systembc | af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e

Analysis

max time kernel
142s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2023 05:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe
Size

5.5MB
MD5

c48a400ccdb846dfeecdb8564ed29e6a
SHA1

a534f99c56d321e2b4cb111e5afbe38ee4dd2fd4
SHA256

af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e
SHA512

7c97935c18cf8bdb575d210b13ebc204c81b60b05036da6bbd3bf755d7a1277fe3e9012977a6d5f4573b52e2b0963c6364f56d0a2092f84909e51883ec02383b
SSDEEP

98304:097RqNuY64Jd70rj4uJUDFsPDDLuTw/mH8JVOYN8G3fPBuY5VGfiVC2jyi/HKqP6:+sNukdU4QN/mcJPVBuMAKsgqqP54

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

5.45.73.25:4246

poolsforyour.com:4246

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CrystalDiskInfo.lnk	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp

Executes dropped EXE 4 IoCs

pid	Process
2156	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
4012	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
3432	lmsass.scr
2544	lmsass.sCr

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3432	lmsass.scr

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3432 set thread context of 2544	3432	lmsass.scr	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4012	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
4012	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
3432	lmsass.scr
3432	lmsass.scr
3432	lmsass.scr
3432	lmsass.scr

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4012	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3432	lmsass.scr

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 2156	1376	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe	85
PID 1376 wrote to memory of 2156	1376	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe	85
PID 1376 wrote to memory of 2156	1376	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe	85
PID 2156 wrote to memory of 3160	2156	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp	86
PID 2156 wrote to memory of 3160	2156	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp	86
PID 2156 wrote to memory of 3160	2156	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp	86
PID 3160 wrote to memory of 4012	3160	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe	87
PID 3160 wrote to memory of 4012	3160	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe	87
PID 3160 wrote to memory of 4012	3160	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe	87
PID 4012 wrote to memory of 3432	4012	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp	88
PID 4012 wrote to memory of 3432	4012	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp	88
PID 4012 wrote to memory of 3432	4012	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp	88
PID 4012 wrote to memory of 4752	4012	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp	89
PID 4012 wrote to memory of 4752	4012	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp	89
PID 4012 wrote to memory of 4752	4012	af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp	89
PID 3432 wrote to memory of 2544	3432	lmsass.scr	92
PID 3432 wrote to memory of 2544	3432	lmsass.scr	92
PID 3432 wrote to memory of 2544	3432	lmsass.scr	92
PID 3432 wrote to memory of 2544	3432	lmsass.scr	92
PID 3432 wrote to memory of 2544	3432	lmsass.scr	92
PID 3432 wrote to memory of 2544	3432	lmsass.scr	92
PID 3432 wrote to memory of 2544	3432	lmsass.scr	92
PID 3432 wrote to memory of 2544	3432	lmsass.scr	92
PID 3432 wrote to memory of 2544	3432	lmsass.scr	92

C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe
"C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Users\Admin\AppData\Local\Temp\is-GLP0A.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-GLP0A.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp" /SL5="$B006A,5336595,180224,C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe
    "C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe" /verysilent /sp-
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3160
  - - C:\Users\Admin\AppData\Local\Temp\is-JJMKH.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-JJMKH.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp" /SL5="$C0058,5336595,180224,C:\Users\Admin\AppData\Local\Temp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.exe" /verysilent /sp-
      4⤵
      Drops startup file
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4012
    - - C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr
        
        "C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr"
        5⤵
        Executes dropped EXE
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3432
      - C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr
        
        "C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.sCr"
        6⤵
        Executes dropped EXE
        
        PID:2544
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\.cmd""
        5⤵
        
        PID:4752

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\.cmd

Filesize
260B

MD5
4af21e3fc07cc9c73f4c50e7901c8c77

SHA1
94c18702bf325aaa2d9c90305d2fe153a9503062

SHA256
bc5610e5d7384956a9b479ac767ef072daf46c92d952a6cf1db6fa2f31eae6d3

SHA512
400bbde81b3e4fe9a3e92e07d34113982aefeeb7867c2c229f585ff02148924fe15fcefa6330992436540620b06702da4ae6192b92997e40d5003a4a99439e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-6OCD5.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GLP0A.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp

Filesize
1.5MB

MD5
52b26165c6e3716fb6a13f90199b8945

SHA1
af0276a652e8ee18b2275d1182305c78275852bb

SHA256
9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc

SHA512
38e6623bc859addf36e8f9e4caecd0947338a56912c4fa6876af969138efcb3af4a65ccbe4f609bb81f07df87a73eb539b66a0508a51dc62a4295ba40d90b3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GLP0A.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp

Filesize
1.5MB

MD5
52b26165c6e3716fb6a13f90199b8945

SHA1
af0276a652e8ee18b2275d1182305c78275852bb

SHA256
9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc

SHA512
38e6623bc859addf36e8f9e4caecd0947338a56912c4fa6876af969138efcb3af4a65ccbe4f609bb81f07df87a73eb539b66a0508a51dc62a4295ba40d90b3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JJMKH.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp

Filesize
1.5MB

MD5
52b26165c6e3716fb6a13f90199b8945

SHA1
af0276a652e8ee18b2275d1182305c78275852bb

SHA256
9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc

SHA512
38e6623bc859addf36e8f9e4caecd0947338a56912c4fa6876af969138efcb3af4a65ccbe4f609bb81f07df87a73eb539b66a0508a51dc62a4295ba40d90b3c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-JJMKH.tmp\af1679585c261a5a4490b7848e65d45b6bc030fa124e75cccc2ac28e615d041e.tmp

Filesize
1.5MB

MD5
52b26165c6e3716fb6a13f90199b8945

SHA1
af0276a652e8ee18b2275d1182305c78275852bb

SHA256
9db907ea722ff077ccb615d1e78c9c948a019e820ea732a380f0e0ed1cf812bc

SHA512
38e6623bc859addf36e8f9e4caecd0947338a56912c4fa6876af969138efcb3af4a65ccbe4f609bb81f07df87a73eb539b66a0508a51dc62a4295ba40d90b3c6

Download Submit
C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr

Filesize
5.3MB

MD5
1fe7083d76e76df3f3d571beb38669fb

SHA1
dfd0b4769a35ec89b1e3a67f619d9e0437c7f022

SHA256
3993cae18dd547c0a2836ee251f250f4e691b1947a81816695236c971f848b87

SHA512
a1ed0ea9c5835fdc43715b547bf7630a73b3a4fc02243dfb05d1462cab194fc4f98b61a22698c62060d00654452f6a8cf158df3e7716a48062a867b67ca3fe70

Download Submit
C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr

Filesize
5.3MB

MD5
1fe7083d76e76df3f3d571beb38669fb

SHA1
dfd0b4769a35ec89b1e3a67f619d9e0437c7f022

SHA256
3993cae18dd547c0a2836ee251f250f4e691b1947a81816695236c971f848b87

SHA512
a1ed0ea9c5835fdc43715b547bf7630a73b3a4fc02243dfb05d1462cab194fc4f98b61a22698c62060d00654452f6a8cf158df3e7716a48062a867b67ca3fe70

Download Submit
C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr

Filesize
5.3MB

MD5
1fe7083d76e76df3f3d571beb38669fb

SHA1
dfd0b4769a35ec89b1e3a67f619d9e0437c7f022

SHA256
3993cae18dd547c0a2836ee251f250f4e691b1947a81816695236c971f848b87

SHA512
a1ed0ea9c5835fdc43715b547bf7630a73b3a4fc02243dfb05d1462cab194fc4f98b61a22698c62060d00654452f6a8cf158df3e7716a48062a867b67ca3fe70

Download Submit
C:\Users\Admin\AppData\Roaming\CrystalDiskInfo8.17.4\lmsass.scr

Filesize
5.3MB

MD5
1fe7083d76e76df3f3d571beb38669fb

SHA1
dfd0b4769a35ec89b1e3a67f619d9e0437c7f022

SHA256
3993cae18dd547c0a2836ee251f250f4e691b1947a81816695236c971f848b87

SHA512
a1ed0ea9c5835fdc43715b547bf7630a73b3a4fc02243dfb05d1462cab194fc4f98b61a22698c62060d00654452f6a8cf158df3e7716a48062a867b67ca3fe70

Download Submit
memory/1376-154-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1376-133-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1376-144-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2156-152-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/2156-145-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download
memory/2156-139-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2544-188-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2544-192-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/2544-191-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3160-150-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3160-176-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3432-180-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/3432-181-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/3432-182-0x0000000001070000-0x0000000001071000-memory.dmp

Filesize
4KB

Download
memory/3432-183-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/3432-184-0x0000000000400000-0x0000000000D54000-memory.dmp

Filesize
9.3MB

Download
memory/3432-179-0x0000000001040000-0x0000000001041000-memory.dmp

Filesize
4KB

Download
memory/3432-178-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/3432-177-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/4012-162-0x0000000000740000-0x0000000000741000-memory.dmp

Filesize
4KB

Download
memory/4012-175-0x0000000000400000-0x0000000000582000-memory.dmp

Filesize
1.5MB

Download