systembc | 8b399f768287de13f64a468c4b57e19f5867d29b9e8906d070844b430166ea92

Analysis

max time kernel
294s
max time network
298s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
20-07-2023 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b399f768287de13f64a468c4b57e19f5867d29b9e8906d070844b430166ea92.exe
Size

4.8MB
MD5

0b4e2d65448cb900ec1d64ea564de052
SHA1

d1348e11bf46327def51ff5c892894f9cb66e501
SHA256

8b399f768287de13f64a468c4b57e19f5867d29b9e8906d070844b430166ea92
SHA512

ead754d3337b40f7fd2d5820e888112d37824523b2000f847ef805ae9fc1a519c11fbd7f8c5a108b6275479d78ac21ae7a517a79456e0f9ce9b22713deda5d46
SSDEEP

12288:TeC3CZ/dn53l3lYZDGR2vK/BY3nLkpVpnG6kzD:i+m33l3lYZE2C/zG5

Score

10^/10

systembc persistence trojan

Malware Config

Extracted

Family

systembc

91.103.252.89:4317

91.103.252.57:4317

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

omluf.exe

pid process

2292 omluf.exe

pid	process
2292	omluf.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8b399f768287de13f64a468c4b57e19f5867d29b9e8906d070844b430166ea92.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows\CurrentVersion\Run	8b399f768287de13f64a468c4b57e19f5867d29b9e8906d070844b430166ea92.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1024678951-1535676557-2778719785-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\8b399f768287de13f64a468c4b57e19f5867d29b9e8906d070844b430166ea92.exe'\""	8b399f768287de13f64a468c4b57e19f5867d29b9e8906d070844b430166ea92.exe

Drops file in Windows directory 1 IoCs

Processes:

8b399f768287de13f64a468c4b57e19f5867d29b9e8906d070844b430166ea92.exe

description ioc process

File created C:\Windows\Tasks\bjjudjpwelrxhmsbhnu.job 8b399f768287de13f64a468c4b57e19f5867d29b9e8906d070844b430166ea92.exe

description	ioc	process
File created	C:\Windows\Tasks\bjjudjpwelrxhmsbhnu.job	8b399f768287de13f64a468c4b57e19f5867d29b9e8906d070844b430166ea92.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 2708 wrote to memory of 2292	2708	taskeng.exe	omluf.exe
PID 2708 wrote to memory of 2292	2708	taskeng.exe	omluf.exe
PID 2708 wrote to memory of 2292	2708	taskeng.exe	omluf.exe
PID 2708 wrote to memory of 2292	2708	taskeng.exe	omluf.exe

C:\Users\Admin\AppData\Local\Temp\8b399f768287de13f64a468c4b57e19f5867d29b9e8906d070844b430166ea92.exe
"C:\Users\Admin\AppData\Local\Temp\8b399f768287de13f64a468c4b57e19f5867d29b9e8906d070844b430166ea92.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:2256

C:\Windows\system32\taskeng.exe
taskeng.exe {1AD7E9CE-10BF-4A52-8820-FBC62373B7FB} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Local\Temp\omluf.exe
C:\Users\Admin\AppData\Local\Temp\omluf.exe
2⤵
- Executes dropped EXE
PID:2292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\omluf.exe
Filesize
4.8MB

MD5
e2ec8ec54563605f55250a2240333a0d

SHA1
20b25702b9a699cf0ed75d5c1e1c81da5ba641bf

SHA256
48329b1fbc1d5c5ff5ecb32c7bc3cb74cc68c28a8b65703687d8cd729140f963

SHA512
7a9ceb9c69d621b8341d04e8963119ac80f266d5f86b438404ae9ba1b20267524f15fcb79fea285b1505d9d5cb7bb291cba28942a4d7e98076830ce13ff48228

Download Submit
C:\Users\Admin\AppData\Local\Temp\omluf.exe
Filesize
4.8MB

MD5
e2ec8ec54563605f55250a2240333a0d

SHA1
20b25702b9a699cf0ed75d5c1e1c81da5ba641bf

SHA256
48329b1fbc1d5c5ff5ecb32c7bc3cb74cc68c28a8b65703687d8cd729140f963

SHA512
7a9ceb9c69d621b8341d04e8963119ac80f266d5f86b438404ae9ba1b20267524f15fcb79fea285b1505d9d5cb7bb291cba28942a4d7e98076830ce13ff48228

Download Submit
memory/2256-54-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2256-55-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/2256-56-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2256-58-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/2256-57-0x0000000003420000-0x0000000003869000-memory.dmp

Filesize
4.3MB

Download
memory/2292-84-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2292-87-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2292-86-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/2292-88-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download