systembc | 9c2b49dde271accdeb74a011a6091c6d7ed432326d24d424bc547eb57c343a6f

Analysis

max time kernel
145s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/03/2025, 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quarantine/soudneff.exe
Size

1.7MB
MD5

efac52cc9304919d4f9e49c56bdbd484
SHA1

68e90fd0a473ba822bb4f708d718afcbbd660850
SHA256

e903bd6ec4817fca7a718b770d6d6a509c7e522cbebb41bd26e48bfe009d0510
SHA512

9185437c21c56772d3dd7172269b3569380b518e78c8cb9dcf947968476d4d79beb2aeb31da66d3736a2a0f3be88d3caf86d9ba79c59608aaca196c409466ada
SSDEEP

49152:dWiPyNzLHax6WxKPQx1GyGe4/xU7VNT1xMJ1NxjnW8EtV:dhGW4OOCbhGQ

Score

10^/10

systembc defense_evasion discovery trojan

Malware Config

Extracted

Family

systembc

towerbingobongoboom.com

213.209.150.137

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	soudneff.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	dehms.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	soudneff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	soudneff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	dehms.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	dehms.exe

Executes dropped EXE 1 IoCs

pid	Process
2864	dehms.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	soudneff.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Wine	dehms.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1484	soudneff.exe
2864	dehms.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Test Task17.job	soudneff.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	soudneff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dehms.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1484	soudneff.exe
2864	dehms.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 2864	2868	taskeng.exe	32
PID 2868 wrote to memory of 2864	2868	taskeng.exe	32
PID 2868 wrote to memory of 2864	2868	taskeng.exe	32
PID 2868 wrote to memory of 2864	2868	taskeng.exe	32

C:\Users\Admin\AppData\Local\Temp\quarantine\soudneff.exe
"C:\Users\Admin\AppData\Local\Temp\quarantine\soudneff.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1484

C:\Windows\system32\taskeng.exe
taskeng.exe {9606F752-8187-4FF6-AB77-030002174F2E} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2868
- C:\ProgramData\ejqa\dehms.exe
  C:\ProgramData\ejqa\dehms.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ejqa\dehms.exe

Filesize
1.7MB

MD5
efac52cc9304919d4f9e49c56bdbd484

SHA1
68e90fd0a473ba822bb4f708d718afcbbd660850

SHA256
e903bd6ec4817fca7a718b770d6d6a509c7e522cbebb41bd26e48bfe009d0510

SHA512
9185437c21c56772d3dd7172269b3569380b518e78c8cb9dcf947968476d4d79beb2aeb31da66d3736a2a0f3be88d3caf86d9ba79c59608aaca196c409466ada

Download Submit
C:\Windows\Tasks\Test Task17.job

Filesize
214B

MD5
4887385ed6b14d359e6297c851044acc

SHA1
c0d431751afb63e8fb4beb428bd454003afcc77a

SHA256
5718e266f7a2450202a8967a179986d1288de84848755586f080cab002f38c0e

SHA512
0e25625535d1d4b7aff5a7c12cb4a60dabdb57133b4aa28dc25fed499ffa2e30c3709d3974839d570fe516158cf21a467802f5788479e4c83eb3e95187bc9f62

Download Submit
memory/1484-10-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/1484-11-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/1484-6-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/1484-7-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/1484-8-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/1484-9-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/1484-0-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/1484-4-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/1484-2-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/1484-26-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/1484-25-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/1484-1-0x0000000077CA0000-0x0000000077CA2000-memory.dmp

Filesize
8KB

Download
memory/1484-23-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/1484-18-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/2864-19-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/2864-28-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/2864-21-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/2864-22-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/2864-17-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/2864-24-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/2864-15-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/2864-14-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/2864-27-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/2864-20-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/2864-29-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/2864-30-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/2864-31-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/2864-32-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/2864-33-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/2864-34-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/2864-35-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download
memory/2864-36-0x0000000000400000-0x0000000000856000-memory.dmp

Filesize
4.3MB

Download