systembc | 2227d5b2e2782a03bdb847a8ebf9ea40cc2c9f10f48385154c66ded1577b1deb

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2023 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

2.4MB
MD5

82cf051811579ee4f1d9978af52f12db
SHA1

34122975ea9238001cb644955a1474f4d33f9e7b
SHA256

2227d5b2e2782a03bdb847a8ebf9ea40cc2c9f10f48385154c66ded1577b1deb
SHA512

1eb2df40b3e98a0289b2ccd51d0d0861c9e967220b745643210ecdda63e2aeebaf5940b2d0a319dd0ffc6754238aa0a897ee261d06528c645740082a07de3b73
SSDEEP

49152:M32RUvjn/TCGDQiMDpU/Sb8HDWSrbmnidPtrmEKhPlGRr4g0aQ7svt/:nyn/+GDhOcSb8HDhrK8rtGlGRr4+

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

ar.undata.cc:5320

ar1.undata.cc:5320

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

tmp.exe

description pid process target process

PID 3508 created 3244 3508 tmp.exe Explorer.EXE
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

ICQ.exe

pid process

4996 ICQ.exe
Loads dropped DLL 12 IoCs

Processes:

ICQ.exe

pid process

4996 ICQ.exe
4996 ICQ.exe
4996 ICQ.exe
4996 ICQ.exe
4996 ICQ.exe
4996 ICQ.exe
4996 ICQ.exe
4996 ICQ.exe
4996 ICQ.exe
4996 ICQ.exe
4996 ICQ.exe
4996 ICQ.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ICQ.exe

description pid process target process

PID 4996 set thread context of 3620 4996 ICQ.exe cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

tmp.exeICQ.execmd.exe

pid process

3508 tmp.exe
3508 tmp.exe
4996 ICQ.exe
3620 cmd.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

ICQ.execmd.exe

pid process

4996 ICQ.exe
3620 cmd.exe

description	pid	process	target process
PID 3508 created 3244	3508	tmp.exe	Explorer.EXE

pid	process
4996	ICQ.exe

pid	process
4996	ICQ.exe
4996	ICQ.exe
4996	ICQ.exe
4996	ICQ.exe
4996	ICQ.exe
4996	ICQ.exe
4996	ICQ.exe
4996	ICQ.exe
4996	ICQ.exe
4996	ICQ.exe
4996	ICQ.exe
4996	ICQ.exe

description	pid	process	target process
PID 4996 set thread context of 3620	4996	ICQ.exe	cmd.exe

pid	process
3508	tmp.exe
3508	tmp.exe
4996	ICQ.exe
3620	cmd.exe

pid	process
4996	ICQ.exe
3620	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

tmp.exeICQ.execmd.exe

description	pid	process	target process
PID 3508 wrote to memory of 4996	3508	tmp.exe	ICQ.exe
PID 3508 wrote to memory of 4996	3508	tmp.exe	ICQ.exe
PID 3508 wrote to memory of 4996	3508	tmp.exe	ICQ.exe
PID 4996 wrote to memory of 3620	4996	ICQ.exe	cmd.exe
PID 4996 wrote to memory of 3620	4996	ICQ.exe	cmd.exe
PID 4996 wrote to memory of 3620	4996	ICQ.exe	cmd.exe
PID 4996 wrote to memory of 3620	4996	ICQ.exe	cmd.exe
PID 3620 wrote to memory of 1008	3620	cmd.exe	explorer.exe
PID 3620 wrote to memory of 1008	3620	cmd.exe	explorer.exe
PID 3620 wrote to memory of 1008	3620	cmd.exe	explorer.exe
PID 3620 wrote to memory of 1008	3620	cmd.exe	explorer.exe
PID 3620 wrote to memory of 1008	3620	cmd.exe	explorer.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3244

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3508

C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe
"C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4996

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3620

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
4⤵
PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\198b2a3a
Filesize
436KB

MD5
613c2638da333b4727b2891f5c0298f8

SHA1
bac62df1670ccaa3455707929238d09f3e592d82

SHA256
f5cdf0fba6ac3ddd64a2957539272817b3aad6aef454cf353a47866bf14f88e3

SHA512
f3e2db45332eb29ed45cfcfb1a9ee54e258cd0f8167958d72fb1779319296384db4cddfc9e83ea5903847c0d562482b8d60fbbbfee603aae9456e742b6e4feb5

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe
Filesize
168KB

MD5
aef6452711538d9021f929a2a5f633cf

SHA1
205b7fab75e77d1ff123991489462d39128e03f6

SHA256
e611a1ffbe9e08a2660bc290a581aa0b54637524aaf6040a70e54f97136ce5ac

SHA512
7ad84d4d3bab3f5a3e14f336d8931bf4b876299000081b2a94a3fcf698c56b82514753b483c5b8d7ae84ddd92ee1c4043fa5e7fb7c4f7e9eb52ca8c794e508b7

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\ICQ.exe
Filesize
168KB

MD5
aef6452711538d9021f929a2a5f633cf

SHA1
205b7fab75e77d1ff123991489462d39128e03f6

SHA256
e611a1ffbe9e08a2660bc290a581aa0b54637524aaf6040a70e54f97136ce5ac

SHA512
7ad84d4d3bab3f5a3e14f336d8931bf4b876299000081b2a94a3fcf698c56b82514753b483c5b8d7ae84ddd92ee1c4043fa5e7fb7c4f7e9eb52ca8c794e508b7

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\MCoreLib.dll
Filesize
106KB

MD5
815b07c37c83b13457d37ca8c6a7a561

SHA1
746138b85e5611fd058c008411889a15870083cd

SHA256
153c1b5e96e7bc4c9f858c3cc3bc6cd5e09ef68776d95871ca38824c430654c4

SHA512
8949ab1deae036ae785ad20c634519aa368b4768f0dd65c0dc53f8ea70dd7d707c984277b914de14054eb8a044182ff78205e3a02555e377750bb829760b8c31

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\MCoreLib.dll
Filesize
106KB

MD5
815b07c37c83b13457d37ca8c6a7a561

SHA1
746138b85e5611fd058c008411889a15870083cd

SHA256
153c1b5e96e7bc4c9f858c3cc3bc6cd5e09ef68776d95871ca38824c430654c4

SHA512
8949ab1deae036ae785ad20c634519aa368b4768f0dd65c0dc53f8ea70dd7d707c984277b914de14054eb8a044182ff78205e3a02555e377750bb829760b8c31

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\MDb.dll
Filesize
205KB

MD5
be1262b27ff4a4349b337cc95b7746e7

SHA1
a88b9a167baedbaef047b862caecb8206548c2f6

SHA256
ab47f3a52c1c2a7f1855c48e2d085e87345590b1fb78353c7070c3b6600843fd

SHA512
d70a9f1113b2b11ff5df3644b97d13cfe1deee1def13e751eabd8e84858e4ae6eb58d45926a1443cafbb7a261bcb61285b4c316014b43c6c6971f7261e13bb96

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\MDb.dll
Filesize
205KB

MD5
be1262b27ff4a4349b337cc95b7746e7

SHA1
a88b9a167baedbaef047b862caecb8206548c2f6

SHA256
ab47f3a52c1c2a7f1855c48e2d085e87345590b1fb78353c7070c3b6600843fd

SHA512
d70a9f1113b2b11ff5df3644b97d13cfe1deee1def13e751eabd8e84858e4ae6eb58d45926a1443cafbb7a261bcb61285b4c316014b43c6c6971f7261e13bb96

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\MKernel.dll
Filesize
219KB

MD5
ab9ee0529bab6495e65bf7d25c2476a2

SHA1
4438dc373b04cbab0320ccdf3ec5da8fb85f5f4f

SHA256
4f3e310c5b4fe873a91b19db66e2c1b69a30b4bf7362570d6b1d7d5105a4b0a9

SHA512
05f4018f370ac18e32ab2c2642430154b5050948b12f0822024c960ffed94dc65469c22f01d67d0948fc1aa3eea16d3f0b47569275e87aacd934b74e83e2e7b4

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\MKernel.dll
Filesize
219KB

MD5
ab9ee0529bab6495e65bf7d25c2476a2

SHA1
4438dc373b04cbab0320ccdf3ec5da8fb85f5f4f

SHA256
4f3e310c5b4fe873a91b19db66e2c1b69a30b4bf7362570d6b1d7d5105a4b0a9

SHA512
05f4018f370ac18e32ab2c2642430154b5050948b12f0822024c960ffed94dc65469c22f01d67d0948fc1aa3eea16d3f0b47569275e87aacd934b74e83e2e7b4

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\MSVCP71.dll
Filesize
488KB

MD5
561fa2abb31dfa8fab762145f81667c2

SHA1
c8ccb04eedac821a13fae314a2435192860c72b8

SHA256
df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

SHA512
7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\MSVCR71.dll
Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\MUICoreLib.dll
Filesize
824KB

MD5
60a5383ba17d8f519cb4356e28873a14

SHA1
6bf70393d957320a921226c7fcdf352a0a67442d

SHA256
80878e4543959b63cbd87e3ebb82f4988cbbdf9da564370aa15410783c5f343f

SHA512
a0e0ef1d821e13977d14a806357128285edc0a26c01dcf9fd99e7c62f8efccdf608b1c0dceb1f3f40e988692eb549e22193d9ce253a1c0c1d8b10c46955bee12

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\MUICoreLib.dll
Filesize
824KB

MD5
60a5383ba17d8f519cb4356e28873a14

SHA1
6bf70393d957320a921226c7fcdf352a0a67442d

SHA256
80878e4543959b63cbd87e3ebb82f4988cbbdf9da564370aa15410783c5f343f

SHA512
a0e0ef1d821e13977d14a806357128285edc0a26c01dcf9fd99e7c62f8efccdf608b1c0dceb1f3f40e988692eb549e22193d9ce253a1c0c1d8b10c46955bee12

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\MUICoreLib.dll
Filesize
824KB

MD5
60a5383ba17d8f519cb4356e28873a14

SHA1
6bf70393d957320a921226c7fcdf352a0a67442d

SHA256
80878e4543959b63cbd87e3ebb82f4988cbbdf9da564370aa15410783c5f343f

SHA512
a0e0ef1d821e13977d14a806357128285edc0a26c01dcf9fd99e7c62f8efccdf608b1c0dceb1f3f40e988692eb549e22193d9ce253a1c0c1d8b10c46955bee12

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\MUIUtils.dll
Filesize
385KB

MD5
97d6efb8b8e0b0f03701a7bafc398545

SHA1
0fe11e0b7f47fdec9aaa98b83728c125409e9d5b

SHA256
51c8715fac6797b7f962a68903f1f994c2af1088ac31972b5e512dab5ab4fd8e

SHA512
2bf8935ad96f35586be6074e8798fa36ee13a05cef05aa0df120ef6800cc1d941310c672894d2380b87c7491663c137fa5bcade4a732bcc6448ba3bf0badb2d7

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\MUIUtils.dll
Filesize
385KB

MD5
97d6efb8b8e0b0f03701a7bafc398545

SHA1
0fe11e0b7f47fdec9aaa98b83728c125409e9d5b

SHA256
51c8715fac6797b7f962a68903f1f994c2af1088ac31972b5e512dab5ab4fd8e

SHA512
2bf8935ad96f35586be6074e8798fa36ee13a05cef05aa0df120ef6800cc1d941310c672894d2380b87c7491663c137fa5bcade4a732bcc6448ba3bf0badb2d7

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\MUIUtils.dll
Filesize
385KB

MD5
97d6efb8b8e0b0f03701a7bafc398545

SHA1
0fe11e0b7f47fdec9aaa98b83728c125409e9d5b

SHA256
51c8715fac6797b7f962a68903f1f994c2af1088ac31972b5e512dab5ab4fd8e

SHA512
2bf8935ad96f35586be6074e8798fa36ee13a05cef05aa0df120ef6800cc1d941310c672894d2380b87c7491663c137fa5bcade4a732bcc6448ba3bf0badb2d7

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\MUtils.dll
Filesize
619KB

MD5
6da9a492898b66db78f5c9d3fc7ecc64

SHA1
d264f67d92ccd4cfeaed1510ed0b6ae90d3f7db4

SHA256
50dfc607913a47dd266e27f6533f3f6b8f9fe995582f7662a944149a26b5054c

SHA512
11bc138d16f279d70ece09e3d238ce891bc5015b6d49a750e153c2b9286bf95e285e818ed5e25e7c731cdfff1324cdb74155f68fda0ef8104eb0d554e2b2923e

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\MUtils.dll
Filesize
619KB

MD5
6da9a492898b66db78f5c9d3fc7ecc64

SHA1
d264f67d92ccd4cfeaed1510ed0b6ae90d3f7db4

SHA256
50dfc607913a47dd266e27f6533f3f6b8f9fe995582f7662a944149a26b5054c

SHA512
11bc138d16f279d70ece09e3d238ce891bc5015b6d49a750e153c2b9286bf95e285e818ed5e25e7c731cdfff1324cdb74155f68fda0ef8104eb0d554e2b2923e

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\coolcore49.dll
Filesize
764KB

MD5
4f27d1bacaf09d1919484355b341c868

SHA1
f1be78d484235270a1416c6acb20e2915ae050db

SHA256
12cddd3c62ff777f1738226fe0b4b36c8170e5e1c0c47fb5913f1a780dc5f450

SHA512
328277fe18d2bbc11160d0c239c90e94d2689b8dbefb6fe46febb730fbcc6e18ced429f839d7a81d8e1b42fe4c1cb4afaaa5745353daf271ac21984f5c67aced

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\coolcore49.dll
Filesize
764KB

MD5
4f27d1bacaf09d1919484355b341c868

SHA1
f1be78d484235270a1416c6acb20e2915ae050db

SHA256
12cddd3c62ff777f1738226fe0b4b36c8170e5e1c0c47fb5913f1a780dc5f450

SHA512
328277fe18d2bbc11160d0c239c90e94d2689b8dbefb6fe46febb730fbcc6e18ced429f839d7a81d8e1b42fe4c1cb4afaaa5745353daf271ac21984f5c67aced

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\msvcp71.dll
Filesize
488KB

MD5
561fa2abb31dfa8fab762145f81667c2

SHA1
c8ccb04eedac821a13fae314a2435192860c72b8

SHA256
df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

SHA512
7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\msvcr71.dll
Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\shallop.wmv
Filesize
312KB

MD5
983058d5482f9477c6b4fe17faef85db

SHA1
00d43c0588c8c88c9076b911d65d94d0b0913b69

SHA256
d3b79dee1b597a1901e7c7721b8019b79e555495d234056a85bbf0d7b1fc83a2

SHA512
d8a5589c890faf88dfac93c3f1d4818a6d20db5bd7830366c49247ec20426605c4c4b868eca4e0729a01f56dce3c87bfbe379d2c50f9bf5ffef3afcc50f8163a

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\xprt6.dll
Filesize
244KB

MD5
d145903e217ddde20ce32ed9e5074e16

SHA1
bdb3265d872f446d7445aae4f2d0beba5dae3bd8

SHA256
9317971d3615415691420d06b06de89b67aea164877b74e308bb9c338ca0eca4

SHA512
00e7df32ab3c8a46b4e8761634ddeac28410f46a9312923f46b1d83376d69489653763661f2c51ac9f85028a11d8496c911eabcb55a19222caf311be61504666

Download Submit
C:\Users\Admin\AppData\Roaming\activeds\xprt6.dll
Filesize
244KB

MD5
d145903e217ddde20ce32ed9e5074e16

SHA1
bdb3265d872f446d7445aae4f2d0beba5dae3bd8

SHA256
9317971d3615415691420d06b06de89b67aea164877b74e308bb9c338ca0eca4

SHA512
00e7df32ab3c8a46b4e8761634ddeac28410f46a9312923f46b1d83376d69489653763661f2c51ac9f85028a11d8496c911eabcb55a19222caf311be61504666

Download Submit
memory/1008-183-0x0000000000E20000-0x0000000000E28000-memory.dmp

Filesize
32KB

Download
memory/1008-184-0x00007FF8E4010000-0x00007FF8E4205000-memory.dmp

Filesize
2.0MB

Download
memory/1008-185-0x0000000000E20000-0x0000000000E28000-memory.dmp

Filesize
32KB

Download
memory/1008-186-0x0000000000100000-0x0000000000533000-memory.dmp

Filesize
4.2MB

Download
memory/1008-187-0x0000000000E20000-0x0000000000E28000-memory.dmp

Filesize
32KB

Download
memory/1008-189-0x0000000000E20000-0x0000000000E28000-memory.dmp

Filesize
32KB

Download
memory/3508-134-0x0000000074D90000-0x0000000075021000-memory.dmp

Filesize
2.6MB

Download
memory/3620-179-0x00000000744B0000-0x0000000075704000-memory.dmp

Filesize
18.3MB

Download
memory/3620-181-0x00007FF8E4010000-0x00007FF8E4205000-memory.dmp

Filesize
2.0MB

Download
memory/4996-174-0x0000000000610000-0x00000000006E1000-memory.dmp

Filesize
836KB

Download
memory/4996-171-0x0000000000540000-0x00000000005A3000-memory.dmp

Filesize
396KB

Download
memory/4996-177-0x00000000744B0000-0x0000000075704000-memory.dmp

Filesize
18.3MB

Download