569fcc68f0b8530225e08743.exe
"C:\Users\Admin\AppData\Local\Temp\3aad6e79569fcc68f0b8530225e08743.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1124

C:\Windows\system32\taskeng.exe
taskeng.exe {17D27E6D-D5EC-4810-9AD8-D4888393DA0C} S-1-5-21-1214520366-621468234-4062160515-1000:VDWSWJJD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\ProgramData\jdxb\pluwd.exe
C:\ProgramData\jdxb\pluwd.exe start2
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:568

C:\ProgramData\jdxb\pluwd.exe
C:\ProgramData\jdxb\pluwd.exe start2
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1840

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jdxb\pluwd.exe
Filesize
2.2MB

MD5
3aad6e79569fcc68f0b8530225e08743

SHA1
e1247952bedea6d68c471b779d673167d5e1d774

SHA256
efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1

SHA512
b30938d0210f9864f1165348f7bdbc1b6732687e8ee4a013b2c53f0ca0d212f8722cc8c6c4c187645f04d614cf2a21707869812c04ff551057f4d969141ab50d

Download Submit
C:\ProgramData\jdxb\pluwd.exe
Filesize
2.2MB

MD5
3aad6e79569fcc68f0b8530225e08743

SHA1
e1247952bedea6d68c471b779d673167d5e1d774

SHA256
efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1

SHA512
b30938d0210f9864f1165348f7bdbc1b6732687e8ee4a013b2c53f0ca0d212f8722cc8c6c4c187645f04d614cf2a21707869812c04ff551057f4d969141ab50d

Download Submit
C:\ProgramData\jdxb\pluwd.exe
Filesize
2.2MB

MD5
3aad6e79569fcc68f0b8530225e08743

SHA1
e1247952bedea6d68c471b779d673167d5e1d774

SHA256
efb2b92a9ad40fb2d039fed04162ec421d3fd4bcd86adedbcb52d03ed5b742c1

SHA512
b30938d0210f9864f1165348f7bdbc1b6732687e8ee4a013b2c53f0ca0d212f8722cc8c6c4c187645f04d614cf2a21707869812c04ff551057f4d969141ab50d

Download Submit
memory/568-61-0x0000000000400000-0x00000000009C3000-memory.dmp

Filesize
5.8MB

Download
memory/568-66-0x0000000076FB0000-0x0000000077130000-memory.dmp

Filesize
1.5MB

Download
memory/568-64-0x0000000000400000-0x00000000009C3000-memory.dmp

Filesize
5.8MB

Download
memory/568-59-0x0000000000000000-mapping.dmp

Download
memory/1124-62-0x0000000076FB0000-0x0000000077130000-memory.dmp

Filesize
1.5MB

Download
memory/1124-54-0x0000000000400000-0x00000000009C3000-memory.dmp

Filesize
5.8MB

Download
memory/1124-57-0x0000000000400000-0x00000000009C3000-memory.dmp

Filesize
5.8MB

Download
memory/1124-65-0x0000000076FB0000-0x0000000077130000-memory.dmp

Filesize
1.5MB

Download
memory/1124-56-0x0000000076FB0000-0x0000000077130000-memory.dmp

Filesize
1.5MB

Download
memory/1124-55-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download
memory/1840-67-0x0000000000000000-mapping.dmp

Download
memory/1840-69-0x0000000000400000-0x00000000009C3000-memory.dmp

Filesize
5.8MB

Download
memory/1840-71-0x0000000076FB0000-0x0000000077130000-memory.dmp

Filesize
1.5MB

Download
memory/1840-72-0x0000000000400000-0x00000000009C3000-memory.dmp

Filesize
5.8MB

Download
memory/1840-73-0x0000000076FB0000-0x0000000077130000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads