systembc | d98d8488c405182e03c95b78692ca0bab65ade4838042aae4b3f0de662495ed3

General

Target

d98d8488c405182e03c95b78692ca0bab65ade4838042aae4b3f0de662495ed3.exe
Size

1.7MB
MD5

35be87c37074612e552d655637c59a0f
SHA1

d97b62245300b82004df138404e1863f7923de5c
SHA256

d98d8488c405182e03c95b78692ca0bab65ade4838042aae4b3f0de662495ed3
SHA512

7c5862ce057d1b38c3ea836f78585efb4c6c914aea1ac5e2ac757525d33f092a3e4f76c7ae7433df3d4995d3bbe6fe99728653123dbcf5bcb1f8d20badab34fa
SSDEEP

49152:82DaBnPGGeftb0jn+yMVR6n9rMZzpornZoV:8LBP9ef9xrR6n9Ezpoq

Score

10^/10

systembc defense_evasion discovery trojan

Malware Config

Extracted

Family

systembc

C2

wodresomdaymomentum.org

Attributes

dns
5.132.191.104

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	d98d8488c405182e03c95b78692ca0bab65ade4838042aae4b3f0de662495ed3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	knft.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	knft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	knft.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	d98d8488c405182e03c95b78692ca0bab65ade4838042aae4b3f0de662495ed3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	d98d8488c405182e03c95b78692ca0bab65ade4838042aae4b3f0de662495ed3.exe

Executes dropped EXE 1 IoCs

pid	Process
700	knft.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	d98d8488c405182e03c95b78692ca0bab65ade4838042aae4b3f0de662495ed3.exe
Key opened	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Wine	knft.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2172	d98d8488c405182e03c95b78692ca0bab65ade4838042aae4b3f0de662495ed3.exe
700	knft.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Test Task17.job	d98d8488c405182e03c95b78692ca0bab65ade4838042aae4b3f0de662495ed3.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d98d8488c405182e03c95b78692ca0bab65ade4838042aae4b3f0de662495ed3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	knft.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2172	d98d8488c405182e03c95b78692ca0bab65ade4838042aae4b3f0de662495ed3.exe
700	knft.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 568 wrote to memory of 700	568	taskeng.exe	30
PID 568 wrote to memory of 700	568	taskeng.exe	30
PID 568 wrote to memory of 700	568	taskeng.exe	30
PID 568 wrote to memory of 700	568	taskeng.exe	30

C:\Users\Admin\AppData\Local\Temp\d98d8488c405182e03c95b78692ca0bab65ade4838042aae4b3f0de662495ed3.exe
"C:\Users\Admin\AppData\Local\Temp\d98d8488c405182e03c95b78692ca0bab65ade4838042aae4b3f0de662495ed3.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2172

C:\Windows\system32\taskeng.exe
taskeng.exe {BDDAF30A-7483-4256-B65C-52316DC98628} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:568
- C:\ProgramData\kmita\knft.exe
  C:\ProgramData\kmita\knft.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kmita\knft.exe

Filesize
1.7MB

MD5
35be87c37074612e552d655637c59a0f

SHA1
d97b62245300b82004df138404e1863f7923de5c

SHA256
d98d8488c405182e03c95b78692ca0bab65ade4838042aae4b3f0de662495ed3

SHA512
7c5862ce057d1b38c3ea836f78585efb4c6c914aea1ac5e2ac757525d33f092a3e4f76c7ae7433df3d4995d3bbe6fe99728653123dbcf5bcb1f8d20badab34fa

Download Submit
C:\Windows\Tasks\Test Task17.job

Filesize
214B

MD5
4b5cefb2ee7aa0ea90bab1fc6076467e

SHA1
f1358bfa19a25a9dff2d32b71b4fed5f8088e698

SHA256
a3d8cf720306b71d1dcf660577edc97a86928eaf266ad7ce9123a48aeae24c41

SHA512
1fb60d180357bfa1600d99a50163a1a3fb6203961f926b994ea2a4fb42fdb2b323ab91313b547483d5962501c4551643e96634d8765ec6279dd71e71576a57b4

Download Submit
memory/700-24-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/700-28-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/700-33-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/700-32-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/700-31-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/700-30-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/700-29-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/700-16-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/700-27-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/700-26-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/700-15-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/700-21-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/700-18-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/700-25-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/700-23-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/700-22-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/2172-12-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/2172-8-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/2172-6-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/2172-0-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/2172-1-0x0000000077500000-0x0000000077502000-memory.dmp

Filesize
8KB

Download
memory/2172-2-0x0000000000401000-0x0000000000406000-memory.dmp

Filesize
20KB

Download
memory/2172-3-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/2172-11-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/2172-10-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/2172-9-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/2172-20-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/2172-7-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download
memory/2172-19-0x0000000000400000-0x0000000000870000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads