Malware Analysis Report

2025-04-03 09:42

Sample ID 230420-hm6s1sab7w
Target af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e
SHA256 af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e
Tags
systembc trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e

Threat Level: Known bad

The file af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e was found to be: Known bad.

Malicious Activity Summary

systembc trojan

SystemBC

Executes dropped EXE

Checks computer location settings

Drops startup file

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-20 06:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-20 06:52

Reported

2023-04-20 06:54

Platform

win10v2004-20230220-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe"

Signatures

SystemBC

trojan systembc

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-D0KQI.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CrystalDiskInfo.lnk | C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3148 set thread context of 3400 | N/A | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2704 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe | C:\Users\Admin\AppData\Local\Temp\is-D0KQI.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
PID 2704 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe | C:\Users\Admin\AppData\Local\Temp\is-D0KQI.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
PID 2704 wrote to memory of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe | C:\Users\Admin\AppData\Local\Temp\is-D0KQI.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
PID 1772 wrote to memory of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\is-D0KQI.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp | C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe
PID 1772 wrote to memory of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\is-D0KQI.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp | C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe
PID 1772 wrote to memory of 4636 | N/A | C:\Users\Admin\AppData\Local\Temp\is-D0KQI.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp | C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe
PID 4636 wrote to memory of 736 | N/A | C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe | C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
PID 4636 wrote to memory of 736 | N/A | C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe | C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
PID 4636 wrote to memory of 736 | N/A | C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe | C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
PID 736 wrote to memory of 3148 | N/A | C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr
PID 736 wrote to memory of 3148 | N/A | C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr
PID 736 wrote to memory of 3148 | N/A | C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr
PID 736 wrote to memory of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp | C:\Windows\SysWOW64\cmd.exe
PID 736 wrote to memory of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp | C:\Windows\SysWOW64\cmd.exe
PID 736 wrote to memory of 1044 | N/A | C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp | C:\Windows\SysWOW64\cmd.exe
PID 3148 wrote to memory of 3400 | N/A | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr
PID 3148 wrote to memory of 3400 | N/A | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr
PID 3148 wrote to memory of 3400 | N/A | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr
PID 3148 wrote to memory of 3400 | N/A | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr
PID 3148 wrote to memory of 3400 | N/A | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr
PID 3148 wrote to memory of 3400 | N/A | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr
PID 3148 wrote to memory of 3400 | N/A | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr
PID 3148 wrote to memory of 3400 | N/A | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr
PID 3148 wrote to memory of 3400 | N/A | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr | C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr

Processes

C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe

"C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe"

C:\Users\Admin\AppData\Local\Temp\is-D0KQI.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp

"C:\Users\Admin\AppData\Local\Temp\is-D0KQI.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp" /SL5="$8003E,5336595,180224,C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe"

C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe

"C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe" /verysilent /sp-

C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp

"C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp" /SL5="$9003E,5336595,180224,C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe" /verysilent /sp-

C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr

"C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\.cmd""

C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr

"C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
NL | 5.45.73.25:4246 | N/A | tcp
US | 8.8.8.8:53 | 25.73.45.5.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 20.42.65.85:443 | N/A | tcp
NL | 173.223.113.164:443 | N/A | tcp
NL | 173.223.113.131:80 | N/A | tcp
US | 204.79.197.203:80 | N/A | tcp
US | 209.197.3.8:80 | N/A | tcp
US | 209.197.3.8:80 | N/A | tcp
US | 209.197.3.8:80 | N/A | tcp
US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp
NL | 173.223.113.131:80 | N/A | tcp

Files

memory/2704-133-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-D0KQI.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp

MD5 52b26165c6e3716fb6a13f90199b8945
SHA1 af0276a652e8ee18b2275d1182305c78275852bb
SHA256 9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc
SHA512 38e6623bc859addf36e8f9e4caecd0947338a56912c4fa6876af969138efcb3af4a65ccbe4f609bb81f07df87a73eb539b66a0508a51dc62a4295ba40d90b3c6

C:\Users\Admin\AppData\Local\Temp\is-D0KQI.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp

MD5 52b26165c6e3716fb6a13f90199b8945
SHA1 af0276a652e8ee18b2275d1182305c78275852bb
SHA256 9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc
SHA512 38e6623bc859addf36e8f9e4caecd0947338a56912c4fa6876af969138efcb3af4a65ccbe4f609bb81f07df87a73eb539b66a0508a51dc62a4295ba40d90b3c6

memory/1772-143-0x0000000002560000-0x0000000002561000-memory.dmp

memory/4636-146-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1772-148-0x0000000000400000-0x0000000000582000-memory.dmp

memory/2704-149-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp

MD5 52b26165c6e3716fb6a13f90199b8945
SHA1 af0276a652e8ee18b2275d1182305c78275852bb
SHA256 9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc
SHA512 38e6623bc859addf36e8f9e4caecd0947338a56912c4fa6876af969138efcb3af4a65ccbe4f609bb81f07df87a73eb539b66a0508a51dc62a4295ba40d90b3c6

C:\Users\Admin\AppData\Local\Temp\is-EE1OG.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp

MD5 52b26165c6e3716fb6a13f90199b8945
SHA1 af0276a652e8ee18b2275d1182305c78275852bb
SHA256 9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc
SHA512 38e6623bc859addf36e8f9e4caecd0947338a56912c4fa6876af969138efcb3af4a65ccbe4f609bb81f07df87a73eb539b66a0508a51dc62a4295ba40d90b3c6

C:\Users\Admin\AppData\Local\Temp\is-K21N9.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/736-158-0x0000000000730000-0x0000000000731000-memory.dmp

C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr

MD5 1fe7083d76e76df3f3d571beb38669fb
SHA1 dfd0b4769a35ec89b1e3a67f619d9e0437c7f022
SHA256 3993cae18dd547c0a2836ee251f250f4e691b1947a81816695236c971f848b87
SHA512 a1ed0ea9c5835fdc43715b547bf7630a73b3a4fc02243dfb05d1462cab194fc4f98b61a22698c62060d00654452f6a8cf158df3e7716a48062a867b67ca3fe70

C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr

MD5 1fe7083d76e76df3f3d571beb38669fb
SHA1 dfd0b4769a35ec89b1e3a67f619d9e0437c7f022
SHA256 3993cae18dd547c0a2836ee251f250f4e691b1947a81816695236c971f848b87
SHA512 a1ed0ea9c5835fdc43715b547bf7630a73b3a4fc02243dfb05d1462cab194fc4f98b61a22698c62060d00654452f6a8cf158df3e7716a48062a867b67ca3fe70

C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr

MD5 1fe7083d76e76df3f3d571beb38669fb
SHA1 dfd0b4769a35ec89b1e3a67f619d9e0437c7f022
SHA256 3993cae18dd547c0a2836ee251f250f4e691b1947a81816695236c971f848b87
SHA512 a1ed0ea9c5835fdc43715b547bf7630a73b3a4fc02243dfb05d1462cab194fc4f98b61a22698c62060d00654452f6a8cf158df3e7716a48062a867b67ca3fe70

memory/736-170-0x0000000000400000-0x0000000000582000-memory.dmp

memory/4636-171-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\.cmd

MD5 4af21e3fc07cc9c73f4c50e7901c8c77
SHA1 94c18702bf325aaa2d9c90305d2fe153a9503062
SHA256 bc5610e5d7384956a9b479ac767ef072daf46c92d952a6cf1db6fa2f31eae6d3
SHA512 400bbde81b3e4fe9a3e92e07d34113982aefeeb7867c2c229f585ff02148924fe15fcefa6330992436540620b06702da4ae6192b92997e40d5003a4a99439e8c

memory/3148-173-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

memory/3148-174-0x0000000000F10000-0x0000000000F11000-memory.dmp

memory/3148-175-0x0000000000F30000-0x0000000000F31000-memory.dmp

memory/3148-176-0x0000000002B00000-0x0000000002B01000-memory.dmp

memory/3148-177-0x0000000002B10000-0x0000000002B11000-memory.dmp

memory/3148-178-0x0000000002B20000-0x0000000002B21000-memory.dmp

memory/3148-179-0x0000000002B30000-0x0000000002B31000-memory.dmp

memory/3148-180-0x0000000000400000-0x0000000000D54000-memory.dmp

memory/3400-184-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr

MD5 1fe7083d76e76df3f3d571beb38669fb
SHA1 dfd0b4769a35ec89b1e3a67f619d9e0437c7f022
SHA256 3993cae18dd547c0a2836ee251f250f4e691b1947a81816695236c971f848b87
SHA512 a1ed0ea9c5835fdc43715b547bf7630a73b3a4fc02243dfb05d1462cab194fc4f98b61a22698c62060d00654452f6a8cf158df3e7716a48062a867b67ca3fe70

memory/3400-187-0x0000000000400000-0x0000000000406000-memory.dmp

memory/3400-188-0x0000000000400000-0x0000000000406000-memory.dmp