systembc | 05f41f450584e2f2a99ffe86ec699b2f1569b1080ffa801ca8b4adf3b6d1c832

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
20-05-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05f41f450584e2f2a99ffe86ec699b2f1569b1080ffa801ca8b4adf3b6d1c832.exe
Size

2.5MB
MD5

ca3b49582edf9cab4714a35647907f3e
SHA1

e9b265e85b333051d7014a7352747d09634a9fe6
SHA256

05f41f450584e2f2a99ffe86ec699b2f1569b1080ffa801ca8b4adf3b6d1c832
SHA512

83fd5d6bcf85df317a73d8fe89782fbe3541972bd5d187c749681e939024f22536c2ed1c41bfa37b46bd45b20c589e2b997923d8e8e49bb6fc68f58908e34fa9
SSDEEP

49152:aF5alGJpSQXYVCV/EVCLV2Hpaht/rFoeeA6ASh2jQMTREJcI:aF5alGhXJ5EVCsitzFoeeA6jYnPI

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

cobusabobus.cam:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 7 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exesvchsot.exeshfdbxv.exeshfdbxv.exe

pid process

2764 7z.exe
2928 7z.exe
2724 7z.exe
2464 7z.exe
2460 svchsot.exe
2308 shfdbxv.exe
540 shfdbxv.exe
Loads dropped DLL 8 IoCs

Processes:

cmd.exe7z.exe7z.exe7z.exe7z.exe

pid process

2564 cmd.exe
2764 7z.exe
2564 cmd.exe
2928 7z.exe
2564 cmd.exe
2724 7z.exe
2564 cmd.exe
2464 7z.exe
Drops file in Windows directory 2 IoCs

Processes:

svchsot.exe

description ioc process

File created C:\Windows\Tasks\shfdbxv.job svchsot.exe
File opened for modification C:\Windows\Tasks\shfdbxv.job svchsot.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

svchsot.exe

pid process

2460 svchsot.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

svchsot.exe

pid process

2460 svchsot.exe

pid	process
2764	7z.exe
2928	7z.exe
2724	7z.exe
2464	7z.exe
2460	svchsot.exe
2308	shfdbxv.exe
540	shfdbxv.exe

pid	process
2564	cmd.exe
2764	7z.exe
2564	cmd.exe
2928	7z.exe
2564	cmd.exe
2724	7z.exe
2564	cmd.exe
2464	7z.exe

description	ioc	process
File created	C:\Windows\Tasks\shfdbxv.job	svchsot.exe
File opened for modification	C:\Windows\Tasks\shfdbxv.job	svchsot.exe

pid	process
2460	svchsot.exe

pid	process
2460	svchsot.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe

description	pid	process
Token: SeRestorePrivilege	2764	7z.exe
Token: 35	2764	7z.exe
Token: SeSecurityPrivilege	2764	7z.exe
Token: SeSecurityPrivilege	2764	7z.exe
Token: SeRestorePrivilege	2928	7z.exe
Token: 35	2928	7z.exe
Token: SeSecurityPrivilege	2928	7z.exe
Token: SeSecurityPrivilege	2928	7z.exe
Token: SeRestorePrivilege	2724	7z.exe
Token: 35	2724	7z.exe
Token: SeSecurityPrivilege	2724	7z.exe
Token: SeSecurityPrivilege	2724	7z.exe
Token: SeRestorePrivilege	2464	7z.exe
Token: 35	2464	7z.exe
Token: SeSecurityPrivilege	2464	7z.exe
Token: SeSecurityPrivilege	2464	7z.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

05f41f450584e2f2a99ffe86ec699b2f1569b1080ffa801ca8b4adf3b6d1c832.execmd.exetaskeng.exe

description	pid	process	target process
PID 2068 wrote to memory of 2564	2068	05f41f450584e2f2a99ffe86ec699b2f1569b1080ffa801ca8b4adf3b6d1c832.exe	cmd.exe
PID 2068 wrote to memory of 2564	2068	05f41f450584e2f2a99ffe86ec699b2f1569b1080ffa801ca8b4adf3b6d1c832.exe	cmd.exe
PID 2068 wrote to memory of 2564	2068	05f41f450584e2f2a99ffe86ec699b2f1569b1080ffa801ca8b4adf3b6d1c832.exe	cmd.exe
PID 2068 wrote to memory of 2564	2068	05f41f450584e2f2a99ffe86ec699b2f1569b1080ffa801ca8b4adf3b6d1c832.exe	cmd.exe
PID 2564 wrote to memory of 2652	2564	cmd.exe	mode.com
PID 2564 wrote to memory of 2652	2564	cmd.exe	mode.com
PID 2564 wrote to memory of 2652	2564	cmd.exe	mode.com
PID 2564 wrote to memory of 2764	2564	cmd.exe	7z.exe
PID 2564 wrote to memory of 2764	2564	cmd.exe	7z.exe
PID 2564 wrote to memory of 2764	2564	cmd.exe	7z.exe
PID 2564 wrote to memory of 2928	2564	cmd.exe	7z.exe
PID 2564 wrote to memory of 2928	2564	cmd.exe	7z.exe
PID 2564 wrote to memory of 2928	2564	cmd.exe	7z.exe
PID 2564 wrote to memory of 2724	2564	cmd.exe	7z.exe
PID 2564 wrote to memory of 2724	2564	cmd.exe	7z.exe
PID 2564 wrote to memory of 2724	2564	cmd.exe	7z.exe
PID 2564 wrote to memory of 2464	2564	cmd.exe	7z.exe
PID 2564 wrote to memory of 2464	2564	cmd.exe	7z.exe
PID 2564 wrote to memory of 2464	2564	cmd.exe	7z.exe
PID 2564 wrote to memory of 2436	2564	cmd.exe	attrib.exe
PID 2564 wrote to memory of 2436	2564	cmd.exe	attrib.exe
PID 2564 wrote to memory of 2436	2564	cmd.exe	attrib.exe
PID 2564 wrote to memory of 2460	2564	cmd.exe	svchsot.exe
PID 2564 wrote to memory of 2460	2564	cmd.exe	svchsot.exe
PID 2564 wrote to memory of 2460	2564	cmd.exe	svchsot.exe
PID 2564 wrote to memory of 2460	2564	cmd.exe	svchsot.exe
PID 1864 wrote to memory of 2308	1864	taskeng.exe	shfdbxv.exe
PID 1864 wrote to memory of 2308	1864	taskeng.exe	shfdbxv.exe
PID 1864 wrote to memory of 2308	1864	taskeng.exe	shfdbxv.exe
PID 1864 wrote to memory of 2308	1864	taskeng.exe	shfdbxv.exe
PID 1864 wrote to memory of 540	1864	taskeng.exe	shfdbxv.exe
PID 1864 wrote to memory of 540	1864	taskeng.exe	shfdbxv.exe
PID 1864 wrote to memory of 540	1864	taskeng.exe	shfdbxv.exe
PID 1864 wrote to memory of 540	1864	taskeng.exe	shfdbxv.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2436 attrib.exe

pid	process
2436	attrib.exe

C:\Users\Admin\AppData\Local\Temp\05f41f450584e2f2a99ffe86ec699b2f1569b1080ffa801ca8b4adf3b6d1c832.exe
"C:\Users\Admin\AppData\Local\Temp\05f41f450584e2f2a99ffe86ec699b2f1569b1080ffa801ca8b4adf3b6d1c832.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:2652
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p11126109881796147432108526241 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2464
- - C:\Windows\system32\attrib.exe
    attrib +H "svchsot.exe"
    3⤵
    - Views/modifies file attributes
    PID:2436
- - C:\Users\Admin\AppData\Local\Temp\main\svchsot.exe
    "svchsot.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    PID:2460

C:\Windows\system32\taskeng.exe
taskeng.exe {70768273-4805-428B-8A1E-F65F1E190298} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1864
- C:\ProgramData\aesiw\shfdbxv.exe
  C:\ProgramData\aesiw\shfdbxv.exe start2
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\ProgramData\aesiw\shfdbxv.exe
  C:\ProgramData\aesiw\shfdbxv.exe start2
  2⤵
  - Executes dropped EXE
  PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
98a4638d9c34816d7b9ceca56379ef36

SHA1
734338ab7319cd8c62683b3d94b623290851ffa4

SHA256
7b4ad59c5db9a9b287f0b678ce5d7bfa1e9e11492e08f4d3f9e3d134b920237e

SHA512
b781f51995363e8e715a5e38dee35f73932962ea070ed85ec070ee537e81bfc69a46c8ca36b15d490d4e6bc1db583cd10d944bf0f975959ad4549bd52ccdff93

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
8KB

MD5
87b235104d0b38a943c6344c93c95fce

SHA1
9ebc8c3025c90c655632cba4ae303e49c58d9565

SHA256
98ae32890e4bdd3bb33fa098c63f78638f6949984053d31d187f59dc331ceffd

SHA512
a249a562dcea901b6c030afa82712fc1652e20981bab3187f7ede21930c1f85570d2d2aa03e09fe17303ed52211db752e1119dd22f4671d684fd90451e57dc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
8KB

MD5
0a0993feaf5f1f5a5784348a4e4093c3

SHA1
6079c00bdcab68054bb0b0e7ff7d0c1b5e8ed22e

SHA256
9dda9848257c29f5c463e46f712025fe61088e80162048b27c6dc840b97d0bbe

SHA512
496e1d474b5643981c570289ba9ede578a9e8c52ce0e476511e745b6bbd11c2ded86911738fa5a38d29a4d080213f2bb0b9a42b5c05c87e34c8d22120a6dc33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
1.6MB

MD5
d73b913c2b884a2aa163394ea0d1bb6d

SHA1
144c5bc242b6de11f7caa22887412e54a2c44274

SHA256
c09eeee2d091c2dc32de745e858e538c2a9582479f11bb28702e71a03e86239c

SHA512
322edd1668985b5d3fb51ac35748131b57f8fde6e5094cf2feeef5ed718ae117bdf17dc6b7399025c7af9e3c914d80642fd653af9877e9dc0751d0f7596dd637

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.6MB

MD5
cd52743b77ca507b74a172f952f72e72

SHA1
3d4f09ce7801320a5aec921d06bab5cb7b900ef6

SHA256
5141c540ebc7182c3fd04327710629b7c67aff6681233ed1c016760386b3e493

SHA512
64b3e42f767cd295bf0ee02d2d3189506c51cdf0cc88e31814ddb2895a9d1ff7aae88f0e284a7542d0a514a2dfd71b09e8e1506da964a27c5aa66d11ba994f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
465B

MD5
4333b6c9e2ac1168f592332fb3c26592

SHA1
e98a2bb4edebaa886dabef3181768c5ed7e6b794

SHA256
6a4faa98d6fe1d6a65ea2c162f96daa5974bcb3558ad9d98158d215ffe5de06c

SHA512
1456622035353c2dbe2f902883657cff3da5ea03ff30c460d0e0525cce2b5cc958d3a469c436ff0183f42fb0121ae8c17a3143f14affa62471957e4443e27351

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\svchsot.exe

Filesize
16KB

MD5
4f01c3d7439dde153ff0110a26e2a71c

SHA1
40d7203ad4e1fd40e13a56e6f747ee480740873c

SHA256
cfb1fd0adf528fcf14647cf3fcd85fb7e4fddd2167b36f9e8b2424b62453df28

SHA512
513d09b80e1ac80813bc691e71cdf5348478157350e43b9daed27741b7f5a7a16b2ae4d88ee9951395747c7f2a93ff0c1f2c3753a9e3bad2e2607767a1e3d28e

Download Submit