systembc | e213bfb7d5b88a2271f0967ff6ce96aeaa1d826fd12d980f35f3ff1119391ac8

General

Target

4cd796d40813059763ce0e329f97aaa2.exe
Size

1.7MB
MD5

4cd796d40813059763ce0e329f97aaa2
SHA1

e7c982c1d11145379c325c75272d37548a1fab07
SHA256

e213bfb7d5b88a2271f0967ff6ce96aeaa1d826fd12d980f35f3ff1119391ac8
SHA512

09f7e0f69ab629f0a2f408aca64d32c890ec9d7ff5bb856b19fd9dfe2f857f234ec17ca46d1d1f08a6e25b9f66c5076e94b94703f019933650ec9a71a328d69b
SSDEEP

24576:GubsnafAPyjSzIubsnafAPyjZrixzFa3VYeYDi8LzxQevGpDxCENQs3qkMfgWahN:YI4+I1ua3yHiKdhvGpDxes3Sfg7L

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

67.211.218.147:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	work.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation	4cd796d40813059763ce0e329f97aaa2.exe

Executes dropped EXE 4 IoCs

pid	Process
844	work.exe
5004	ogkdraw.exe
4308	rgth.exe
1640	rgth.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 19 IoCs

pid	Process
5004	ogkdraw.exe
5004	ogkdraw.exe
4308	rgth.exe
4308	rgth.exe
5004	ogkdraw.exe
4308	rgth.exe
5004	ogkdraw.exe
4308	rgth.exe
5004	ogkdraw.exe
4308	rgth.exe
5004	ogkdraw.exe
4308	rgth.exe
5004	ogkdraw.exe
4308	rgth.exe
5004	ogkdraw.exe
1640	rgth.exe
1640	rgth.exe
1640	rgth.exe
1640	rgth.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rgth.job	ogkdraw.exe
File opened for modification	C:\Windows\Tasks\rgth.job	ogkdraw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5004	ogkdraw.exe
5004	ogkdraw.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5004	ogkdraw.exe
4308	rgth.exe
1640	rgth.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 4544	2876	4cd796d40813059763ce0e329f97aaa2.exe	85
PID 2876 wrote to memory of 4544	2876	4cd796d40813059763ce0e329f97aaa2.exe	85
PID 2876 wrote to memory of 4544	2876	4cd796d40813059763ce0e329f97aaa2.exe	85
PID 4544 wrote to memory of 844	4544	cmd.exe	88
PID 4544 wrote to memory of 844	4544	cmd.exe	88
PID 4544 wrote to memory of 844	4544	cmd.exe	88
PID 844 wrote to memory of 5004	844	work.exe	90
PID 844 wrote to memory of 5004	844	work.exe	90
PID 844 wrote to memory of 5004	844	work.exe	90

C:\Users\Admin\AppData\Local\Temp\4cd796d40813059763ce0e329f97aaa2.exe
"C:\Users\Admin\AppData\Local\Temp\4cd796d40813059763ce0e329f97aaa2.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4544
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
    work.exe -priverdD
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:844
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\ogkdraw.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ogkdraw.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:5004

C:\ProgramData\pbmw\rgth.exe
C:\ProgramData\pbmw\rgth.exe start2
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4308

C:\ProgramData\pbmw\rgth.exe
C:\ProgramData\pbmw\rgth.exe start2
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
1.4MB

MD5
130a355e9839499e1767866e054f3085

SHA1
515f7b83cb9904ff56a6f78984d4b88b0143ea19

SHA256
8ff0e9a4b42d001e8040be325f58e48734643e45a11b667587c6d3a4e4fabb8f

SHA512
0f3f784464beae138c7ca69948854f95c6d2a36e565e5a177ba615012fa1cb98ba7190e60d32d3f396d8ea2461d6334696c5c59447bbf3438101e2f132e3b592

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ogkdraw.exe

Filesize
1.1MB

MD5
d154a07332d28a9bafd5c195905cd5d1

SHA1
21def1f4997fa810d4634b88f71fc7a15cfe636b

SHA256
73be3166d9afd30d63a667a6f956be3670cd6e704605d94ee6db031d9b852f78

SHA512
9489d9e984c0da80c3051eb61fbd0a48a95fc5f18a5b0930b4963197aef0d99b425369812f56b9c60ad30ca4dcac9283c6cdcd4e85031975b8b536a1633f20bc

Download Submit
memory/1640-45-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/1640-44-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/1640-43-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/1640-42-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/4308-36-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/4308-40-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/4308-26-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/4308-30-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/4308-32-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/4308-28-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/4308-34-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/5004-35-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/5004-33-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/5004-38-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/5004-31-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/5004-27-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/5004-29-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/5004-24-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download
memory/5004-19-0x0000000000400000-0x0000000000769000-memory.dmp

Filesize
3.4MB

Download

Analysis

Sharing