systembc | 96bb40eaf29d3619c016a62e397e02761e898f342ab4dfdb52232ceddc13846a

Analysis

max time kernel
133s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2023 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c0827b80b8450ed442d0a5afbc1324c.exe
Size

923KB
MD5

0c0827b80b8450ed442d0a5afbc1324c
SHA1

f212fc466d539f1b327e0f23269c4d2818e9bbfb
SHA256

96bb40eaf29d3619c016a62e397e02761e898f342ab4dfdb52232ceddc13846a
SHA512

75df0198b67109a5443c06e63c9ef145ae343c7519c9e2a4b7a06ddaf880c95a725ba223e2f183d52ee13f70c9a599e2b2ac2bcbc3d0510a4ef11941d7af118c
SSDEEP

6144:zuK8X8DB2w0M4/Pwj33eCWhBZMZ0AO5Z1YS:zgXWB0V/Pwj6LY

Score

10^/10

systembc persistence trojan

Malware Config

Extracted

Family

systembc

5.42.95.122:4308

194.87.111.29:4308

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows\CurrentVersion\Run	RegSvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe'\""	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0c0827b80b8450ed442d0a5afbc1324c.exe

description pid process target process

PID 748 set thread context of 3164 748 0c0827b80b8450ed442d0a5afbc1324c.exe RegSvcs.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3152 748 WerFault.exe 0c0827b80b8450ed442d0a5afbc1324c.exe

description	pid	process	target process
PID 748 set thread context of 3164	748	0c0827b80b8450ed442d0a5afbc1324c.exe	RegSvcs.exe

pid	pid_target	process	target process
3152	748	WerFault.exe	0c0827b80b8450ed442d0a5afbc1324c.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

0c0827b80b8450ed442d0a5afbc1324c.exe

description	pid	process	target process
PID 748 wrote to memory of 3164	748	0c0827b80b8450ed442d0a5afbc1324c.exe	RegSvcs.exe
PID 748 wrote to memory of 3164	748	0c0827b80b8450ed442d0a5afbc1324c.exe	RegSvcs.exe
PID 748 wrote to memory of 3164	748	0c0827b80b8450ed442d0a5afbc1324c.exe	RegSvcs.exe
PID 748 wrote to memory of 3164	748	0c0827b80b8450ed442d0a5afbc1324c.exe	RegSvcs.exe
PID 748 wrote to memory of 3164	748	0c0827b80b8450ed442d0a5afbc1324c.exe	RegSvcs.exe

C:\Users\Admin\AppData\Local\Temp\0c0827b80b8450ed442d0a5afbc1324c.exe
"C:\Users\Admin\AppData\Local\Temp\0c0827b80b8450ed442d0a5afbc1324c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
PID:3164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 252
2⤵
- Program crash
PID:3152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 748 -ip 748
1⤵
PID:3140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3164-133-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3164-139-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3164-140-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download