systembc | d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a

General

Target

D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe
Size

255KB
MD5

42355af7e650564732d94c7b60d0cfcb
SHA1

57463c359b84421c21d4a8b4a0641164ee49d5d7
SHA256

d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a
SHA512

ca3bc88d37a07e00c34c24386fac1768b30e74bcd136a1d164d0718c99ce3f5fd7c9cccb409f5c8dee6591a3fc710c8040faa0c90a31e742ff8c51a320ddb3df
SSDEEP

6144:4tQ/qjV2OueGV+YT2y0xKxJAm16J3VPQ39MUR:8p2uYyvK/j1soMo

Score

10^/10

systembc discovery trojan upx

Malware Config

Extracted

Family

systembc

C2

mdadvertx17.xyz:4044

pkspacex19.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exeicsadgk.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation	D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\International\Geo\Nation	icsadgk.exe

Executes dropped EXE 1 IoCs

Processes:

icsadgk.exe

pid process

1104 icsadgk.exe

pid	process
1104	icsadgk.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1776-55-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/1776-56-0x0000000000400000-0x0000000000471000-memory.dmp	upx
C:\ProgramData\nhshc\icsadgk.exe	upx
C:\ProgramData\nhshc\icsadgk.exe	upx
behavioral1/memory/1104-66-0x0000000000400000-0x0000000000471000-memory.dmp	upx
behavioral1/memory/1104-67-0x0000000000400000-0x0000000000471000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 2 IoCs

Processes:

D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe

description	ioc	process
File created	C:\Windows\Tasks\icsadgk.job	D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe
File opened for modification	C:\Windows\Tasks\icsadgk.job	D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe

pid process

1776 D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe

pid	process
1776	D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 668 wrote to memory of 1104	668	taskeng.exe	icsadgk.exe
PID 668 wrote to memory of 1104	668	taskeng.exe	icsadgk.exe
PID 668 wrote to memory of 1104	668	taskeng.exe	icsadgk.exe
PID 668 wrote to memory of 1104	668	taskeng.exe	icsadgk.exe

C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe
"C:\Users\Admin\AppData\Local\Temp\D7CD8A0D0003D4D6FB0E9B47B5661739FE1B9E8280643.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1776

C:\Windows\system32\taskeng.exe
taskeng.exe {D8796D4B-D062-4775-8E5C-D02BCE3D3152} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:668
- C:\ProgramData\nhshc\icsadgk.exe
  C:\ProgramData\nhshc\icsadgk.exe start2
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:1104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\nhshc\icsadgk.exe

Filesize
255KB

MD5
42355af7e650564732d94c7b60d0cfcb

SHA1
57463c359b84421c21d4a8b4a0641164ee49d5d7

SHA256
d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a

SHA512
ca3bc88d37a07e00c34c24386fac1768b30e74bcd136a1d164d0718c99ce3f5fd7c9cccb409f5c8dee6591a3fc710c8040faa0c90a31e742ff8c51a320ddb3df

Download Submit
C:\ProgramData\nhshc\icsadgk.exe

Filesize
255KB

MD5
42355af7e650564732d94c7b60d0cfcb

SHA1
57463c359b84421c21d4a8b4a0641164ee49d5d7

SHA256
d7cd8a0d0003d4d6fb0e9b47b5661739fe1b9e8280643c223d7537a07ad1343a

SHA512
ca3bc88d37a07e00c34c24386fac1768b30e74bcd136a1d164d0718c99ce3f5fd7c9cccb409f5c8dee6591a3fc710c8040faa0c90a31e742ff8c51a320ddb3df

Download Submit
memory/1104-67-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1104-63-0x0000000000000000-mapping.dmp

Download
memory/1104-73-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1104-71-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1104-66-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1776-55-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1776-56-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1776-57-0x0000000072481000-0x0000000072483000-memory.dmp

Filesize
8KB

Download
memory/1776-61-0x0000000002090000-0x0000000002098000-memory.dmp

Filesize
32KB

Download
memory/1776-60-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1776-54-0x00000000753F1000-0x00000000753F3000-memory.dmp

Filesize
8KB

Download
memory/1776-59-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1776-72-0x0000000000400000-0x0000000000471000-memory.dmp

Filesize
452KB

Download
memory/1776-58-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads