systembc | 96bb40eaf29d3619c016a62e397e02761e898f342ab4dfdb52232ceddc13846a

Analysis

max time kernel
132s
max time network
134s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
12-06-2023 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02696699.exe
Size

923KB
MD5

0c0827b80b8450ed442d0a5afbc1324c
SHA1

f212fc466d539f1b327e0f23269c4d2818e9bbfb
SHA256

96bb40eaf29d3619c016a62e397e02761e898f342ab4dfdb52232ceddc13846a
SHA512

75df0198b67109a5443c06e63c9ef145ae343c7519c9e2a4b7a06ddaf880c95a725ba223e2f183d52ee13f70c9a599e2b2ac2bcbc3d0510a4ef11941d7af118c
SSDEEP

6144:zuK8X8DB2w0M4/Pwj33eCWhBZMZ0AO5Z1YS:zgXWB0V/Pwj6LY

Score

10^/10

systembc persistence trojan

Malware Config

Extracted

Family

systembc

5.42.95.122:4308

194.87.111.29:4308

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RegSvcs.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run	RegSvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe'\""	RegSvcs.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

02696699.exe

description pid process target process

PID 1736 set thread context of 1724 1736 02696699.exe RegSvcs.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

868 1736 WerFault.exe 02696699.exe

description	pid	process	target process
PID 1736 set thread context of 1724	1736	02696699.exe	RegSvcs.exe

pid	pid_target	process	target process
868	1736	WerFault.exe	02696699.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

02696699.exe

description	pid	process	target process
PID 1736 wrote to memory of 1724	1736	02696699.exe	RegSvcs.exe
PID 1736 wrote to memory of 1724	1736	02696699.exe	RegSvcs.exe
PID 1736 wrote to memory of 1724	1736	02696699.exe	RegSvcs.exe
PID 1736 wrote to memory of 1724	1736	02696699.exe	RegSvcs.exe
PID 1736 wrote to memory of 1724	1736	02696699.exe	RegSvcs.exe
PID 1736 wrote to memory of 1724	1736	02696699.exe	RegSvcs.exe
PID 1736 wrote to memory of 1724	1736	02696699.exe	RegSvcs.exe
PID 1736 wrote to memory of 1724	1736	02696699.exe	RegSvcs.exe
PID 1736 wrote to memory of 1724	1736	02696699.exe	RegSvcs.exe
PID 1736 wrote to memory of 868	1736	02696699.exe	WerFault.exe
PID 1736 wrote to memory of 868	1736	02696699.exe	WerFault.exe
PID 1736 wrote to memory of 868	1736	02696699.exe	WerFault.exe
PID 1736 wrote to memory of 868	1736	02696699.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\02696699.exe
"C:\Users\Admin\AppData\Local\Temp\02696699.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
2⤵
- Adds Run key to start application
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1736 -s 48
2⤵
- Program crash
PID:868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1724-55-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1724-54-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1724-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1724-62-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1724-63-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download