systembc | 204e68df323cbcabdd60a878fa5444df2ddd1fbaa8411d6350649e4a2e233434

Analysis

max time kernel
141s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2023 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

204e68df323cbcabdd60a878fa5444df2ddd1fbaa8411d6350649e4a2e233434.exe
Size

164KB
MD5

5e11dd2bc2627a60f664e37c36e735a7
SHA1

550d348ea3f28ba8a0e67675775e26de282fc51f
SHA256

204e68df323cbcabdd60a878fa5444df2ddd1fbaa8411d6350649e4a2e233434
SHA512

5eef7950796c878b368871463cab0f79899b13b0649c38ee36b6630b55ab15b04b5859e833285965fd394eaab846eb09773733529f02b8f2606c1e59f7afe8fe
SSDEEP

3072:ZKLBjs/w8UiFBS8VX6tfnVFIDeErAeAmE7J0T84UdX5Awy:8LBA/SiLRVX4Inm5cF

Score

10^/10

systembc persistence trojan

Malware Config

Extracted

Family

systembc

adstat477d.xyz:4044

demstat577d.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

204e68df323cbcabdd60a878fa5444df2ddd1fbaa8411d6350649e4a2e233434.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\Software\Microsoft\Windows\CurrentVersion\Run	204e68df323cbcabdd60a878fa5444df2ddd1fbaa8411d6350649e4a2e233434.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1043950675-1972537973-2972532878-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\204e68df323cbcabdd60a878fa5444df2ddd1fbaa8411d6350649e4a2e233434.exe'\""	204e68df323cbcabdd60a878fa5444df2ddd1fbaa8411d6350649e4a2e233434.exe

C:\Users\Admin\AppData\Local\Temp\204e68df323cbcabdd60a878fa5444df2ddd1fbaa8411d6350649e4a2e233434.exe
"C:\Users\Admin\AppData\Local\Temp\204e68df323cbcabdd60a878fa5444df2ddd1fbaa8411d6350649e4a2e233434.exe"
1⤵
- Adds Run key to start application
PID:4820

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4820-134-0x0000000000620000-0x0000000000720000-memory.dmp

Filesize
1024KB

Download
memory/4820-135-0x00000000005C0000-0x00000000005C5000-memory.dmp

Filesize
20KB

Download
memory/4820-136-0x0000000000400000-0x00000000004E3000-memory.dmp

Filesize
908KB

Download
memory/4820-138-0x0000000000620000-0x0000000000720000-memory.dmp

Filesize
1024KB

Download
memory/4820-139-0x00000000005C0000-0x00000000005C5000-memory.dmp

Filesize
20KB

Download