systembc | 306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c

Analysis

max time kernel
257s
max time network
288s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
16-05-2024 22:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe
Size

667KB
MD5

e953d58e12762f7283bf62ad9f214dbb
SHA1

e2915c5f414312a3fdc7e5f353de3d3d15cd6a22
SHA256

306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c
SHA512

993f5859da479952cb66fd2f286d3843092a1a7393a66b97ff174178d303d864ba8e10c459a2e68f8b28b0eb9f4ecefc90ac25e251febff21f033ec8aaab8004
SSDEEP

6144:tM0RkR33Bj+4jZr3iXlmGNa/LULvJ5+4weYmKNtgeAUBMmihN:tM0uRvVSVmGULqvJGe32/tk

Score

10^/10

systembc persistence trojan

Malware Config

Extracted

Family

systembc

212.162.153.199:4382

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Executes dropped EXE 3 IoCs

pid	Process
32	svshost.exe.exe
3888	svshost.exe.exe
3680	svshost.exe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\scshost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\svshost.exe.exe"	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 32 set thread context of 3680	32	svshost.exe.exe	83

Runs ping.exe 1 TTPs 3 IoCs

Remote System Discovery

T1018

pid	Process
4148	PING.EXE
3112	PING.EXE
5068	PING.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
4440	306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe
4440	306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe
4440	306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe
4440	306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe
4440	306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe
4440	306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe
4440	306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe
4440	306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe
4440	306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe
4440	306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe
4440	306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe
4440	306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe
4440	306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe
4440	306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe
4440	306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe
32	svshost.exe.exe
32	svshost.exe.exe
32	svshost.exe.exe
32	svshost.exe.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4440	306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe
Token: SeDebugPrivilege	32	svshost.exe.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 4444	4440	306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe	73
PID 4440 wrote to memory of 4444	4440	306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe	73
PID 4440 wrote to memory of 4444	4440	306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe	73
PID 4444 wrote to memory of 4148	4444	cmd.exe	75
PID 4444 wrote to memory of 4148	4444	cmd.exe	75
PID 4444 wrote to memory of 4148	4444	cmd.exe	75
PID 4440 wrote to memory of 4356	4440	306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe	76
PID 4440 wrote to memory of 4356	4440	306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe	76
PID 4440 wrote to memory of 4356	4440	306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe	76
PID 4356 wrote to memory of 3112	4356	cmd.exe	78
PID 4356 wrote to memory of 3112	4356	cmd.exe	78
PID 4356 wrote to memory of 3112	4356	cmd.exe	78
PID 4444 wrote to memory of 3084	4444	cmd.exe	79
PID 4444 wrote to memory of 3084	4444	cmd.exe	79
PID 4444 wrote to memory of 3084	4444	cmd.exe	79
PID 4356 wrote to memory of 5068	4356	cmd.exe	80
PID 4356 wrote to memory of 5068	4356	cmd.exe	80
PID 4356 wrote to memory of 5068	4356	cmd.exe	80
PID 4356 wrote to memory of 32	4356	cmd.exe	81
PID 4356 wrote to memory of 32	4356	cmd.exe	81
PID 4356 wrote to memory of 32	4356	cmd.exe	81
PID 32 wrote to memory of 3888	32	svshost.exe.exe	82
PID 32 wrote to memory of 3888	32	svshost.exe.exe	82
PID 32 wrote to memory of 3888	32	svshost.exe.exe	82
PID 32 wrote to memory of 3888	32	svshost.exe.exe	82
PID 32 wrote to memory of 3888	32	svshost.exe.exe	82
PID 32 wrote to memory of 3888	32	svshost.exe.exe	82
PID 32 wrote to memory of 3888	32	svshost.exe.exe	82
PID 32 wrote to memory of 3888	32	svshost.exe.exe	82
PID 32 wrote to memory of 3888	32	svshost.exe.exe	82
PID 32 wrote to memory of 3680	32	svshost.exe.exe	83
PID 32 wrote to memory of 3680	32	svshost.exe.exe	83
PID 32 wrote to memory of 3680	32	svshost.exe.exe	83
PID 32 wrote to memory of 3680	32	svshost.exe.exe	83
PID 32 wrote to memory of 3680	32	svshost.exe.exe	83
PID 32 wrote to memory of 3680	32	svshost.exe.exe	83
PID 32 wrote to memory of 3680	32	svshost.exe.exe	83
PID 32 wrote to memory of 3680	32	svshost.exe.exe	83
PID 32 wrote to memory of 3680	32	svshost.exe.exe	83

C:\Users\Admin\AppData\Local\Temp\306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe
"C:\Users\Admin\AppData\Local\Temp\306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 10 > nul && REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "scshost" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svshost.exe.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 10
    3⤵
    - Runs ping.exe
    PID:4148
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "scshost" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svshost.exe.exe"
    3⤵
    - Adds Run key to start application
    PID:3084
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c ping 127.0.0.1 -n 14 > nul && copy "C:\Users\Admin\AppData\Local\Temp\306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svshost.exe.exe" && ping 127.0.0.1 -n 14 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svshost.exe.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4356
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 14
    3⤵
    - Runs ping.exe
    PID:3112
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 14
    3⤵
    - Runs ping.exe
    PID:5068
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svshost.exe.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svshost.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:32
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svshost.exe.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svshost.exe.exe"
      4⤵
      Executes dropped EXE
      PID:3888
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svshost.exe.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svshost.exe.exe"
      4⤵
      Executes dropped EXE
      PID:3680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svshost.exe.exe

Filesize
667KB

MD5
e953d58e12762f7283bf62ad9f214dbb

SHA1
e2915c5f414312a3fdc7e5f353de3d3d15cd6a22

SHA256
306cc027d7a227d3fcf353f47eea9292c400dfae4063cfdb5b85a37c5978d79c

SHA512
993f5859da479952cb66fd2f286d3843092a1a7393a66b97ff174178d303d864ba8e10c459a2e68f8b28b0eb9f4ecefc90ac25e251febff21f033ec8aaab8004

Download Submit
memory/32-18-0x0000000009DA0000-0x0000000009DA6000-memory.dmp

Filesize
24KB

Download
memory/32-17-0x0000000007740000-0x000000000775A000-memory.dmp

Filesize
104KB

Download
memory/32-16-0x0000000000EB0000-0x0000000000F5E000-memory.dmp

Filesize
696KB

Download
memory/3680-23-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/3680-20-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4440-3-0x0000000005320000-0x000000000581E000-memory.dmp

Filesize
5.0MB

Download
memory/4440-7-0x0000000006020000-0x000000000602A000-memory.dmp

Filesize
40KB

Download
memory/4440-8-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/4440-10-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/4440-6-0x0000000006140000-0x0000000006184000-memory.dmp

Filesize
272KB

Download
memory/4440-5-0x0000000073F80000-0x000000007466E000-memory.dmp

Filesize
6.9MB

Download
memory/4440-0-0x0000000073F8E000-0x0000000073F8F000-memory.dmp

Filesize
4KB

Download
memory/4440-4-0x0000000004EC0000-0x0000000004F52000-memory.dmp

Filesize
584KB

Download
memory/4440-2-0x0000000004D80000-0x0000000004E1C000-memory.dmp

Filesize
624KB

Download
memory/4440-1-0x0000000000B90000-0x0000000000C3E000-memory.dmp

Filesize
696KB

Download