systembc | dcb373f73cc5e29881b6c97f753da1db91becee01b5eade03b0fd217d10b4e7d

General

Target

SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe
Size

1.6MB
MD5

8c767708c9a9554c0afb504629e75ffd
SHA1

c65394806c0f77af880c7ff8a021bd4222ca3f11
SHA256

dcb373f73cc5e29881b6c97f753da1db91becee01b5eade03b0fd217d10b4e7d
SHA512

f9531159b45f92db319f351ebf4dadf9ba3c413e87da401a0af81d25a446084ed30dee670462292b989e1c9b0074a3c2ae76bb8a1d992e4407f72360303b4e16
SSDEEP

49152:R1aqCQ3KKia9icS8P80nPIIXQocVHmir6QmEGmNyRzs3Xn:R1aA37ia9iJ800QIXQocVHoEGV0

Score

10^/10

systembc defense_evasion discovery trojan

Malware Config

Extracted

Family

systembc

C2

towerbingobongoboom.com

62.60.226.86

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	afmu.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	afmu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	afmu.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe

Executes dropped EXE 1 IoCs

pid	Process
2808	afmu.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe
Key opened	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine	afmu.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3020	SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe
2808	afmu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Test Task17.job	SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afmu.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3020	SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe
2808	afmu.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2808	2732	taskeng.exe	31
PID 2732 wrote to memory of 2808	2732	taskeng.exe	31
PID 2732 wrote to memory of 2808	2732	taskeng.exe	31
PID 2732 wrote to memory of 2808	2732	taskeng.exe	31

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Windows\system32\taskeng.exe
taskeng.exe {67060C41-8D9D-42E1-8A5E-11F7351700E4} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2732
- C:\ProgramData\nenpjl\afmu.exe
  C:\ProgramData\nenpjl\afmu.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\nenpjl\afmu.exe

Filesize
1.6MB

MD5
8c767708c9a9554c0afb504629e75ffd

SHA1
c65394806c0f77af880c7ff8a021bd4222ca3f11

SHA256
dcb373f73cc5e29881b6c97f753da1db91becee01b5eade03b0fd217d10b4e7d

SHA512
f9531159b45f92db319f351ebf4dadf9ba3c413e87da401a0af81d25a446084ed30dee670462292b989e1c9b0074a3c2ae76bb8a1d992e4407f72360303b4e16

Download Submit
C:\Windows\Tasks\Test Task17.job

Filesize
216B

MD5
83e0683daf1c1325854d01136815b118

SHA1
0a5d3db62b1f12d8c9e29e8d3f77d50dd03e2fd3

SHA256
7a7a7f8587dfafddc99ac19cf2865ba7a64c63aac2aaeae528db769aa55e191a

SHA512
ff296d2039735803d29fa6a09473adc5e4b24d6936f36d5141312fb71e8f0ef1dc78aeb0cfc9c370e21d022be5fb4525a7447d27dba1f449d9a217097da1bafb

Download Submit
memory/2808-28-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2808-32-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2808-36-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2808-35-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2808-9-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2808-34-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2808-11-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2808-33-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2808-13-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2808-24-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2808-15-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2808-16-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2808-31-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2808-18-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2808-30-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2808-29-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2808-27-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2808-22-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2808-20-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/3020-21-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/3020-25-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/3020-23-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/3020-0-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/3020-19-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/3020-4-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/3020-17-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/3020-14-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/3020-1-0x0000000077700000-0x0000000077702000-memory.dmp

Filesize
8KB

Download
memory/3020-10-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/3020-2-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/3020-6-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads