systembc | af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e

Analysis

max time kernel
147s
max time network
141s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25-04-2023 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

5.5MB
MD5

c48a400ccdb846dfeecdb8564ed29e6a
SHA1

a534f99c56d321e2b4cb111e5afbe38ee4dd2fd4
SHA256

af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e
SHA512

7c97935c18cf8bdb575d210b13ebc204c81b60b05036da6bbd3bf755d7a1277fe3e9012977a6d5f4573b52e2b0963c6364f56d0a2092f84909e51883ec02383b
SSDEEP

98304:097RqNuY64Jd70rj4uJUDFsPDDLuTw/mH8JVOYN8G3fPBuY5VGfiVC2jyi/HKqP6:+sNukdU4QN/mcJPVBuMAKsgqqP54

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

5.45.73.25:4246

poolsforyour.com:4246

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1548 cmd.exe
Drops startup file 1 IoCs

Processes:

file.tmp

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CrystalDiskInfo.lnk file.tmp
Executes dropped EXE 4 IoCs

Processes:

file.tmpfile.tmplmsass.scrlmsass.sCr

pid process

1256 file.tmp
908 file.tmp
804 lmsass.scr
2008 lmsass.sCr
Loads dropped DLL 8 IoCs

Processes:

file.exefile.tmpfile.exefile.tmp

pid process

1672 file.exe
1256 file.tmp
1256 file.tmp
564 file.exe
908 file.tmp
908 file.tmp
908 file.tmp
908 file.tmp
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

lmsass.scr

pid process

804 lmsass.scr
Suspicious use of SetThreadContext 1 IoCs

Processes:

lmsass.scr

description pid process target process

PID 804 set thread context of 2008 804 lmsass.scr lmsass.sCr
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

file.tmplmsass.scr

pid process

908 file.tmp
908 file.tmp
804 lmsass.scr
804 lmsass.scr
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

file.tmp

pid process

908 file.tmp
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

lmsass.scr

pid process

804 lmsass.scr

pid	process
1548	cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CrystalDiskInfo.lnk	file.tmp

pid	process
1256	file.tmp
908	file.tmp
804	lmsass.scr
2008	lmsass.sCr

pid	process
1672	file.exe
1256	file.tmp
1256	file.tmp
564	file.exe
908	file.tmp
908	file.tmp
908	file.tmp
908	file.tmp

pid	process
804	lmsass.scr

description	pid	process	target process
PID 804 set thread context of 2008	804	lmsass.scr	lmsass.sCr

pid	process
908	file.tmp
908	file.tmp
804	lmsass.scr
804	lmsass.scr

pid	process
908	file.tmp

pid	process
804	lmsass.scr

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

file.exefile.tmpfile.exefile.tmplmsass.scr

description	pid	process	target process
PID 1672 wrote to memory of 1256	1672	file.exe	file.tmp
PID 1672 wrote to memory of 1256	1672	file.exe	file.tmp
PID 1672 wrote to memory of 1256	1672	file.exe	file.tmp
PID 1672 wrote to memory of 1256	1672	file.exe	file.tmp
PID 1672 wrote to memory of 1256	1672	file.exe	file.tmp
PID 1672 wrote to memory of 1256	1672	file.exe	file.tmp
PID 1672 wrote to memory of 1256	1672	file.exe	file.tmp
PID 1256 wrote to memory of 564	1256	file.tmp	file.exe
PID 1256 wrote to memory of 564	1256	file.tmp	file.exe
PID 1256 wrote to memory of 564	1256	file.tmp	file.exe
PID 1256 wrote to memory of 564	1256	file.tmp	file.exe
PID 1256 wrote to memory of 564	1256	file.tmp	file.exe
PID 1256 wrote to memory of 564	1256	file.tmp	file.exe
PID 1256 wrote to memory of 564	1256	file.tmp	file.exe
PID 564 wrote to memory of 908	564	file.exe	file.tmp
PID 564 wrote to memory of 908	564	file.exe	file.tmp
PID 564 wrote to memory of 908	564	file.exe	file.tmp
PID 564 wrote to memory of 908	564	file.exe	file.tmp
PID 564 wrote to memory of 908	564	file.exe	file.tmp
PID 564 wrote to memory of 908	564	file.exe	file.tmp
PID 564 wrote to memory of 908	564	file.exe	file.tmp
PID 908 wrote to memory of 804	908	file.tmp	lmsass.scr
PID 908 wrote to memory of 804	908	file.tmp	lmsass.scr
PID 908 wrote to memory of 804	908	file.tmp	lmsass.scr
PID 908 wrote to memory of 804	908	file.tmp	lmsass.scr
PID 908 wrote to memory of 1548	908	file.tmp	cmd.exe
PID 908 wrote to memory of 1548	908	file.tmp	cmd.exe
PID 908 wrote to memory of 1548	908	file.tmp	cmd.exe
PID 908 wrote to memory of 1548	908	file.tmp	cmd.exe
PID 804 wrote to memory of 2008	804	lmsass.scr	lmsass.sCr
PID 804 wrote to memory of 2008	804	lmsass.scr	lmsass.sCr
PID 804 wrote to memory of 2008	804	lmsass.scr	lmsass.sCr
PID 804 wrote to memory of 2008	804	lmsass.scr	lmsass.sCr
PID 804 wrote to memory of 2008	804	lmsass.scr	lmsass.sCr
PID 804 wrote to memory of 2008	804	lmsass.scr	lmsass.sCr
PID 804 wrote to memory of 2008	804	lmsass.scr	lmsass.sCr
PID 804 wrote to memory of 2008	804	lmsass.scr	lmsass.sCr
PID 804 wrote to memory of 2008	804	lmsass.scr	lmsass.sCr
PID 804 wrote to memory of 2008	804	lmsass.scr	lmsass.sCr

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\is-85AM9.tmp\file.tmp
"C:\Users\Admin\AppData\Local\Temp\is-85AM9.tmp\file.tmp" /SL5="$70126,5336595,180224,C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe" /verysilent /sp-
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:564

C:\Users\Admin\AppData\Local\Temp\is-A697G.tmp\file.tmp
"C:\Users\Admin\AppData\Local\Temp\is-A697G.tmp\file.tmp" /SL5="$80126,5336595,180224,C:\Users\Admin\AppData\Local\Temp\file.exe" /verysilent /sp-
4⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:908

C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr
"C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:804

C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr
"C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr"
6⤵
- Executes dropped EXE
PID:2008

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\.cmd""
5⤵
- Deletes itself
PID:1548

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.cmd
Filesize
140B

MD5
1a1225d2f25de2d1d1134d4e444cfee0

SHA1
482d3466846d4dd5a94db1bca7bc7904064e5da7

SHA256
c653c4aa6971f1dbb0fa7a68bcbb82fffd0c230e82927a923916ec6c1975b742

SHA512
92984bfc2d6a608ef460de16ea927c7f72aea5f53e8259e24383e4295eb8581e282b42c2a04b9714add1f794a8c7473cbaf830535ddc18b551a6d3737c46c06d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-85AM9.tmp\file.tmp
Filesize
1.5MB

MD5
52b26165c6e3716fb6a13f90199b8945

SHA1
af0276a652e8ee18b2275d1182305c78275852bb

SHA256
9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc

SHA512
38e6623bc859addf36e8f9e4caecd0947338a56912c4fa6876af969138efcb3af4a65ccbe4f609bb81f07df87a73eb539b66a0508a51dc62a4295ba40d90b3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A697G.tmp\file.tmp
Filesize
1.5MB

MD5
52b26165c6e3716fb6a13f90199b8945

SHA1
af0276a652e8ee18b2275d1182305c78275852bb

SHA256
9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc

SHA512
38e6623bc859addf36e8f9e4caecd0947338a56912c4fa6876af969138efcb3af4a65ccbe4f609bb81f07df87a73eb539b66a0508a51dc62a4295ba40d90b3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-A697G.tmp\file.tmp
Filesize
1.5MB

MD5
52b26165c6e3716fb6a13f90199b8945

SHA1
af0276a652e8ee18b2275d1182305c78275852bb

SHA256
9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc

SHA512
38e6623bc859addf36e8f9e4caecd0947338a56912c4fa6876af969138efcb3af4a65ccbe4f609bb81f07df87a73eb539b66a0508a51dc62a4295ba40d90b3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-NV4CQ.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr
Filesize
5.3MB

MD5
1fe7083d76e76df3f3d571beb38669fb

SHA1
dfd0b4769a35ec89b1e3a67f619d9e0437c7f022

SHA256
3993cae18dd547c0a2836ee251f250f4e691b1947a81816695236c971f848b87

SHA512
a1ed0ea9c5835fdc43715b547bf7630a73b3a4fc02243dfb05d1462cab194fc4f98b61a22698c62060d00654452f6a8cf158df3e7716a48062a867b67ca3fe70

Download Submit
C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr
Filesize
5.3MB

MD5
1fe7083d76e76df3f3d571beb38669fb

SHA1
dfd0b4769a35ec89b1e3a67f619d9e0437c7f022

SHA256
3993cae18dd547c0a2836ee251f250f4e691b1947a81816695236c971f848b87

SHA512
a1ed0ea9c5835fdc43715b547bf7630a73b3a4fc02243dfb05d1462cab194fc4f98b61a22698c62060d00654452f6a8cf158df3e7716a48062a867b67ca3fe70

Download Submit
C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr
Filesize
5.3MB

MD5
1fe7083d76e76df3f3d571beb38669fb

SHA1
dfd0b4769a35ec89b1e3a67f619d9e0437c7f022

SHA256
3993cae18dd547c0a2836ee251f250f4e691b1947a81816695236c971f848b87

SHA512
a1ed0ea9c5835fdc43715b547bf7630a73b3a4fc02243dfb05d1462cab194fc4f98b61a22698c62060d00654452f6a8cf158df3e7716a48062a867b67ca3fe70

Download Submit
C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr
Filesize
5.3MB

MD5
1fe7083d76e76df3f3d571beb38669fb

SHA1
dfd0b4769a35ec89b1e3a67f619d9e0437c7f022

SHA256
3993cae18dd547c0a2836ee251f250f4e691b1947a81816695236c971f848b87

SHA512
a1ed0ea9c5835fdc43715b547bf7630a73b3a4fc02243dfb05d1462cab194fc4f98b61a22698c62060d00654452f6a8cf158df3e7716a48062a867b67ca3fe70

Download Submit
\Users\Admin\AppData\Local\Temp\is-85AM9.tmp\file.tmp
Filesize
1.5MB

MD5
52b26165c6e3716fb6a13f90199b8945

SHA1
af0276a652e8ee18b2275d1182305c78275852bb

SHA256
9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc

SHA512
38e6623bc859addf36e8f9e4caecd0947338a56912c4fa6876af969138efcb3af4a65ccbe4f609bb81f07df87a73eb539b66a0508a51dc62a4295ba40d90b3c6

Download Submit
\Users\Admin\AppData\Local\Temp\is-A697G.tmp\file.tmp
Filesize
1.5MB

MD5
52b26165c6e3716fb6a13f90199b8945

SHA1
af0276a652e8ee18b2275d1182305c78275852bb

SHA256
9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc

SHA512
38e6623bc859addf36e8f9e4caecd0947338a56912c4fa6876af969138efcb3af4a65ccbe4f609bb81f07df87a73eb539b66a0508a51dc62a4295ba40d90b3c6

Download Submit
\Users\Admin\AppData\Local\Temp\is-NV4CQ.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-NV4CQ.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-T96N9.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-T96N9.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr
Filesize
5.3MB

MD5
1fe7083d76e76df3f3d571beb38669fb

SHA1
dfd0b4769a35ec89b1e3a67f619d9e0437c7f022

SHA256
3993cae18dd547c0a2836ee251f250f4e691b1947a81816695236c971f848b87

SHA512
a1ed0ea9c5835fdc43715b547bf7630a73b3a4fc02243dfb05d1462cab194fc4f98b61a22698c62060d00654452f6a8cf158df3e7716a48062a867b67ca3fe70

Download Submit
\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr
Filesize
5.3MB

MD5
1fe7083d76e76df3f3d571beb38669fb

SHA1
dfd0b4769a35ec89b1e3a67f619d9e0437c7f022

SHA256
3993cae18dd547c0a2836ee251f250f4e691b1947a81816695236c971f848b87

SHA512
a1ed0ea9c5835fdc43715b547bf7630a73b3a4fc02243dfb05d1462cab194fc4f98b61a22698c62060d00654452f6a8cf158df3e7716a48062a867b67ca3fe70

Download Submit
memory/564-103-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/564-70-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/804-107-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/804-122-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/804-126-0x0000000000400000-0x0000000000D54000-memory.dmp

Filesize
9.3MB

Download
memory/804-106-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/804-105-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/804-125-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/804-109-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/804-110-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/804-108-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/804-112-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/804-113-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/804-115-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/804-116-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/804-118-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/804-119-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/804-123-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/804-121-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/804-124-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/908-101-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/908-90-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1256-69-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/1672-54-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1672-73-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2008-133-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2008-132-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2008-134-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2008-135-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2008-136-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2008-137-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2008-131-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2008-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2008-141-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download