systembc | af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2023 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe
Size

5.5MB
MD5

c48a400ccdb846dfeecdb8564ed29e6a
SHA1

a534f99c56d321e2b4cb111e5afbe38ee4dd2fd4
SHA256

af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e
SHA512

7c97935c18cf8bdb575d210b13ebc204c81b60b05036da6bbd3bf755d7a1277fe3e9012977a6d5f4573b52e2b0963c6364f56d0a2092f84909e51883ec02383b
SSDEEP

98304:097RqNuY64Jd70rj4uJUDFsPDDLuTw/mH8JVOYN8G3fPBuY5VGfiVC2jyi/HKqP6:+sNukdU4QN/mcJPVBuMAKsgqqP54

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

5.45.73.25:4246

poolsforyour.com:4246

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp

Drops startup file 1 IoCs

Processes:

af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CrystalDiskInfo.lnk	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp

Executes dropped EXE 4 IoCs

Processes:

af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmpaf1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmplmsass.scrlmsass.sCr

pid	process
1772	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
736	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
3148	lmsass.scr
3400	lmsass.sCr

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

lmsass.scr

pid process

3148 lmsass.scr
Suspicious use of SetThreadContext 1 IoCs

Processes:

lmsass.scr

description pid process target process

PID 3148 set thread context of 3400 3148 lmsass.scr lmsass.sCr
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3148	lmsass.scr

description	pid	process	target process
PID 3148 set thread context of 3400	3148	lmsass.scr	lmsass.sCr

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmplmsass.scr

pid	process
736	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
736	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
3148	lmsass.scr
3148	lmsass.scr
3148	lmsass.scr
3148	lmsass.scr

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp

pid process

736 af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

lmsass.scr

pid process

3148 lmsass.scr

pid	process
3148	lmsass.scr

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exeaf1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmpaf1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exeaf1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmplmsass.scr

description	pid	process	target process
PID 2704 wrote to memory of 1772	2704	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
PID 2704 wrote to memory of 1772	2704	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
PID 2704 wrote to memory of 1772	2704	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
PID 1772 wrote to memory of 4636	1772	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe
PID 1772 wrote to memory of 4636	1772	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe
PID 1772 wrote to memory of 4636	1772	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe
PID 4636 wrote to memory of 736	4636	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
PID 4636 wrote to memory of 736	4636	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
PID 4636 wrote to memory of 736	4636	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
PID 736 wrote to memory of 3148	736	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp	lmsass.scr
PID 736 wrote to memory of 3148	736	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp	lmsass.scr
PID 736 wrote to memory of 3148	736	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp	lmsass.scr
PID 736 wrote to memory of 1044	736	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp	cmd.exe
PID 736 wrote to memory of 1044	736	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp	cmd.exe
PID 736 wrote to memory of 1044	736	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp	cmd.exe
PID 3148 wrote to memory of 3400	3148	lmsass.scr	lmsass.sCr
PID 3148 wrote to memory of 3400	3148	lmsass.scr	lmsass.sCr
PID 3148 wrote to memory of 3400	3148	lmsass.scr	lmsass.sCr
PID 3148 wrote to memory of 3400	3148	lmsass.scr	lmsass.sCr
PID 3148 wrote to memory of 3400	3148	lmsass.scr	lmsass.sCr
PID 3148 wrote to memory of 3400	3148	lmsass.scr	lmsass.sCr
PID 3148 wrote to memory of 3400	3148	lmsass.scr	lmsass.sCr
PID 3148 wrote to memory of 3400	3148	lmsass.scr	lmsass.sCr
PID 3148 wrote to memory of 3400	3148	lmsass.scr	lmsass.sCr

C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe
"C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Local\Temp\is-D0KQI.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
"C:\Users\Admin\AppData\Local\Temp\is-D0KQI.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp" /SL5="$8003E,5336595,180224,C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe
"C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe" /verysilent /sp-
3⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp" /SL5="$9003E,5336595,180224,C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe" /verysilent /sp-
4⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:736

C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr
"C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3148

C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr
"C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr"
6⤵
- Executes dropped EXE
PID:3400

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\.cmd""
5⤵
PID:1044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.cmd
Filesize
260B

MD5
4af21e3fc07cc9c73f4c50e7901c8c77

SHA1
94c18702bf325aaa2d9c90305d2fe153a9503062

SHA256
bc5610e5d7384956a9b479ac767ef072daf46c92d952a6cf1db6fa2f31eae6d3

SHA512
400bbde81b3e4fe9a3e92e07d34113982aefeeb7867c2c229f585ff02148924fe15fcefa6330992436540620b06702da4ae6192b92997e40d5003a4a99439e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D0KQI.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
Filesize
1.5MB

MD5
52b26165c6e3716fb6a13f90199b8945

SHA1
af0276a652e8ee18b2275d1182305c78275852bb

SHA256
9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc

SHA512
38e6623bc859addf36e8f9e4caecd0947338a56912c4fa6876af969138efcb3af4a65ccbe4f609bb81f07df87a73eb539b66a0508a51dc62a4295ba40d90b3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D0KQI.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
Filesize
1.5MB

MD5
52b26165c6e3716fb6a13f90199b8945

SHA1
af0276a652e8ee18b2275d1182305c78275852bb

SHA256
9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc

SHA512
38e6623bc859addf36e8f9e4caecd0947338a56912c4fa6876af969138efcb3af4a65ccbe4f609bb81f07df87a73eb539b66a0508a51dc62a4295ba40d90b3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
Filesize
1.5MB

MD5
52b26165c6e3716fb6a13f90199b8945

SHA1
af0276a652e8ee18b2275d1182305c78275852bb

SHA256
9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc

SHA512
38e6623bc859addf36e8f9e4caecd0947338a56912c4fa6876af969138efcb3af4a65ccbe4f609bb81f07df87a73eb539b66a0508a51dc62a4295ba40d90b3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
Filesize
1.5MB

MD5
52b26165c6e3716fb6a13f90199b8945

SHA1
af0276a652e8ee18b2275d1182305c78275852bb

SHA256
9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc

SHA512
38e6623bc859addf36e8f9e4caecd0947338a56912c4fa6876af969138efcb3af4a65ccbe4f609bb81f07df87a73eb539b66a0508a51dc62a4295ba40d90b3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K21N9.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr
Filesize
5.3MB

MD5
1fe7083d76e76df3f3d571beb38669fb

SHA1
dfd0b4769a35ec89b1e3a67f619d9e0437c7f022

SHA256
3993cae18dd547c0a2836ee251f250f4e691b1947a81816695236c971f848b87

SHA512
a1ed0ea9c5835fdc43715b547bf7630a73b3a4fc02243dfb05d1462cab194fc4f98b61a22698c62060d00654452f6a8cf158df3e7716a48062a867b67ca3fe70

Download Submit
C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr
Filesize
5.3MB

MD5
1fe7083d76e76df3f3d571beb38669fb

SHA1
dfd0b4769a35ec89b1e3a67f619d9e0437c7f022

SHA256
3993cae18dd547c0a2836ee251f250f4e691b1947a81816695236c971f848b87

SHA512
a1ed0ea9c5835fdc43715b547bf7630a73b3a4fc02243dfb05d1462cab194fc4f98b61a22698c62060d00654452f6a8cf158df3e7716a48062a867b67ca3fe70

Download Submit
C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr
Filesize
5.3MB

MD5
1fe7083d76e76df3f3d571beb38669fb

SHA1
dfd0b4769a35ec89b1e3a67f619d9e0437c7f022

SHA256
3993cae18dd547c0a2836ee251f250f4e691b1947a81816695236c971f848b87

SHA512
a1ed0ea9c5835fdc43715b547bf7630a73b3a4fc02243dfb05d1462cab194fc4f98b61a22698c62060d00654452f6a8cf158df3e7716a48062a867b67ca3fe70

Download Submit
C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr
Filesize
5.3MB

MD5
1fe7083d76e76df3f3d571beb38669fb

SHA1
dfd0b4769a35ec89b1e3a67f619d9e0437c7f022

SHA256
3993cae18dd547c0a2836ee251f250f4e691b1947a81816695236c971f848b87

SHA512
a1ed0ea9c5835fdc43715b547bf7630a73b3a4fc02243dfb05d1462cab194fc4f98b61a22698c62060d00654452f6a8cf158df3e7716a48062a867b67ca3fe70

Download Submit
memory/736-170-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/736-158-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/1772-148-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/1772-143-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/2704-149-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2704-133-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3148-179-0x0000000002B30000-0x0000000002B31000-memory.dmp

Filesize
4KB

Download
memory/3148-173-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/3148-174-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/3148-175-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/3148-176-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/3148-177-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/3148-178-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/3148-180-0x0000000000400000-0x0000000000D54000-memory.dmp

Filesize
9.3MB

Download
memory/3400-184-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3400-187-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3400-188-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4636-146-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4636-171-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download