systembc | 728c034592a639712e51321596f4dd3c24da68fa649ffb334e12bfb48018ecda

Analysis

max time kernel
298s
max time network
301s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
20-07-2023 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

728c034592a639712e51321596f4dd3c24da68fa649ffb334e12bfb48018ecda.exe
Size

4.8MB
MD5

a5fa62f8cb515e6aafc529b34671c6a7
SHA1

09ba2232776cdb5c41349fd50a8ddf5883fbfb85
SHA256

728c034592a639712e51321596f4dd3c24da68fa649ffb334e12bfb48018ecda
SHA512

0ecb161bab04660bbfcd75d01ea348a6abae3b12a5c1db42b0ee9a7a931cac1d6c931ea2db4a5dccdeb2dee39d9ba907b3e04df72b4dd79319ff818825140682
SSDEEP

12288:TeC3CZ/dn53l3lYZDGR2vK/BY3nLkpVpnG6kzv:i+m33l3lYZE2C/zG5

Score

10^/10

systembc persistence trojan

Malware Config

Extracted

Family

systembc

91.103.252.89:4317

91.103.252.57:4317

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

vcsdpii.exe

pid process

4372 vcsdpii.exe

pid	process
4372	vcsdpii.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

728c034592a639712e51321596f4dd3c24da68fa649ffb334e12bfb48018ecda.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Windows\CurrentVersion\Run	728c034592a639712e51321596f4dd3c24da68fa649ffb334e12bfb48018ecda.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3229013990-3330391637-2814184332-1000\Software\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\728c034592a639712e51321596f4dd3c24da68fa649ffb334e12bfb48018ecda.exe'\""	728c034592a639712e51321596f4dd3c24da68fa649ffb334e12bfb48018ecda.exe

Drops file in Windows directory 1 IoCs

Processes:

728c034592a639712e51321596f4dd3c24da68fa649ffb334e12bfb48018ecda.exe

description ioc process

File created C:\Windows\Tasks\idmuarbsowhxlemajbk.job 728c034592a639712e51321596f4dd3c24da68fa649ffb334e12bfb48018ecda.exe

description	ioc	process
File created	C:\Windows\Tasks\idmuarbsowhxlemajbk.job	728c034592a639712e51321596f4dd3c24da68fa649ffb334e12bfb48018ecda.exe

C:\Users\Admin\AppData\Local\Temp\728c034592a639712e51321596f4dd3c24da68fa649ffb334e12bfb48018ecda.exe
"C:\Users\Admin\AppData\Local\Temp\728c034592a639712e51321596f4dd3c24da68fa649ffb334e12bfb48018ecda.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:2832

C:\Users\Admin\AppData\Local\Temp\vcsdpii.exe
C:\Users\Admin\AppData\Local\Temp\vcsdpii.exe
1⤵
- Executes dropped EXE
PID:4372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\vcsdpii.exe

Filesize
4.8MB

MD5
d9f78b1385f35795a40b10a1011a1804

SHA1
fc7d45d97c0a38e89348dfcb64dfcf9400a88be8

SHA256
11b3386e84e32efedf037314dbf1f5e3378ff601695fb49adc71439aec576924

SHA512
d091bfe76303454f118d690f7a681056a05ed62de1723aa497e4b3a87321960314aafade014e0ff9334683143bd6d8607a6e1949315cbbc884e17f36a005d436

Download Submit
C:\Users\Admin\AppData\Local\Temp\vcsdpii.exe

Filesize
4.8MB

MD5
d9f78b1385f35795a40b10a1011a1804

SHA1
fc7d45d97c0a38e89348dfcb64dfcf9400a88be8

SHA256
11b3386e84e32efedf037314dbf1f5e3378ff601695fb49adc71439aec576924

SHA512
d091bfe76303454f118d690f7a681056a05ed62de1723aa497e4b3a87321960314aafade014e0ff9334683143bd6d8607a6e1949315cbbc884e17f36a005d436

Download Submit
memory/2832-117-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/2832-118-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/2832-119-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/2832-120-0x00000000044A0000-0x00000000048E9000-memory.dmp

Filesize
4.3MB

Download
memory/2832-121-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/4372-145-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/4372-147-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download
memory/4372-148-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/4372-150-0x0000000000400000-0x00000000008D6000-memory.dmp

Filesize
4.8MB

Download