systembc | af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e

Analysis

max time kernel
148s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2023 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

5.5MB
MD5

c48a400ccdb846dfeecdb8564ed29e6a
SHA1

a534f99c56d321e2b4cb111e5afbe38ee4dd2fd4
SHA256

af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e
SHA512

7c97935c18cf8bdb575d210b13ebc204c81b60b05036da6bbd3bf755d7a1277fe3e9012977a6d5f4573b52e2b0963c6364f56d0a2092f84909e51883ec02383b
SSDEEP

98304:097RqNuY64Jd70rj4uJUDFsPDDLuTw/mH8JVOYN8G3fPBuY5VGfiVC2jyi/HKqP6:+sNukdU4QN/mcJPVBuMAKsgqqP54

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

5.45.73.25:4246

poolsforyour.com:4246

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

file.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation file.tmp
Drops startup file 1 IoCs

Processes:

file.tmp

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CrystalDiskInfo.lnk file.tmp
Executes dropped EXE 4 IoCs

Processes:

file.tmpfile.tmplmsass.scrlmsass.sCr

pid process

5080 file.tmp
3464 file.tmp
2420 lmsass.scr
3068 lmsass.sCr
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

lmsass.scr

pid process

2420 lmsass.scr
Suspicious use of SetThreadContext 1 IoCs

Processes:

lmsass.scr

description pid process target process

PID 2420 set thread context of 3068 2420 lmsass.scr lmsass.sCr
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

file.tmplmsass.scr

pid process

3464 file.tmp
3464 file.tmp
2420 lmsass.scr
2420 lmsass.scr
2420 lmsass.scr
2420 lmsass.scr
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

file.tmp

pid process

3464 file.tmp
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

lmsass.scr

pid process

2420 lmsass.scr

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	file.tmp

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CrystalDiskInfo.lnk	file.tmp

pid	process
5080	file.tmp
3464	file.tmp
2420	lmsass.scr
3068	lmsass.sCr

pid	process
2420	lmsass.scr

description	pid	process	target process
PID 2420 set thread context of 3068	2420	lmsass.scr	lmsass.sCr

pid	process
3464	file.tmp
3464	file.tmp
2420	lmsass.scr
2420	lmsass.scr
2420	lmsass.scr
2420	lmsass.scr

pid	process
3464	file.tmp

pid	process
2420	lmsass.scr

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

file.exefile.tmpfile.exefile.tmplmsass.scr

description	pid	process	target process
PID 4960 wrote to memory of 5080	4960	file.exe	file.tmp
PID 4960 wrote to memory of 5080	4960	file.exe	file.tmp
PID 4960 wrote to memory of 5080	4960	file.exe	file.tmp
PID 5080 wrote to memory of 1872	5080	file.tmp	file.exe
PID 5080 wrote to memory of 1872	5080	file.tmp	file.exe
PID 5080 wrote to memory of 1872	5080	file.tmp	file.exe
PID 1872 wrote to memory of 3464	1872	file.exe	file.tmp
PID 1872 wrote to memory of 3464	1872	file.exe	file.tmp
PID 1872 wrote to memory of 3464	1872	file.exe	file.tmp
PID 3464 wrote to memory of 2420	3464	file.tmp	lmsass.scr
PID 3464 wrote to memory of 2420	3464	file.tmp	lmsass.scr
PID 3464 wrote to memory of 2420	3464	file.tmp	lmsass.scr
PID 3464 wrote to memory of 808	3464	file.tmp	cmd.exe
PID 3464 wrote to memory of 808	3464	file.tmp	cmd.exe
PID 3464 wrote to memory of 808	3464	file.tmp	cmd.exe
PID 2420 wrote to memory of 3068	2420	lmsass.scr	lmsass.sCr
PID 2420 wrote to memory of 3068	2420	lmsass.scr	lmsass.sCr
PID 2420 wrote to memory of 3068	2420	lmsass.scr	lmsass.sCr
PID 2420 wrote to memory of 3068	2420	lmsass.scr	lmsass.sCr
PID 2420 wrote to memory of 3068	2420	lmsass.scr	lmsass.sCr
PID 2420 wrote to memory of 3068	2420	lmsass.scr	lmsass.sCr
PID 2420 wrote to memory of 3068	2420	lmsass.scr	lmsass.sCr
PID 2420 wrote to memory of 3068	2420	lmsass.scr	lmsass.sCr
PID 2420 wrote to memory of 3068	2420	lmsass.scr	lmsass.sCr

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4960

C:\Users\Admin\AppData\Local\Temp\is-9APH5.tmp\file.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9APH5.tmp\file.tmp" /SL5="$7004E,5336595,180224,C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5080

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe" /verysilent /sp-
3⤵
- Suspicious use of WriteProcessMemory
PID:1872

C:\Users\Admin\AppData\Local\Temp\is-HOP04.tmp\file.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HOP04.tmp\file.tmp" /SL5="$8004E,5336595,180224,C:\Users\Admin\AppData\Local\Temp\file.exe" /verysilent /sp-
4⤵
- Drops startup file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3464

C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr
"C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr"
5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420

C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr
"C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr"
6⤵
- Executes dropped EXE
PID:3068

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\.cmd""
5⤵
PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.cmd

Filesize
140B

MD5
1a1225d2f25de2d1d1134d4e444cfee0

SHA1
482d3466846d4dd5a94db1bca7bc7904064e5da7

SHA256
c653c4aa6971f1dbb0fa7a68bcbb82fffd0c230e82927a923916ec6c1975b742

SHA512
92984bfc2d6a608ef460de16ea927c7f72aea5f53e8259e24383e4295eb8581e282b42c2a04b9714add1f794a8c7473cbaf830535ddc18b551a6d3737c46c06d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9APH5.tmp\file.tmp

Filesize
1.5MB

MD5
52b26165c6e3716fb6a13f90199b8945

SHA1
af0276a652e8ee18b2275d1182305c78275852bb

SHA256
9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc

SHA512
38e6623bc859addf36e8f9e4caecd0947338a56912c4fa6876af969138efcb3af4a65ccbe4f609bb81f07df87a73eb539b66a0508a51dc62a4295ba40d90b3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9APH5.tmp\file.tmp

Filesize
1.5MB

MD5
52b26165c6e3716fb6a13f90199b8945

SHA1
af0276a652e8ee18b2275d1182305c78275852bb

SHA256
9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc

SHA512
38e6623bc859addf36e8f9e4caecd0947338a56912c4fa6876af969138efcb3af4a65ccbe4f609bb81f07df87a73eb539b66a0508a51dc62a4295ba40d90b3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-AF97P.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HOP04.tmp\file.tmp

Filesize
1.5MB

MD5
52b26165c6e3716fb6a13f90199b8945

SHA1
af0276a652e8ee18b2275d1182305c78275852bb

SHA256
9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc

SHA512
38e6623bc859addf36e8f9e4caecd0947338a56912c4fa6876af969138efcb3af4a65ccbe4f609bb81f07df87a73eb539b66a0508a51dc62a4295ba40d90b3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-HOP04.tmp\file.tmp

Filesize
1.5MB

MD5
52b26165c6e3716fb6a13f90199b8945

SHA1
af0276a652e8ee18b2275d1182305c78275852bb

SHA256
9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc

SHA512
38e6623bc859addf36e8f9e4caecd0947338a56912c4fa6876af969138efcb3af4a65ccbe4f609bb81f07df87a73eb539b66a0508a51dc62a4295ba40d90b3c6

Download Submit
C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr

Filesize
5.3MB

MD5
1fe7083d76e76df3f3d571beb38669fb

SHA1
dfd0b4769a35ec89b1e3a67f619d9e0437c7f022

SHA256
3993cae18dd547c0a2836ee251f250f4e691b1947a81816695236c971f848b87

SHA512
a1ed0ea9c5835fdc43715b547bf7630a73b3a4fc02243dfb05d1462cab194fc4f98b61a22698c62060d00654452f6a8cf158df3e7716a48062a867b67ca3fe70

Download Submit
C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr

Filesize
5.3MB

MD5
1fe7083d76e76df3f3d571beb38669fb

SHA1
dfd0b4769a35ec89b1e3a67f619d9e0437c7f022

SHA256
3993cae18dd547c0a2836ee251f250f4e691b1947a81816695236c971f848b87

SHA512
a1ed0ea9c5835fdc43715b547bf7630a73b3a4fc02243dfb05d1462cab194fc4f98b61a22698c62060d00654452f6a8cf158df3e7716a48062a867b67ca3fe70

Download Submit
C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr

Filesize
5.3MB

MD5
1fe7083d76e76df3f3d571beb38669fb

SHA1
dfd0b4769a35ec89b1e3a67f619d9e0437c7f022

SHA256
3993cae18dd547c0a2836ee251f250f4e691b1947a81816695236c971f848b87

SHA512
a1ed0ea9c5835fdc43715b547bf7630a73b3a4fc02243dfb05d1462cab194fc4f98b61a22698c62060d00654452f6a8cf158df3e7716a48062a867b67ca3fe70

Download Submit
C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr

Filesize
5.3MB

MD5
1fe7083d76e76df3f3d571beb38669fb

SHA1
dfd0b4769a35ec89b1e3a67f619d9e0437c7f022

SHA256
3993cae18dd547c0a2836ee251f250f4e691b1947a81816695236c971f848b87

SHA512
a1ed0ea9c5835fdc43715b547bf7630a73b3a4fc02243dfb05d1462cab194fc4f98b61a22698c62060d00654452f6a8cf158df3e7716a48062a867b67ca3fe70

Download Submit
memory/1872-146-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1872-171-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2420-176-0x0000000002C00000-0x0000000002C01000-memory.dmp

Filesize
4KB

Download
memory/2420-177-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/2420-180-0x0000000000400000-0x0000000000D54000-memory.dmp

Filesize
9.3MB

Download
memory/2420-179-0x0000000002C40000-0x0000000002C41000-memory.dmp

Filesize
4KB

Download
memory/2420-175-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

Filesize
4KB

Download
memory/2420-173-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/2420-174-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/2420-178-0x0000000002C20000-0x0000000002C21000-memory.dmp

Filesize
4KB

Download
memory/3068-187-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3068-184-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3068-188-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3464-170-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/3464-156-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4960-133-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4960-149-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5080-148-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/5080-143-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download