systembc | dcb373f73cc5e29881b6c97f753da1db91becee01b5eade03b0fd217d10b4e7d

General

Target

SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe
Size

1.6MB
MD5

8c767708c9a9554c0afb504629e75ffd
SHA1

c65394806c0f77af880c7ff8a021bd4222ca3f11
SHA256

dcb373f73cc5e29881b6c97f753da1db91becee01b5eade03b0fd217d10b4e7d
SHA512

f9531159b45f92db319f351ebf4dadf9ba3c413e87da401a0af81d25a446084ed30dee670462292b989e1c9b0074a3c2ae76bb8a1d992e4407f72360303b4e16
SSDEEP

49152:R1aqCQ3KKia9icS8P80nPIIXQocVHmir6QmEGmNyRzs3Xn:R1aA37ia9iJ800QIXQocVHoEGV0

Score

10^/10

systembc defense_evasion discovery trojan

Malware Config

Extracted

Family

systembc

C2

towerbingobongoboom.com

62.60.226.86

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	kjiknxf.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	kjiknxf.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	kjiknxf.exe

Executes dropped EXE 1 IoCs

pid	Process
2116	kjiknxf.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine	SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe
Key opened	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine	kjiknxf.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
5024	SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe
2116	kjiknxf.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Test Task17.job	SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kjiknxf.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5024	SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe
5024	SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe
2116	kjiknxf.exe
2116	kjiknxf.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5024

C:\ProgramData\gededle\kjiknxf.exe
C:\ProgramData\gededle\kjiknxf.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\gededle\kjiknxf.exe

Filesize
1.6MB

MD5
8c767708c9a9554c0afb504629e75ffd

SHA1
c65394806c0f77af880c7ff8a021bd4222ca3f11

SHA256
dcb373f73cc5e29881b6c97f753da1db91becee01b5eade03b0fd217d10b4e7d

SHA512
f9531159b45f92db319f351ebf4dadf9ba3c413e87da401a0af81d25a446084ed30dee670462292b989e1c9b0074a3c2ae76bb8a1d992e4407f72360303b4e16

Download Submit
C:\Windows\Tasks\Test Task17.job

Filesize
242B

MD5
e1b2555ee154babda1db731898bf2113

SHA1
1fec0a1b93e07d9fa73b3dd5512c96c65aafdd27

SHA256
639a7f46e5b167bdc22050a74296fa3484423314bc9442d11fecfa10aea012dd

SHA512
3769e92ed3336c11df052d67da3ba186140e5217efd2d683759adb3bd066a160b099b7f8e26f362aa2dd42185db2c2aef704b3bedc8a168ef3fef328ca7c9d18

Download Submit
memory/2116-20-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2116-15-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2116-36-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2116-35-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2116-10-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2116-34-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2116-33-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2116-12-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2116-32-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2116-24-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2116-16-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2116-31-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2116-18-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2116-30-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2116-22-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2116-28-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2116-29-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/5024-13-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/5024-23-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/5024-25-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/5024-21-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/5024-27-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/5024-3-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/5024-19-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/5024-17-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/5024-0-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/5024-1-0x0000000077D44000-0x0000000077D46000-memory.dmp

Filesize
8KB

Download
memory/5024-9-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/5024-2-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/5024-6-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads