systembc | b8cdfada8522638a45efdac45fe27eb60b9860222d2486036e12d4a18688445b

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2023 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0f5e6f32198fa1837b3090b7fd71fbb.exe
Size

4.1MB
MD5

f0f5e6f32198fa1837b3090b7fd71fbb
SHA1

bfece5be6f01f5e44b5637c6d733577d8bb64941
SHA256

b8cdfada8522638a45efdac45fe27eb60b9860222d2486036e12d4a18688445b
SHA512

3af3e8e5ff6cc5dc58859ba3d1f1cc9324d2b41601236749b889f0183f514bbcbe685f62910078db590f795c84fd325656c76ac154485a0a91b26204b4f27acb
SSDEEP

6144:sB5f3YwKrMducTng1RxdBNE8ZOoXzeprQoXwg4kVUm+vL1kXwT/vEVelKh:If3zKrMduNndr3zDepGkVwvhHXEV00

Score

10^/10

systembc persistence trojan

Malware Config

Extracted

Family

systembc

91.103.252.89:4317

91.103.252.57:4317

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f0f5e6f32198fa1837b3090b7fd71fbb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Windows\CurrentVersion\Run	f0f5e6f32198fa1837b3090b7fd71fbb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\socks5 = "powershell.exe -windowstyle hidden -Command \"& 'C:\\Users\\Admin\\AppData\\Local\\Temp\\f0f5e6f32198fa1837b3090b7fd71fbb.exe'\""	f0f5e6f32198fa1837b3090b7fd71fbb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeManageVolumePrivilege 4492 svchost.exe

description	pid	process
Token: SeManageVolumePrivilege	4492	svchost.exe

C:\Users\Admin\AppData\Local\Temp\f0f5e6f32198fa1837b3090b7fd71fbb.exe
"C:\Users\Admin\AppData\Local\Temp\f0f5e6f32198fa1837b3090b7fd71fbb.exe"
1⤵
- Adds Run key to start application
PID:4220

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4204

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4492

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm
Filesize
16KB

MD5
e6237a0334aea5ed4ffde61af694af40

SHA1
b73b4ed49e23e12a0499b1ab06c1f35946bd4468

SHA256
0ff9ac655b5bfa2982d69722ed9d34836edba19913915477ea1c4bc4e366d6cb

SHA512
c43d062abf4067bdaa39f3327ea03c98dced2da472fa2bdb7a15886f9173f38189ea30fbeb1c1e5bdd6fc6d4b18abe7017be76e061256d2c6ec10fb5c0dd3d77

Download Submit
memory/4220-133-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/4220-134-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/4220-135-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/4220-136-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/4220-137-0x0000000004680000-0x0000000004A38000-memory.dmp

Filesize
3.7MB

Download
memory/4220-138-0x0000000000400000-0x000000000081F000-memory.dmp

Filesize
4.1MB

Download
memory/4492-187-0x0000026F7DA40000-0x0000026F7DA41000-memory.dmp

Filesize
4KB

Download
memory/4492-191-0x0000026F7DA40000-0x0000026F7DA41000-memory.dmp

Filesize
4KB

Download
memory/4492-184-0x0000026F7DA40000-0x0000026F7DA41000-memory.dmp

Filesize
4KB

Download
memory/4492-185-0x0000026F7DA40000-0x0000026F7DA41000-memory.dmp

Filesize
4KB

Download
memory/4492-186-0x0000026F7DA40000-0x0000026F7DA41000-memory.dmp

Filesize
4KB

Download
memory/4492-167-0x0000026F75440000-0x0000026F75450000-memory.dmp

Filesize
64KB

Download
memory/4492-188-0x0000026F7DA40000-0x0000026F7DA41000-memory.dmp

Filesize
4KB

Download
memory/4492-189-0x0000026F7DA40000-0x0000026F7DA41000-memory.dmp

Filesize
4KB

Download
memory/4492-190-0x0000026F7DA40000-0x0000026F7DA41000-memory.dmp

Filesize
4KB

Download
memory/4492-183-0x0000026F7DA20000-0x0000026F7DA21000-memory.dmp

Filesize
4KB

Download
memory/4492-192-0x0000026F7DA40000-0x0000026F7DA41000-memory.dmp

Filesize
4KB

Download
memory/4492-193-0x0000026F7DA40000-0x0000026F7DA41000-memory.dmp

Filesize
4KB

Download
memory/4492-194-0x0000026F7D670000-0x0000026F7D671000-memory.dmp

Filesize
4KB

Download
memory/4492-195-0x0000026F7D660000-0x0000026F7D661000-memory.dmp

Filesize
4KB

Download
memory/4492-197-0x0000026F7D670000-0x0000026F7D671000-memory.dmp

Filesize
4KB

Download
memory/4492-200-0x0000026F7D660000-0x0000026F7D661000-memory.dmp

Filesize
4KB

Download
memory/4492-203-0x0000026F7D5A0000-0x0000026F7D5A1000-memory.dmp

Filesize
4KB

Download
memory/4492-151-0x0000026F75340000-0x0000026F75350000-memory.dmp

Filesize
64KB

Download
memory/4492-215-0x0000026F7D7A0000-0x0000026F7D7A1000-memory.dmp

Filesize
4KB

Download