systembc | e3cb8ecc9db3aba3be4aa8e721b5415ec26437fd4c2d0768af692f7cc39ec12a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.2MB
MD5

559321a213a4b595bf07b50e8c8dbb72
SHA1

06bc1922faa56c961b10170e04b9743cc326c521
SHA256

e3cb8ecc9db3aba3be4aa8e721b5415ec26437fd4c2d0768af692f7cc39ec12a
SHA512

76fb3cbf467b12c5852e2f6f230bd8de58c4ec96fbb1c1f813a9e6796abb5d394661098d02d70d7f7b61f1693ff3285fd6429c3f7182a4f066409f62d2bfd691
SSDEEP

24576:QViZKZpgKSpqLffqTlEVMjTUeasefzIwwZfImCQMFX023Eyp8uR:MZpgZqLqyKXlasuGImCjFXNC

Score

10^/10

systembc discovery trojan

Malware Config

Extracted

Family

systembc

wodresomdaymomentum.org

Attributes

dns
5.132.191.104

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 4232 created 3448	4232	file.exe	56
PID 2084 created 3448	2084	swdkg.exe	56
PID 1372 created 3448	1372	swdkg.exe	56

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc
Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
2084	swdkg.exe
4024	swdkg.exe
1372	swdkg.exe
264	swdkg.exe
1676	okqkq.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4232 set thread context of 4772	4232	file.exe	95
PID 2084 set thread context of 4024	2084	swdkg.exe	101
PID 1372 set thread context of 264	1372	swdkg.exe	103

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Test Task17.job	file.exe
File created	C:\Windows\Tasks\pjvkiovgsupkihvmews.job	swdkg.exe
File opened for modification	C:\Windows\Tasks\pjvkiovgsupkihvmews.job	swdkg.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	swdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	swdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	swdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	swdkg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	okqkq.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4232	file.exe
4232	file.exe
4232	file.exe
2084	swdkg.exe
2084	swdkg.exe
2084	swdkg.exe
1372	swdkg.exe
1372	swdkg.exe
1372	swdkg.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4232	file.exe
Token: SeDebugPrivilege	4232	file.exe
Token: SeDebugPrivilege	2084	swdkg.exe
Token: SeDebugPrivilege	2084	swdkg.exe
Token: SeDebugPrivilege	1372	swdkg.exe
Token: SeDebugPrivilege	1372	swdkg.exe
Token: SeDebugPrivilege	1676	okqkq.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 4772	4232	file.exe	95
PID 4232 wrote to memory of 4772	4232	file.exe	95
PID 4232 wrote to memory of 4772	4232	file.exe	95
PID 4232 wrote to memory of 4772	4232	file.exe	95
PID 4232 wrote to memory of 4772	4232	file.exe	95
PID 4232 wrote to memory of 4772	4232	file.exe	95
PID 4232 wrote to memory of 4772	4232	file.exe	95
PID 4232 wrote to memory of 4772	4232	file.exe	95
PID 2084 wrote to memory of 4024	2084	swdkg.exe	101
PID 2084 wrote to memory of 4024	2084	swdkg.exe	101
PID 2084 wrote to memory of 4024	2084	swdkg.exe	101
PID 2084 wrote to memory of 4024	2084	swdkg.exe	101
PID 2084 wrote to memory of 4024	2084	swdkg.exe	101
PID 2084 wrote to memory of 4024	2084	swdkg.exe	101
PID 2084 wrote to memory of 4024	2084	swdkg.exe	101
PID 2084 wrote to memory of 4024	2084	swdkg.exe	101
PID 1372 wrote to memory of 264	1372	swdkg.exe	103
PID 1372 wrote to memory of 264	1372	swdkg.exe	103
PID 1372 wrote to memory of 264	1372	swdkg.exe	103
PID 1372 wrote to memory of 264	1372	swdkg.exe	103
PID 1372 wrote to memory of 264	1372	swdkg.exe	103
PID 1372 wrote to memory of 264	1372	swdkg.exe	103
PID 1372 wrote to memory of 264	1372	swdkg.exe	103
PID 1372 wrote to memory of 264	1372	swdkg.exe	103

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3448
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4232
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4772
- C:\ProgramData\mrhie\swdkg.exe
  "C:\ProgramData\mrhie\swdkg.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4024
- C:\ProgramData\mrhie\swdkg.exe
  "C:\ProgramData\mrhie\swdkg.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:264

C:\ProgramData\mrhie\swdkg.exe
C:\ProgramData\mrhie\swdkg.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2084

C:\ProgramData\mrhie\swdkg.exe
C:\ProgramData\mrhie\swdkg.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\okqkq.exe
C:\Users\Admin\AppData\Local\Temp\okqkq.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mrhie\swdkg.exe

Filesize
1.2MB

MD5
559321a213a4b595bf07b50e8c8dbb72

SHA1
06bc1922faa56c961b10170e04b9743cc326c521

SHA256
e3cb8ecc9db3aba3be4aa8e721b5415ec26437fd4c2d0768af692f7cc39ec12a

SHA512
76fb3cbf467b12c5852e2f6f230bd8de58c4ec96fbb1c1f813a9e6796abb5d394661098d02d70d7f7b61f1693ff3285fd6429c3f7182a4f066409f62d2bfd691

Download Submit
C:\Users\Admin\AppData\Local\Temp\okqkq.exe

Filesize
1.2MB

MD5
c306310f6b7674b64e7c48e46d480509

SHA1
0e75e48e8e63f081ee79aaf3bc70004d40f00b08

SHA256
c477f22f36f0c7e272e694e0e630996f6bfdbf5ba93296dabe63581ab8ca96f6

SHA512
73a7035def27aa1fc7748e5f25d98c569534e7bb8c5d65731fcf2ae26e6a2101e635f26548f7b759fcc0bc5b5f32a0f9f0888e51e03f7287ed67feef625ff711

Download Submit
C:\Windows\Tasks\Test Task17.job

Filesize
234B

MD5
e4bba60752b61d4717e9f6c09430a295

SHA1
9d93500fd96a5f0cfdd11dd1f7bb7111abafb753

SHA256
3bb050855563d4b082e5644688ee6408a569860336da2832de107d671f782132

SHA512
3c5c5e7705f0bae35a74a5f3b28a9495bc92ff2d19d1cbda22d14d170db71a1c9fc31686e57b6ffb0b5d4f14ba984b71e0ee7aad8d0480da869942133e3fe034

Download Submit
memory/1676-4034-0x00000000005E0000-0x0000000000718000-memory.dmp

Filesize
1.2MB

Download
memory/1676-5360-0x00000000053F0000-0x0000000005446000-memory.dmp

Filesize
344KB

Download
memory/1676-5359-0x0000000005390000-0x00000000053E8000-memory.dmp

Filesize
352KB

Download
memory/1676-4036-0x0000000005130000-0x000000000522E000-memory.dmp

Filesize
1016KB

Download
memory/1676-4035-0x0000000005030000-0x000000000512E000-memory.dmp

Filesize
1016KB

Download
memory/2084-2692-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/2084-2678-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/2084-2679-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/2084-1355-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/2084-2693-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/2084-2686-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/2084-2681-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/2084-2680-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/4024-2695-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4232-16-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-1329-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/4232-58-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-56-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-54-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-52-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-50-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-48-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-46-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-44-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-42-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-40-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-38-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-35-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-30-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-29-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-22-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-62-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-14-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-12-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-9-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-7-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-36-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-32-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-26-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-25-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-10-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-60-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-1330-0x0000000005640000-0x0000000005698000-memory.dmp

Filesize
352KB

Download
memory/4232-1331-0x00000000057A0000-0x00000000057F6000-memory.dmp

Filesize
344KB

Download
memory/4232-1332-0x0000000005840000-0x000000000588C000-memory.dmp

Filesize
304KB

Download
memory/4232-1333-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/4232-1334-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/4232-1335-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/4232-1336-0x00000000058F0000-0x0000000005944000-memory.dmp

Filesize
336KB

Download
memory/4232-1340-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/4232-64-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-68-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-70-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-66-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-20-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-18-0x0000000005360000-0x0000000005459000-memory.dmp

Filesize
996KB

Download
memory/4232-6-0x0000000005550000-0x00000000055E2000-memory.dmp

Filesize
584KB

Download
memory/4232-5-0x0000000005A10000-0x0000000005FB4000-memory.dmp

Filesize
5.6MB

Download
memory/4232-4-0x0000000005360000-0x000000000545E000-memory.dmp

Filesize
1016KB

Download
memory/4232-3-0x00000000051F0000-0x00000000052EE000-memory.dmp

Filesize
1016KB

Download
memory/4232-2-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/4232-1-0x0000000000760000-0x0000000000898000-memory.dmp

Filesize
1.2MB

Download
memory/4232-0-0x00000000745DE000-0x00000000745DF000-memory.dmp

Filesize
4KB

Download
memory/4232-1349-0x0000000002E3F000-0x0000000002E40000-memory.dmp

Filesize
4KB

Download
memory/4232-1348-0x0000000002DD2000-0x0000000002DD3000-memory.dmp

Filesize
4KB

Download
memory/4232-1346-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/4232-1352-0x00000000745D0000-0x0000000074D80000-memory.dmp

Filesize
7.7MB

Download
memory/4772-1347-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download