systembc | 2ba9e1fa5bac1c4ff40a3d1301e730cff2007f7bbec73997b60b679c46f304de

General

Target

adobe.exe
Size

475.6MB
MD5

3450e33a31a58590b7b0f76d95f1c15b
SHA1

ee672c96f12484c3dae64fd964a4427b3cc6565b
SHA256

2ba9e1fa5bac1c4ff40a3d1301e730cff2007f7bbec73997b60b679c46f304de
SHA512

fa3558fce1eb2549586477f080ed3f1dcc730c6d30eb9fc10c1a9b7c67ab8c906f245618855711fa26ed41216a8863f348d75af24fe8dbf5783508ac5013efa7
SSDEEP

49152:ZC6nMrcpEgloAXxQ8+vHe1NkQLUEHgnpY:ZNBjloAhR+/m+Ugn

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

45.138.74.200:4001

212.8.244.5:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

adobe.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation adobe.exe
Executes dropped EXE 1 IoCs

Processes:

Filedifi siteyig.exe

pid process

672 Filedifi siteyig.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3292 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

792 PING.EXE

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	adobe.exe

pid	process
672	Filedifi siteyig.exe

pid	process
3292	schtasks.exe

pid	process
792	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

adobe.exeFiledifi siteyig.exe

pid	process
2376	adobe.exe
2376	adobe.exe
2376	adobe.exe
2376	adobe.exe
2376	adobe.exe
2376	adobe.exe
2376	adobe.exe
2376	adobe.exe
2376	adobe.exe
2376	adobe.exe
672	Filedifi siteyig.exe
672	Filedifi siteyig.exe
672	Filedifi siteyig.exe
672	Filedifi siteyig.exe
672	Filedifi siteyig.exe
672	Filedifi siteyig.exe
672	Filedifi siteyig.exe
672	Filedifi siteyig.exe
672	Filedifi siteyig.exe
672	Filedifi siteyig.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

adobe.execmd.exe

description	pid	process	target process
PID 2376 wrote to memory of 3292	2376	adobe.exe	schtasks.exe
PID 2376 wrote to memory of 3292	2376	adobe.exe	schtasks.exe
PID 2376 wrote to memory of 3292	2376	adobe.exe	schtasks.exe
PID 2376 wrote to memory of 672	2376	adobe.exe	Filedifi siteyig.exe
PID 2376 wrote to memory of 672	2376	adobe.exe	Filedifi siteyig.exe
PID 2376 wrote to memory of 672	2376	adobe.exe	Filedifi siteyig.exe
PID 2376 wrote to memory of 1628	2376	adobe.exe	cmd.exe
PID 2376 wrote to memory of 1628	2376	adobe.exe	cmd.exe
PID 2376 wrote to memory of 1628	2376	adobe.exe	cmd.exe
PID 1628 wrote to memory of 3304	1628	cmd.exe	chcp.com
PID 1628 wrote to memory of 3304	1628	cmd.exe	chcp.com
PID 1628 wrote to memory of 3304	1628	cmd.exe	chcp.com

C:\Users\Admin\AppData\Local\Temp\adobe.exe
"C:\Users\Admin\AppData\Local\Temp\adobe.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Jis loyakaga codaf nata cabiki\Filedifi siteyig.exe"
2⤵
- Creates scheduled task(s)
PID:3292

C:\Users\Admin\Jis loyakaga codaf nata cabiki\Filedifi siteyig.exe
"C:\Users\Admin\Jis loyakaga codaf nata cabiki\Filedifi siteyig.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
3⤵
PID:2512

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\adobe.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:3304

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:792

C:\Windows\SysWOW64\fontview.exe
"C:\Windows\SYSWOW64\fontview.exe"
1⤵
PID:3336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240567468.dll
Filesize
334KB

MD5
4cb75f40755bf606f8a5f1b0bc1db511

SHA1
0e4fd3965245063a55ab411016a98c52e3498bca

SHA256
4c3b45b602867d875c6377fca5823a5134f991858d69efce61cccf63b3eadc3f

SHA512
2e54c0c7dba5cd54362a0d9a9407431faed52aba86acefe3843e509c316e9f51f12f6f17d2762f42d3c5e1f588bb774d0c9683c7f9527cf33a8a0c12634cef48

Download Submit
C:\Users\Admin\Jis loyakaga codaf nata cabiki\Filedifi siteyig.exe
Filesize
106.4MB

MD5
81b828f81ffc24f3dc7e4c408f883f29

SHA1
c4c2d220ec3624b811dd8f778d8cff5c6059725b

SHA256
4c6c9aff748477ba78c0c90c6e06caa1a3b4cb9aa78d2bdb53916e421b28565d

SHA512
19dcd2783e8e6d26fcd6aac0c89194e7a14e3765d34e749b6d840a08e2a7b7d661cd14cdc540179dd7d1734fbca17d3bbb6f16ed9bdeb0a2618d0fa6ef6f6659

Download Submit
C:\Users\Admin\Jis loyakaga codaf nata cabiki\Filedifi siteyig.exe
Filesize
115.6MB

MD5
a55c2eb1ff89145324afe972bdea5148

SHA1
30c5a24de32793a6998384aec12efdfb26f42f15

SHA256
0e44c8ba87f6fa6d410b3f5dde4a9c75ce92f05d7d034bc85b077ade053cfa84

SHA512
5803e9c5717a6f25a10e6fb4c5b5e9f394a7318f814bad1497237a1d0897db73a592c4cc87c4a7c0e3cbc8b3cf6b1ed027f3f3915d7085c02331589ce16d92a7

Download Submit
C:\Users\Admin\Jis loyakaga codaf nata cabiki\Filedifi siteyig.exe
Filesize
111.5MB

MD5
5283ee8e518e4ffd132386b9c85f91eb

SHA1
9eef4bd93127b94f0ebd3964e5f2f82f4afd470a

SHA256
a5621ceb7adc05be72ab67b03c9002f54715db073be8bde087179a0d71169bb1

SHA512
a81412bdae1d20e793585e5104307e1cb22a0e32d6cb9ee27031c811e3dea349f7944c5a65222c031ce77d6e893d6c69641dcc08c5606c90b313a03d38779503

Download Submit
memory/672-144-0x000000000D8B0000-0x000000000D919000-memory.dmp

Filesize
420KB

Download
memory/2512-145-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2512-147-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2512-148-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2512-149-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3336-154-0x0000000000820000-0x0000000000853000-memory.dmp

Filesize
204KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads