systembc | a37cd6051edefa788e7cc5b863ef71f6c90c2def033c710f43840ee936f0bfaf

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 18:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

1.2MB
MD5

4c8ac513a1b3c3ff79bbe5c00e79fb1e
SHA1

193102b18ef58c2e0c07fe9c3e6c184b327bc10d
SHA256

a37cd6051edefa788e7cc5b863ef71f6c90c2def033c710f43840ee936f0bfaf
SHA512

8d5ce42d71d9e30d15b8c5ac9a7fb89f1966f944ab6a218734eeaf64d6a7cad9d3de50a916103beef4a1d93fc9ce95e6b65fb7442871fe44a8fabeaf2c458380
SSDEEP

24576:BwKDe573ai3r6ZamY44kRy7F7XZrAI/F466x7NkHJ3ZahOLHxkX1:5q53rr6HDBy7F7JrZu5MJpCwRkX

Score

10^/10

systembc discovery trojan

Malware Config

Extracted

Family

systembc

wodresomdaymomentum.org

Attributes

dns
5.132.191.104

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 3172 created 3500	3172	file.exe	56
PID 3976 created 3500	3976	gdbb.exe	56
PID 1460 created 3500	1460	gdbb.exe	56

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windsc.vbs	file.exe

Executes dropped EXE 4 IoCs

pid	Process
3976	gdbb.exe
3188	gdbb.exe
1460	gdbb.exe
4436	gdbb.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3172 set thread context of 4276	3172	file.exe	89
PID 3976 set thread context of 3188	3976	gdbb.exe	93
PID 1460 set thread context of 4436	1460	gdbb.exe	95

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Test Task17.job	file.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gdbb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gdbb.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
3172	file.exe
3172	file.exe
3172	file.exe
3976	gdbb.exe
3976	gdbb.exe
3976	gdbb.exe
1460	gdbb.exe
1460	gdbb.exe
1460	gdbb.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	3172	file.exe
Token: SeDebugPrivilege	3172	file.exe
Token: SeDebugPrivilege	3976	gdbb.exe
Token: SeDebugPrivilege	3976	gdbb.exe
Token: SeDebugPrivilege	1460	gdbb.exe
Token: SeDebugPrivilege	1460	gdbb.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3172 wrote to memory of 4276	3172	file.exe	89
PID 3172 wrote to memory of 4276	3172	file.exe	89
PID 3172 wrote to memory of 4276	3172	file.exe	89
PID 3172 wrote to memory of 4276	3172	file.exe	89
PID 3172 wrote to memory of 4276	3172	file.exe	89
PID 3172 wrote to memory of 4276	3172	file.exe	89
PID 3172 wrote to memory of 4276	3172	file.exe	89
PID 3172 wrote to memory of 4276	3172	file.exe	89
PID 3976 wrote to memory of 3188	3976	gdbb.exe	93
PID 3976 wrote to memory of 3188	3976	gdbb.exe	93
PID 3976 wrote to memory of 3188	3976	gdbb.exe	93
PID 3976 wrote to memory of 3188	3976	gdbb.exe	93
PID 3976 wrote to memory of 3188	3976	gdbb.exe	93
PID 3976 wrote to memory of 3188	3976	gdbb.exe	93
PID 3976 wrote to memory of 3188	3976	gdbb.exe	93
PID 3976 wrote to memory of 3188	3976	gdbb.exe	93
PID 1460 wrote to memory of 4436	1460	gdbb.exe	95
PID 1460 wrote to memory of 4436	1460	gdbb.exe	95
PID 1460 wrote to memory of 4436	1460	gdbb.exe	95
PID 1460 wrote to memory of 4436	1460	gdbb.exe	95
PID 1460 wrote to memory of 4436	1460	gdbb.exe	95
PID 1460 wrote to memory of 4436	1460	gdbb.exe	95
PID 1460 wrote to memory of 4436	1460	gdbb.exe	95
PID 1460 wrote to memory of 4436	1460	gdbb.exe	95

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3500
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3172
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:4276
- C:\ProgramData\lnrulhv\gdbb.exe
  "C:\ProgramData\lnrulhv\gdbb.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3188
- C:\ProgramData\lnrulhv\gdbb.exe
  "C:\ProgramData\lnrulhv\gdbb.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4436

C:\ProgramData\lnrulhv\gdbb.exe
C:\ProgramData\lnrulhv\gdbb.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976

C:\ProgramData\lnrulhv\gdbb.exe
C:\ProgramData\lnrulhv\gdbb.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\lnrulhv\gdbb.exe

Filesize
1.2MB

MD5
4c8ac513a1b3c3ff79bbe5c00e79fb1e

SHA1
193102b18ef58c2e0c07fe9c3e6c184b327bc10d

SHA256
a37cd6051edefa788e7cc5b863ef71f6c90c2def033c710f43840ee936f0bfaf

SHA512
8d5ce42d71d9e30d15b8c5ac9a7fb89f1966f944ab6a218734eeaf64d6a7cad9d3de50a916103beef4a1d93fc9ce95e6b65fb7442871fe44a8fabeaf2c458380

Download Submit
C:\Windows\Tasks\Test Task17.job

Filesize
236B

MD5
9ca1787c667a0c8a724b4ab94ca311ee

SHA1
6adab2194eb187b6e4da854940d9b430eb05627f

SHA256
8484b462eb4338f376b6d7530817de297533519087b9149903534a9ecb1210e9

SHA512
93394ffa6131e89b9175de21c3046ac5c27050e6479b582ce513b97248a797b85ebf25fb0dba3bb9860f9880f4464546a60f9237bdd2a8da778e9c8115857183

Download Submit
memory/3172-0-0x00000000752DE000-0x00000000752DF000-memory.dmp

Filesize
4KB

Download
memory/3172-1-0x0000000000740000-0x0000000000878000-memory.dmp

Filesize
1.2MB

Download
memory/3172-2-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3172-3-0x00000000052E0000-0x00000000053DE000-memory.dmp

Filesize
1016KB

Download
memory/3172-4-0x00000000053E0000-0x00000000054DE000-memory.dmp

Filesize
1016KB

Download
memory/3172-6-0x0000000005580000-0x0000000005612000-memory.dmp

Filesize
584KB

Download
memory/3172-5-0x0000000005A90000-0x0000000006034000-memory.dmp

Filesize
5.6MB

Download
memory/3172-18-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-64-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-70-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-68-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-66-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-62-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-60-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-58-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-56-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-54-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-52-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-48-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-46-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-44-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-42-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-40-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-38-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-36-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-32-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-30-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-28-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-26-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-24-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-20-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-16-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-14-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-12-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-50-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-10-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-8-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-7-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-34-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-22-0x00000000053E0000-0x00000000054D9000-memory.dmp

Filesize
996KB

Download
memory/3172-1329-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3172-1330-0x0000000005620000-0x0000000005678000-memory.dmp

Filesize
352KB

Download
memory/3172-1331-0x0000000005780000-0x00000000057D6000-memory.dmp

Filesize
344KB

Download
memory/3172-1332-0x0000000005810000-0x000000000585C000-memory.dmp

Filesize
304KB

Download
memory/3172-1333-0x00000000752DE000-0x00000000752DF000-memory.dmp

Filesize
4KB

Download
memory/3172-1334-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3172-1335-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3172-1336-0x0000000005680000-0x00000000056D4000-memory.dmp

Filesize
336KB

Download
memory/3172-1342-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3172-1350-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3172-1349-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3172-1344-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3188-2697-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3976-1356-0x00000000752DE000-0x00000000752DF000-memory.dmp

Filesize
4KB

Download
memory/3976-1357-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3976-2680-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3976-2681-0x00000000752DE000-0x00000000752DF000-memory.dmp

Filesize
4KB

Download
memory/3976-2682-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3976-2683-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3976-2688-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3976-2700-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3976-2698-0x0000000002B6D000-0x0000000002B6E000-memory.dmp

Filesize
4KB

Download
memory/3976-2696-0x00000000752D0000-0x0000000075A80000-memory.dmp

Filesize
7.7MB

Download
memory/3976-2699-0x00000000029FF000-0x0000000002A00000-memory.dmp

Filesize
4KB

Download
memory/4276-1351-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download