systembc | 322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813

General

Target

322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813.exe
Size

1.6MB
MD5

08e3930a42197a422d064569c4778997
SHA1

74832aa332b48422e5d448f5099b397e84c18712
SHA256

322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813
SHA512

b70952bc3cd54abcc2c7c1c71b1f16d96a001900574237263a210512a348542e6ec7a05e7fcc0ff5831a200db23fae06f2bbb0f0bb249599fed0fa1761516368
SSDEEP

24576:mzE0vhwHbExPyG6Ci5KqGxgxvgwEL3h3z1MKiA9iS888PXmNkAZvrdt/kFPXjdpr:mtaEpGcqmtwEbhD1ViA9/PjPwPXj3VV

Score

10^/10

systembc evasion persistence trojan

Malware Config

Extracted

Family

systembc

C2

185.161.248.16:4440

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Wine	322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Software\Microsoft\Windows\CurrentVersion\Run	322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813.exe'\""	322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813.exe

pid process

4424 322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813.exe

pid	process
4424	322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813.exe
4424	322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813.exe

C:\Users\Admin\AppData\Local\Temp\322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813.exe
"C:\Users\Admin\AppData\Local\Temp\322626ca37f3929c517b4c0ceeb130836be5f36a1eb68ab0adb00c0f4a3f3813.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4424-133-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/4424-134-0x0000000004910000-0x0000000004911000-memory.dmp

Filesize
4KB

Download
memory/4424-135-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/4424-136-0x00000000048F0000-0x00000000048F1000-memory.dmp

Filesize
4KB

Download
memory/4424-137-0x00000000048E0000-0x00000000048E1000-memory.dmp

Filesize
4KB

Download
memory/4424-138-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/4424-139-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/4424-140-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/4424-141-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/4424-142-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/4424-143-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/4424-144-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/4424-145-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/4424-146-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/4424-147-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/4424-148-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/4424-149-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/4424-150-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download
memory/4424-151-0x0000000000400000-0x000000000083B000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads