systembc | a2bf4098b65e0efb8bc9cba70cfb5e36d01de5f591d100bb429a5dc3ef6c3bc3

General

Target

b1d156c496219977a9cd4355094613f5.exe
Size

1.1MB
MD5

b1d156c496219977a9cd4355094613f5
SHA1

2f0476f22e05455ff4e56171438d16ff87291ea5
SHA256

a2bf4098b65e0efb8bc9cba70cfb5e36d01de5f591d100bb429a5dc3ef6c3bc3
SHA512

cf2b36778aa5a54b082de89b9e0e4404e00cf634ba9d7cfe8a8f21a8a39be0787a042328688af18f6fe6a144d869a73100267e1301cfbbd0701c7c3595dc81cc
SSDEEP

24576:kob9rHzThqel1mK5XJent7IL+PYL65XPr5JfQZZ0WgisS:kE9TTRlvS5YL6ptJfQZiWg3S

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

45.138.74.200:4001

212.8.244.5:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

900 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

Capeteka dileket xehe quele quipabim cokaho.exe

pid process

1000 Capeteka dileket xehe quele quipabim cokaho.exe
Loads dropped DLL 1 IoCs

Processes:

b1d156c496219977a9cd4355094613f5.exe

pid process

1324 b1d156c496219977a9cd4355094613f5.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

520 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1252 PING.EXE

pid	process
900	cmd.exe

pid	process
1000	Capeteka dileket xehe quele quipabim cokaho.exe

pid	process
520	schtasks.exe

pid	process
1252	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

b1d156c496219977a9cd4355094613f5.exeCapeteka dileket xehe quele quipabim cokaho.exe

pid	process
1324	b1d156c496219977a9cd4355094613f5.exe
1324	b1d156c496219977a9cd4355094613f5.exe
1324	b1d156c496219977a9cd4355094613f5.exe
1324	b1d156c496219977a9cd4355094613f5.exe
1324	b1d156c496219977a9cd4355094613f5.exe
1000	Capeteka dileket xehe quele quipabim cokaho.exe
1000	Capeteka dileket xehe quele quipabim cokaho.exe
1000	Capeteka dileket xehe quele quipabim cokaho.exe
1000	Capeteka dileket xehe quele quipabim cokaho.exe
1000	Capeteka dileket xehe quele quipabim cokaho.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

b1d156c496219977a9cd4355094613f5.execmd.exe

description	pid	process	target process
PID 1324 wrote to memory of 520	1324	b1d156c496219977a9cd4355094613f5.exe	schtasks.exe
PID 1324 wrote to memory of 520	1324	b1d156c496219977a9cd4355094613f5.exe	schtasks.exe
PID 1324 wrote to memory of 520	1324	b1d156c496219977a9cd4355094613f5.exe	schtasks.exe
PID 1324 wrote to memory of 520	1324	b1d156c496219977a9cd4355094613f5.exe	schtasks.exe
PID 1324 wrote to memory of 1000	1324	b1d156c496219977a9cd4355094613f5.exe	Capeteka dileket xehe quele quipabim cokaho.exe
PID 1324 wrote to memory of 1000	1324	b1d156c496219977a9cd4355094613f5.exe	Capeteka dileket xehe quele quipabim cokaho.exe
PID 1324 wrote to memory of 1000	1324	b1d156c496219977a9cd4355094613f5.exe	Capeteka dileket xehe quele quipabim cokaho.exe
PID 1324 wrote to memory of 1000	1324	b1d156c496219977a9cd4355094613f5.exe	Capeteka dileket xehe quele quipabim cokaho.exe
PID 1324 wrote to memory of 900	1324	b1d156c496219977a9cd4355094613f5.exe	cmd.exe
PID 1324 wrote to memory of 900	1324	b1d156c496219977a9cd4355094613f5.exe	cmd.exe
PID 1324 wrote to memory of 900	1324	b1d156c496219977a9cd4355094613f5.exe	cmd.exe
PID 1324 wrote to memory of 900	1324	b1d156c496219977a9cd4355094613f5.exe	cmd.exe
PID 900 wrote to memory of 1364	900	cmd.exe	chcp.com
PID 900 wrote to memory of 1364	900	cmd.exe	chcp.com
PID 900 wrote to memory of 1364	900	cmd.exe	chcp.com
PID 900 wrote to memory of 1364	900	cmd.exe	chcp.com
PID 900 wrote to memory of 1252	900	cmd.exe	PING.EXE
PID 900 wrote to memory of 1252	900	cmd.exe	PING.EXE
PID 900 wrote to memory of 1252	900	cmd.exe	PING.EXE
PID 900 wrote to memory of 1252	900	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\b1d156c496219977a9cd4355094613f5.exe
"C:\Users\Admin\AppData\Local\Temp\b1d156c496219977a9cd4355094613f5.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /tn COMSurrogate /f /sc onlogon /rl highest /tr "C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe"
2⤵
- Creates scheduled task(s)
PID:520

C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe
"C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1000

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\b1d156c496219977a9cd4355094613f5.exe"
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\chcp.com
chcp 65001
3⤵
PID:1364

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
3⤵
- Runs ping.exe
PID:1252

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe
Filesize
578.4MB

MD5
6d9afe7db15eef56c1170f80b850d70a

SHA1
2f04d0642b79458e7eb5829b78505063305ef1a5

SHA256
f387e80789898cb4700958eddacd925f5d53ecdc22ea05268ce2ad56ca7d63aa

SHA512
741a769c31ac268115bad3e16b01ec07cfa486bc72ddfb9c7b9dd4e414ee16019e3e40641ae74b362e00136101519f5dc5c732d1d52d6c27d25e59da55440670

Download Submit
C:\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe
Filesize
619.9MB

MD5
244d5b1af7b9a373286ca558980ff774

SHA1
011508582d678da9f10e7d2608d0dbff865e4b5c

SHA256
a71310c32a0c243fbd20a7102a65c41b63171e34aed6c614985adbbebc6f88e5

SHA512
69ee31f4243381da86c75fe5421aed5e1f3cf32166ea239ff838637504f1c3c2d1290833dc6004e87306e10e7f3b681f44e2baf8bd0d1511f58bb54c5ba2d9ed

Download Submit
\Users\Admin\Xefakevi job lajojib\Capeteka dileket xehe quele quipabim cokaho.exe
Filesize
597.3MB

MD5
f8f4d8224a4fec72fe8fbd2def93e776

SHA1
54a864b13a0a14fc686f13850c9a5b61803668e6

SHA256
c62e3badeae1bff62f2642396c02faa7eb2157b149aa94bb087ab68341754c21

SHA512
5dc06b3593d38d1a115a50f0c5735b0f67b5d678132f33850ce4b77df44f7d024d8645ca086e839a7e1ee76fb1ebb91a2ddc1e31db23a73bd538e29a2f4b8d2e

Download Submit
memory/1000-62-0x0000000000370000-0x000000000045E000-memory.dmp

Filesize
952KB

Download
memory/1000-63-0x0000000000D00000-0x0000000000D4B000-memory.dmp

Filesize
300KB

Download
memory/1000-64-0x00000000002E0000-0x00000000002E6000-memory.dmp

Filesize
24KB

Download
memory/1324-54-0x0000000000450000-0x000000000053E000-memory.dmp

Filesize
952KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads