systembc | 240ff64b312acf203a1498a58801bf79ad99617e7dbf961c6a289531d1b7b39b

Analysis

max time kernel
140s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2023 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e66dec71ef0ffbb33127f41b8ab1fe3e.dll
Size

1.5MB
MD5

e66dec71ef0ffbb33127f41b8ab1fe3e
SHA1

719e12ef09b6e3ab747421946a57739a649cf483
SHA256

240ff64b312acf203a1498a58801bf79ad99617e7dbf961c6a289531d1b7b39b
SHA512

1ba9a2f4bc6552339078762acd52b59d2ed3798d49b6b5bf0615f3caa6a315103f3166e8941b94f6d5a01e06dfdd38363e1e6d1091fe046e1697589e57a79959
SSDEEP

24576:7UA0Aa/NF9BpvbxxQO/Wh5ChSNF3PWjdCXpKO7Yq8EMHOS8NdOBG7QTOTzgZrkQ3:10xlbBpvHb/Wh5Xv3OjdKKOj8ErRNdu1

Score

10^/10

systembc evasion themida trojan

Malware Config

Extracted

Family

systembc

5.42.65.67:4298

localhost.exchange:4298

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

16 5068 rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rundll32.exe

flow	pid	process
16	5068	rundll32.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rundll32.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/5068-133-0x00007FF8163A0000-0x00007FF8168D2000-memory.dmp	themida
behavioral2/memory/5068-134-0x00007FF8163A0000-0x00007FF8168D2000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

rundll32.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

rundll32.exe

pid process

5068 rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

pid	process
5068	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e66dec71ef0ffbb33127f41b8ab1fe3e.dll,#1
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Blocklisted process makes network request
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:5068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5068-133-0x00007FF8163A0000-0x00007FF8168D2000-memory.dmp

Filesize
5.2MB

Download
memory/5068-134-0x00007FF8163A0000-0x00007FF8168D2000-memory.dmp

Filesize
5.2MB

Download