systembc | 4808197da288d4774ff43b0ef6603c7fd03eaa5f15018fd6e919f13e1b4445ec

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 13:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dsfpk.exe
Size

1019KB
MD5

a2db8a666e3c03f04aafd86aa68a0ed1
SHA1

03c31e7c1e3156fdced6cf7345a21c06db1836dc
SHA256

9a3d939bbe9de696c16e62809944be0258ca11c2117381fdc0b5fa1986606191
SHA512

5ffff2f496d2a581d58e87b3a22b076d6ec0b8389f6cacc737c1cd9386ce33cbd873284226d665f4856aa08d5dfde322c3f4bf18254d47ba8b0cbb1e0165c2bf
SSDEEP

24576:6vCnHLe19bQ8JbpTFd0vcLSG7FuEw2C2:6vUrWWalT7nSG

Score

10^/10

systembc discovery trojan

Malware Config

Extracted

Family

systembc

wodresomdaymomentum.org

Attributes

dns
5.132.191.104

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 3736 created 3524	3736	Dsfpk.exe	56
PID 4112 created 3524	4112	qikfx.exe	56
PID 3792 created 3524	3792	qikfx.exe	56

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dnsserv.vbs	Dsfpk.exe

Executes dropped EXE 4 IoCs

pid	Process
4112	qikfx.exe
4960	qikfx.exe
3792	qikfx.exe
2324	qikfx.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3736 set thread context of 1216	3736	Dsfpk.exe	97
PID 4112 set thread context of 4960	4112	qikfx.exe	102
PID 3792 set thread context of 2324	3792	qikfx.exe	104

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Test Task17.job	Dsfpk.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dsfpk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qikfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qikfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qikfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qikfx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Dsfpk.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3736	Dsfpk.exe
4112	qikfx.exe
3792	qikfx.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3736	Dsfpk.exe
Token: SeDebugPrivilege	3736	Dsfpk.exe
Token: SeDebugPrivilege	4112	qikfx.exe
Token: SeDebugPrivilege	4112	qikfx.exe
Token: SeDebugPrivilege	3792	qikfx.exe
Token: SeDebugPrivilege	3792	qikfx.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3736 wrote to memory of 1216	3736	Dsfpk.exe	97
PID 3736 wrote to memory of 1216	3736	Dsfpk.exe	97
PID 3736 wrote to memory of 1216	3736	Dsfpk.exe	97
PID 3736 wrote to memory of 1216	3736	Dsfpk.exe	97
PID 3736 wrote to memory of 1216	3736	Dsfpk.exe	97
PID 3736 wrote to memory of 1216	3736	Dsfpk.exe	97
PID 3736 wrote to memory of 1216	3736	Dsfpk.exe	97
PID 3736 wrote to memory of 1216	3736	Dsfpk.exe	97
PID 4112 wrote to memory of 4960	4112	qikfx.exe	102
PID 4112 wrote to memory of 4960	4112	qikfx.exe	102
PID 4112 wrote to memory of 4960	4112	qikfx.exe	102
PID 4112 wrote to memory of 4960	4112	qikfx.exe	102
PID 4112 wrote to memory of 4960	4112	qikfx.exe	102
PID 4112 wrote to memory of 4960	4112	qikfx.exe	102
PID 4112 wrote to memory of 4960	4112	qikfx.exe	102
PID 4112 wrote to memory of 4960	4112	qikfx.exe	102
PID 3792 wrote to memory of 2324	3792	qikfx.exe	104
PID 3792 wrote to memory of 2324	3792	qikfx.exe	104
PID 3792 wrote to memory of 2324	3792	qikfx.exe	104
PID 3792 wrote to memory of 2324	3792	qikfx.exe	104
PID 3792 wrote to memory of 2324	3792	qikfx.exe	104
PID 3792 wrote to memory of 2324	3792	qikfx.exe	104
PID 3792 wrote to memory of 2324	3792	qikfx.exe	104
PID 3792 wrote to memory of 2324	3792	qikfx.exe	104

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3524
- C:\Users\Admin\AppData\Local\Temp\Dsfpk.exe
  "C:\Users\Admin\AppData\Local\Temp\Dsfpk.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3736
- C:\Users\Admin\AppData\Local\Temp\Dsfpk.exe
  "C:\Users\Admin\AppData\Local\Temp\Dsfpk.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1216
- C:\ProgramData\kkmrbsl\qikfx.exe
  "C:\ProgramData\kkmrbsl\qikfx.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4960
- C:\ProgramData\kkmrbsl\qikfx.exe
  "C:\ProgramData\kkmrbsl\qikfx.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2324

C:\ProgramData\kkmrbsl\qikfx.exe
C:\ProgramData\kkmrbsl\qikfx.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4112

C:\ProgramData\kkmrbsl\qikfx.exe
C:\ProgramData\kkmrbsl\qikfx.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kkmrbsl\qikfx.exe

Filesize
1019KB

MD5
a2db8a666e3c03f04aafd86aa68a0ed1

SHA1
03c31e7c1e3156fdced6cf7345a21c06db1836dc

SHA256
9a3d939bbe9de696c16e62809944be0258ca11c2117381fdc0b5fa1986606191

SHA512
5ffff2f496d2a581d58e87b3a22b076d6ec0b8389f6cacc737c1cd9386ce33cbd873284226d665f4856aa08d5dfde322c3f4bf18254d47ba8b0cbb1e0165c2bf

Download Submit
C:\Windows\Tasks\Test Task17.job

Filesize
238B

MD5
89569d508c250f9a19edbe2fe6d6cb35

SHA1
49f07066a6653e33332ad46844fcacb1a44576dd

SHA256
9edf30e169f91891ca47476e18d4a0ccb36c99503399e8ebcf51b94ce663c743

SHA512
ab8c49c5859bde35e7fad42eef816058123f9c379a462a6230fa44997e0cce4c2d0c1567272dac0259eb76fb8d0a0ea5ce47bbd1acba4056af9d8f8b33ebb7b7

Download Submit
memory/1216-1201-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/3736-0-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/3736-1-0x00000000001B0000-0x00000000002AE000-memory.dmp

Filesize
1016KB

Download
memory/3736-2-0x0000000004C50000-0x0000000004D36000-memory.dmp

Filesize
920KB

Download
memory/3736-16-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-66-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-64-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-62-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-61-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-58-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-56-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-55-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-52-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-48-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-46-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-44-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-42-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-40-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-38-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-37-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-34-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-32-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-30-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-28-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-26-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-24-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-22-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-18-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-14-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-12-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-10-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-8-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-6-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-50-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-4-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-20-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-3-0x0000000004C50000-0x0000000004D31000-memory.dmp

Filesize
900KB

Download
memory/3736-1180-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3736-1179-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3736-1181-0x0000000004DC0000-0x0000000004E18000-memory.dmp

Filesize
352KB

Download
memory/3736-1182-0x0000000004E50000-0x0000000004E9C000-memory.dmp

Filesize
304KB

Download
memory/3736-1183-0x000000007474E000-0x000000007474F000-memory.dmp

Filesize
4KB

Download
memory/3736-1184-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3736-1185-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3736-1186-0x0000000005800000-0x0000000005DA4000-memory.dmp

Filesize
5.6MB

Download
memory/3736-1187-0x0000000004F30000-0x0000000004F84000-memory.dmp

Filesize
336KB

Download
memory/3736-1193-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3736-1196-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/3736-1200-0x0000000074740000-0x0000000074EF0000-memory.dmp

Filesize
7.7MB

Download
memory/4112-1206-0x00000000740BE000-0x00000000740BF000-memory.dmp

Filesize
4KB

Download
memory/4112-2384-0x00000000740B0000-0x0000000074860000-memory.dmp

Filesize
7.7MB

Download
memory/4112-2383-0x00000000740B0000-0x0000000074860000-memory.dmp

Filesize
7.7MB

Download
memory/4112-2385-0x00000000740BE000-0x00000000740BF000-memory.dmp

Filesize
4KB

Download
memory/4112-2386-0x00000000740B0000-0x0000000074860000-memory.dmp

Filesize
7.7MB

Download
memory/4112-2391-0x00000000740B0000-0x0000000074860000-memory.dmp

Filesize
7.7MB

Download
memory/4112-2393-0x00000000740B0000-0x0000000074860000-memory.dmp

Filesize
7.7MB

Download
memory/4112-2400-0x00000000740B0000-0x0000000074860000-memory.dmp

Filesize
7.7MB

Download
memory/4960-2401-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download