systembc | bbf284e7e60430e7aa64fa92781ed283fd46883831720b959d8c786a42af7711

General

Target

bbf284e7e60430e7aa64fa92781ed283fd46883831720b959d8c786a42af7711.exe
Size

662KB
MD5

0dd1f6c2b9bf477115701a1340d8d9a2
SHA1

7b074f54130217609435efe3f45ba38d363dd381
SHA256

bbf284e7e60430e7aa64fa92781ed283fd46883831720b959d8c786a42af7711
SHA512

a3c8bcc7fe527eb2de6a6dd230bca9b4424653c6e251c1113bc27bd8c42cf79e1be1974e20c733e51be38f2c222ee1338257fd86209f2411f86e5f65213206e6
SSDEEP

12288:GubsNSOetfARQAPyGUu7zNubsNSOetfARQAPyGUfT+tkrvdv:GubsnafAPyjSzNubsnafAPyjZrvh

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

cobusabobus.cam:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 4 IoCs

Processes:

work.exepogflaw.exelpfoeii.exelpfoeii.exe

pid process

2148 work.exe
2576 pogflaw.exe
2500 lpfoeii.exe
1048 lpfoeii.exe
Loads dropped DLL 5 IoCs

Processes:

cmd.exework.exe

pid process

2228 cmd.exe
2148 work.exe
2148 work.exe
2148 work.exe
2148 work.exe
Drops file in Windows directory 2 IoCs

Processes:

pogflaw.exe

description ioc process

File created C:\Windows\Tasks\lpfoeii.job pogflaw.exe
File opened for modification C:\Windows\Tasks\lpfoeii.job pogflaw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

pogflaw.exe

pid process

2576 pogflaw.exe

pid	process
2148	work.exe
2576	pogflaw.exe
2500	lpfoeii.exe
1048	lpfoeii.exe

pid	process
2228	cmd.exe
2148	work.exe
2148	work.exe
2148	work.exe
2148	work.exe

description	ioc	process
File created	C:\Windows\Tasks\lpfoeii.job	pogflaw.exe
File opened for modification	C:\Windows\Tasks\lpfoeii.job	pogflaw.exe

pid	process
2576	pogflaw.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

bbf284e7e60430e7aa64fa92781ed283fd46883831720b959d8c786a42af7711.execmd.exework.exetaskeng.exe

description	pid	process	target process
PID 1300 wrote to memory of 2228	1300	bbf284e7e60430e7aa64fa92781ed283fd46883831720b959d8c786a42af7711.exe	cmd.exe
PID 1300 wrote to memory of 2228	1300	bbf284e7e60430e7aa64fa92781ed283fd46883831720b959d8c786a42af7711.exe	cmd.exe
PID 1300 wrote to memory of 2228	1300	bbf284e7e60430e7aa64fa92781ed283fd46883831720b959d8c786a42af7711.exe	cmd.exe
PID 1300 wrote to memory of 2228	1300	bbf284e7e60430e7aa64fa92781ed283fd46883831720b959d8c786a42af7711.exe	cmd.exe
PID 2228 wrote to memory of 2148	2228	cmd.exe	work.exe
PID 2228 wrote to memory of 2148	2228	cmd.exe	work.exe
PID 2228 wrote to memory of 2148	2228	cmd.exe	work.exe
PID 2228 wrote to memory of 2148	2228	cmd.exe	work.exe
PID 2148 wrote to memory of 2576	2148	work.exe	pogflaw.exe
PID 2148 wrote to memory of 2576	2148	work.exe	pogflaw.exe
PID 2148 wrote to memory of 2576	2148	work.exe	pogflaw.exe
PID 2148 wrote to memory of 2576	2148	work.exe	pogflaw.exe
PID 2152 wrote to memory of 2500	2152	taskeng.exe	lpfoeii.exe
PID 2152 wrote to memory of 2500	2152	taskeng.exe	lpfoeii.exe
PID 2152 wrote to memory of 2500	2152	taskeng.exe	lpfoeii.exe
PID 2152 wrote to memory of 2500	2152	taskeng.exe	lpfoeii.exe
PID 2152 wrote to memory of 1048	2152	taskeng.exe	lpfoeii.exe
PID 2152 wrote to memory of 1048	2152	taskeng.exe	lpfoeii.exe
PID 2152 wrote to memory of 1048	2152	taskeng.exe	lpfoeii.exe
PID 2152 wrote to memory of 1048	2152	taskeng.exe	lpfoeii.exe

C:\Users\Admin\AppData\Local\Temp\bbf284e7e60430e7aa64fa92781ed283fd46883831720b959d8c786a42af7711.exe
"C:\Users\Admin\AppData\Local\Temp\bbf284e7e60430e7aa64fa92781ed283fd46883831720b959d8c786a42af7711.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
    work.exe -priverdD
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\pogflaw.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\pogflaw.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:2576

C:\Windows\system32\taskeng.exe
taskeng.exe {EC6C8A70-DECD-4599-8800-7AA2B403710C} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2152
- C:\ProgramData\wwpr\lpfoeii.exe
  C:\ProgramData\wwpr\lpfoeii.exe start2
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\ProgramData\wwpr\lpfoeii.exe
  C:\ProgramData\wwpr\lpfoeii.exe start2
  2⤵
  - Executes dropped EXE
  PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
335KB

MD5
577cc10d77b4ee44f8613fc7df186048

SHA1
1d188a807f9a7c55f62ccd4820fe8b89fb8d9e8b

SHA256
e871608d80293f723b1f44f465054f8a6528c2b0354435b9360aeb849a29701c

SHA512
6183b03eaeb88e8ea1ef2ccedb65cbd04fc05c028ce8e2f9e0aed6636717e1e7c9994a8fb9cf4ebf36e277618db7f612a2af4557749b1f6ef6c2b115837618fa

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\pogflaw.exe

Filesize
16KB

MD5
4f01c3d7439dde153ff0110a26e2a71c

SHA1
40d7203ad4e1fd40e13a56e6f747ee480740873c

SHA256
cfb1fd0adf528fcf14647cf3fcd85fb7e4fddd2167b36f9e8b2424b62453df28

SHA512
513d09b80e1ac80813bc691e71cdf5348478157350e43b9daed27741b7f5a7a16b2ae4d88ee9951395747c7f2a93ff0c1f2c3753a9e3bad2e2607767a1e3d28e

Download Submit

Analysis

Sharing