systembc | 05f41f450584e2f2a99ffe86ec699b2f1569b1080ffa801ca8b4adf3b6d1c832

Analysis

max time kernel
299s
max time network
304s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23-05-2024 22:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05f41f450584e2f2a99ffe86ec699b2f1569b1080ffa801ca8b4adf3b6d1c832.exe
Size

2.5MB
MD5

ca3b49582edf9cab4714a35647907f3e
SHA1

e9b265e85b333051d7014a7352747d09634a9fe6
SHA256

05f41f450584e2f2a99ffe86ec699b2f1569b1080ffa801ca8b4adf3b6d1c832
SHA512

83fd5d6bcf85df317a73d8fe89782fbe3541972bd5d187c749681e939024f22536c2ed1c41bfa37b46bd45b20c589e2b997923d8e8e49bb6fc68f58908e34fa9
SSDEEP

49152:aF5alGJpSQXYVCV/EVCLV2Hpaht/rFoeeA6ASh2jQMTREJcI:aF5alGhXJ5EVCsitzFoeeA6jYnPI

Score

10^/10

systembc trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
baxter1

Extracted

Credentials

Protocol: smtp
Host:
smtp.jcom.zaq.ne.jp
Port:
587
Username:
[email protected]
Password:
kana1204

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontiernet.net
Port:
587
Username:
[email protected]
Password:
cjlb3447

Extracted

Credentials

Protocol: smtp
Host:
smtp.ecogeotorino.it
Port:
587
Username:
[email protected]
Password:
laura2012

Extracted

Credentials

Protocol: smtp
Host:
smtp.ax.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
20090822t

Extracted

Credentials

Protocol: smtp
Host:
smtp.mediacat.ne.jp
Port:
587
Username:
[email protected]
Password:
tcs001080

Extracted

Credentials

Protocol: smtp
Host:
smtp.af.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
julie8823

Extracted

Credentials

Protocol: smtp
Host:
smtp.aw.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
yumiyumi

Extracted

Credentials

Protocol: smtp
Host:
smtp.kk.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
ym2r1007

Extracted

Credentials

Protocol: smtp
Host:
smtp.am.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
etsu2382

Extracted

Credentials

Protocol: smtp
Host:
smtp.farmaciaditullio.it
Port:
587
Username:
[email protected]
Password:
gromit

Extracted

Credentials

Protocol: smtp
Host:
smtp.am.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
you258ko

Extracted

Credentials

Protocol: smtp
Host:
smtp.ah.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
kaduna715

Extracted

Credentials

Protocol: smtp
Host:
smtp.ae.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
yuko0623

Extracted

Credentials

Protocol: smtp
Host:
smtp.az.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
hh5126

Extracted

Credentials

Protocol: smtp
Host:
smtp.an.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
mm6810

Extracted

Credentials

Protocol: smtp
Host:
mail.ai.ayu.ne.jp
Port:
587
Username:
[email protected]
Password:
8p9s4i4qq

Extracted

Credentials

Protocol: smtp
Host:
smtp.coqui.net
Port:
587
Username:
[email protected]
Password:
BAtSy2006

Extracted

Credentials

Protocol: smtp
Host:
smtp.hh.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
yakiniku

Extracted

Credentials

Protocol: smtp
Host:
smtp.ac.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
mackymax

Extracted

Credentials

Protocol: smtp
Host:
smtp.ac.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
miho0229

Extracted

Credentials

Protocol: smtp
Host:
mail.eastcom.ne.jp
Port:
587
Username:
[email protected]
Password:
3021RW112

Extracted

Credentials

Protocol: smtp
Host:
smtp.primehome.com
Port:
587
Username:
[email protected]
Password:
Bencmart41!

Extracted

Credentials

Protocol: smtp
Host:
smtp.ac.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
hf290809

Extracted

Credentials

Protocol: smtp
Host:
smtp.epix.net
Port:
587
Username:
[email protected]
Password:
Jafar14

Extracted

Credentials

Protocol: smtp
Host:
smtp.ak.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
356defhk

Extracted

Credentials

Protocol: smtp
Host:
smtp.cnpadvogados.com.br
Port:
587
Username:
[email protected]
Password:
CNPA2019

Extracted

Credentials

Protocol: smtp
Host:
smtp.ag.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
1qaz1qaz

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.com
Port:
587
Username:
[email protected]
Password:
chance1

Extracted

Credentials

Protocol: smtp
Host:
mw-002.cafe24.com
Port:
587
Username:
[email protected]
Password:
1terat0r

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontiernet.net
Port:
587
Username:
[email protected]
Password:
aleksandr

Extracted

Credentials

Protocol: smtp
Host:
smtp.ag.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
qzmp01

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
Tiger123$

Extracted

Credentials

Protocol: smtp
Host:
smtp.netzero.net
Port:
587
Username:
[email protected]
Password:
Jehovah1

Extracted

Credentials

Protocol: smtp
Host:
smtp.ab.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
msport10

Extracted

Credentials

Protocol: smtp
Host:
mail.limetreeview.co.uk
Port:
587
Username:
[email protected]
Password:
ludomar

Extracted

Credentials

Protocol: smtp
Host:
smtp.coqui.net
Port:
587
Username:
[email protected]
Password:
bATSY2006

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontiernet.net
Port:
587
Username:
[email protected]
Password:
Gypsi1$

Extracted

Credentials

Protocol: smtp
Host:
smtp.nifty.com
Port:
587
Username:
[email protected]
Password:
miya0116

Extracted

Credentials

Protocol: smtp
Host:
smtp.primehome.com
Port:
587
Username:
[email protected]
Password:
pambos99

Extracted

Family

systembc

cobusabobus.cam:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 7 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exesvchsot.execdgun.execdgun.exe

pid process

396 7z.exe
376 7z.exe
4044 7z.exe
2812 7z.exe
4240 svchsot.exe
4788 cdgun.exe
3476 cdgun.exe
Loads dropped DLL 4 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe

pid process

396 7z.exe
376 7z.exe
4044 7z.exe
2812 7z.exe
Drops file in Windows directory 2 IoCs

Processes:

svchsot.exe

description ioc process

File created C:\Windows\Tasks\cdgun.job svchsot.exe
File opened for modification C:\Windows\Tasks\cdgun.job svchsot.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

svchsot.exe

pid process

4240 svchsot.exe
4240 svchsot.exe

pid	process
396	7z.exe
376	7z.exe
4044	7z.exe
2812	7z.exe
4240	svchsot.exe
4788	cdgun.exe
3476	cdgun.exe

pid	process
396	7z.exe
376	7z.exe
4044	7z.exe
2812	7z.exe

description	ioc	process
File created	C:\Windows\Tasks\cdgun.job	svchsot.exe
File opened for modification	C:\Windows\Tasks\cdgun.job	svchsot.exe

pid	process
4240	svchsot.exe
4240	svchsot.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe

description	pid	process
Token: SeRestorePrivilege	396	7z.exe
Token: 35	396	7z.exe
Token: SeSecurityPrivilege	396	7z.exe
Token: SeSecurityPrivilege	396	7z.exe
Token: SeRestorePrivilege	376	7z.exe
Token: 35	376	7z.exe
Token: SeSecurityPrivilege	376	7z.exe
Token: SeSecurityPrivilege	376	7z.exe
Token: SeRestorePrivilege	4044	7z.exe
Token: 35	4044	7z.exe
Token: SeSecurityPrivilege	4044	7z.exe
Token: SeSecurityPrivilege	4044	7z.exe
Token: SeRestorePrivilege	2812	7z.exe
Token: 35	2812	7z.exe
Token: SeSecurityPrivilege	2812	7z.exe
Token: SeSecurityPrivilege	2812	7z.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

05f41f450584e2f2a99ffe86ec699b2f1569b1080ffa801ca8b4adf3b6d1c832.execmd.exe

description	pid	process	target process
PID 4892 wrote to memory of 3632	4892	05f41f450584e2f2a99ffe86ec699b2f1569b1080ffa801ca8b4adf3b6d1c832.exe	cmd.exe
PID 4892 wrote to memory of 3632	4892	05f41f450584e2f2a99ffe86ec699b2f1569b1080ffa801ca8b4adf3b6d1c832.exe	cmd.exe
PID 3632 wrote to memory of 652	3632	cmd.exe	mode.com
PID 3632 wrote to memory of 652	3632	cmd.exe	mode.com
PID 3632 wrote to memory of 396	3632	cmd.exe	7z.exe
PID 3632 wrote to memory of 396	3632	cmd.exe	7z.exe
PID 3632 wrote to memory of 376	3632	cmd.exe	7z.exe
PID 3632 wrote to memory of 376	3632	cmd.exe	7z.exe
PID 3632 wrote to memory of 4044	3632	cmd.exe	7z.exe
PID 3632 wrote to memory of 4044	3632	cmd.exe	7z.exe
PID 3632 wrote to memory of 2812	3632	cmd.exe	7z.exe
PID 3632 wrote to memory of 2812	3632	cmd.exe	7z.exe
PID 3632 wrote to memory of 4252	3632	cmd.exe	attrib.exe
PID 3632 wrote to memory of 4252	3632	cmd.exe	attrib.exe
PID 3632 wrote to memory of 4240	3632	cmd.exe	svchsot.exe
PID 3632 wrote to memory of 4240	3632	cmd.exe	svchsot.exe
PID 3632 wrote to memory of 4240	3632	cmd.exe	svchsot.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

4252 attrib.exe

pid	process
4252	attrib.exe

C:\Users\Admin\AppData\Local\Temp\05f41f450584e2f2a99ffe86ec699b2f1569b1080ffa801ca8b4adf3b6d1c832.exe
"C:\Users\Admin\AppData\Local\Temp\05f41f450584e2f2a99ffe86ec699b2f1569b1080ffa801ca8b4adf3b6d1c832.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3632
- - C:\Windows\system32\mode.com
    mode 65,10
    3⤵
    PID:652
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e file.zip -p11126109881796147432108526241 -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:396
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_3.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:376
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_2.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:4044
- - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
    7z.exe e extracted/file_1.zip -oextracted
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\system32\attrib.exe
    attrib +H "svchsot.exe"
    3⤵
    - Views/modifies file attributes
    PID:4252
- - C:\Users\Admin\AppData\Local\Temp\main\svchsot.exe
    "svchsot.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:4240

C:\ProgramData\iadj\cdgun.exe
C:\ProgramData\iadj\cdgun.exe start2
1⤵
- Executes dropped EXE
PID:4788

C:\ProgramData\iadj\cdgun.exe
C:\ProgramData\iadj\cdgun.exe start2
1⤵
- Executes dropped EXE
PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
98a4638d9c34816d7b9ceca56379ef36

SHA1
734338ab7319cd8c62683b3d94b623290851ffa4

SHA256
7b4ad59c5db9a9b287f0b678ce5d7bfa1e9e11492e08f4d3f9e3d134b920237e

SHA512
b781f51995363e8e715a5e38dee35f73932962ea070ed85ec070ee537e81bfc69a46c8ca36b15d490d4e6bc1db583cd10d944bf0f975959ad4549bd52ccdff93

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
8KB

MD5
87b235104d0b38a943c6344c93c95fce

SHA1
9ebc8c3025c90c655632cba4ae303e49c58d9565

SHA256
98ae32890e4bdd3bb33fa098c63f78638f6949984053d31d187f59dc331ceffd

SHA512
a249a562dcea901b6c030afa82712fc1652e20981bab3187f7ede21930c1f85570d2d2aa03e09fe17303ed52211db752e1119dd22f4671d684fd90451e57dc8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
8KB

MD5
0a0993feaf5f1f5a5784348a4e4093c3

SHA1
6079c00bdcab68054bb0b0e7ff7d0c1b5e8ed22e

SHA256
9dda9848257c29f5c463e46f712025fe61088e80162048b27c6dc840b97d0bbe

SHA512
496e1d474b5643981c570289ba9ede578a9e8c52ce0e476511e745b6bbd11c2ded86911738fa5a38d29a4d080213f2bb0b9a42b5c05c87e34c8d22120a6dc33e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_3.zip

Filesize
1.6MB

MD5
d73b913c2b884a2aa163394ea0d1bb6d

SHA1
144c5bc242b6de11f7caa22887412e54a2c44274

SHA256
c09eeee2d091c2dc32de745e858e538c2a9582479f11bb28702e71a03e86239c

SHA512
322edd1668985b5d3fb51ac35748131b57f8fde6e5094cf2feeef5ed718ae117bdf17dc6b7399025c7af9e3c914d80642fd653af9877e9dc0751d0f7596dd637

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\svchsot.exe

Filesize
16KB

MD5
4f01c3d7439dde153ff0110a26e2a71c

SHA1
40d7203ad4e1fd40e13a56e6f747ee480740873c

SHA256
cfb1fd0adf528fcf14647cf3fcd85fb7e4fddd2167b36f9e8b2424b62453df28

SHA512
513d09b80e1ac80813bc691e71cdf5348478157350e43b9daed27741b7f5a7a16b2ae4d88ee9951395747c7f2a93ff0c1f2c3753a9e3bad2e2607767a1e3d28e

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
1.6MB

MD5
cd52743b77ca507b74a172f952f72e72

SHA1
3d4f09ce7801320a5aec921d06bab5cb7b900ef6

SHA256
5141c540ebc7182c3fd04327710629b7c67aff6681233ed1c016760386b3e493

SHA512
64b3e42f767cd295bf0ee02d2d3189506c51cdf0cc88e31814ddb2895a9d1ff7aae88f0e284a7542d0a514a2dfd71b09e8e1506da964a27c5aa66d11ba994f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
465B

MD5
4333b6c9e2ac1168f592332fb3c26592

SHA1
e98a2bb4edebaa886dabef3181768c5ed7e6b794

SHA256
6a4faa98d6fe1d6a65ea2c162f96daa5974bcb3558ad9d98158d215ffe5de06c

SHA512
1456622035353c2dbe2f902883657cff3da5ea03ff30c460d0e0525cce2b5cc958d3a469c436ff0183f42fb0121ae8c17a3143f14affa62471957e4443e27351

Download Submit