systembc | a7c8390922ecfe4e4be4c9ffff567e91298a8bbf96dc96318305f45ec59f5221

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
05/03/2025, 14:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

coredrive.exe
Size

1.6MB
MD5

c6a399eb155322a8cbf1390c118553cb
SHA1

c59b0aa34638e8991358520e29625bb7fb4e3b6b
SHA256

a7c8390922ecfe4e4be4c9ffff567e91298a8bbf96dc96318305f45ec59f5221
SHA512

6437b6ea8990130f8e69b113f6ec8310e8831a80a2cf7ef1d8d16b323729a89c4a00a8900030e77f5671a7a40971e519731ec22519d98d7af29577dcb5dfe44e
SSDEEP

49152:R1aqCQ3KKia9icS8P80nPIIXQocVHmir6QmEGmNyRzs3X:R1aA37ia9iJ800QIXQocVHoEGV

Score

10^/10

systembc defense_evasion discovery trojan

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.ak.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
snoopy

Extracted

Credentials

Protocol: smtp
Host:
smtp.ag.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
qzmp01

Extracted

Credentials

Protocol: smtp
Host:
smtp.af.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
junjun26

Extracted

Credentials

Protocol: smtp
Host:
smtp.mediacat.ne.jp
Port:
587
Username:
[email protected]
Password:
380335

Extracted

Credentials

Protocol: smtp
Host:
smtp.ae.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
lavie1027

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
drake97

Extracted

Credentials

Protocol: smtp
Host:
mail.rk-malaysia.com
Port:
587
Username:
[email protected]
Password:
rkm@2019

Extracted

Credentials

Protocol: smtp
Host:
smtp.mediacat.ne.jp
Port:
587
Username:
[email protected]
Password:
mspooh3

Extracted

Credentials

Protocol: smtp
Host:
smtp.ae.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
oceano06

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
chewey01@

Extracted

Credentials

Protocol: smtp
Host:
mail.mcstokes.co.uk
Port:
587
Username:
[email protected]
Password:
Holiday1!

Extracted

Credentials

Protocol: smtp
Host:
smtp.ae.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
skgc4792

Extracted

Credentials

Protocol: smtp
Host:
smtp.ae.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
morimori

Extracted

Credentials

Protocol: smtp
Host:
smtp.frontier.com
Port:
587
Username:
[email protected]
Password:
Sammy1940

Extracted

Credentials

Protocol: smtp
Host:
smtp.ss.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
syunyou1217

Extracted

Credentials

Protocol: smtp
Host:
smtp.ca.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
snoopy

Extracted

Credentials

Protocol: smtp
Host:
smtp.aw.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
torajiro

Extracted

Credentials

Protocol: smtp
Host:
smtp.aw.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
knfymxed

Extracted

Credentials

Protocol: smtp
Host:
smtp.aw.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
sasaki

Extracted

Credentials

Protocol: smtp
Host:
smtp.aw.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
460831

Extracted

Credentials

Protocol: smtp
Host:
smtp.aw.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
132764

Extracted

Credentials

Protocol: smtp
Host:
smtp.an.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
tera1014

Extracted

Credentials

Protocol: smtp
Host:
smtp.an.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
sk1222

Extracted

Credentials

Protocol: smtp
Host:
smtp.cg.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
pripri227

Extracted

Credentials

Protocol: smtp
Host:
smtp.ll.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
nymi0531

Extracted

Credentials

Protocol: smtp
Host:
smtp.ll.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
team2000

Extracted

Credentials

Protocol: smtp
Host:
smtp.ll.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
nickfaldo

Extracted

Credentials

Protocol: smtp
Host:
smtp.ah.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
661224

Extracted

Credentials

Protocol: smtp
Host:
smtp.ah.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
shizu1216

Extracted

Credentials

Protocol: smtp
Host:
smtp.ah.em-net.ne.jp
Port:
587
Username:
[email protected]
Password:
morse0901

Extracted

Credentials

Protocol: smtp
Host:
smtp.ah.em-net.ne.jp
Port:
587
Username:
[email protected]

Extracted

Credentials

Protocol: smtp
Host:
mail.katch.ne.jp
Port:
587
Username:
[email protected]

Extracted

Family

systembc

towerbingobongoboom.com

62.60.226.86

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	igfg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	coredrive.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	coredrive.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	igfg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	igfg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	coredrive.exe

Executes dropped EXE 1 IoCs

pid	Process
2904	igfg.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine	coredrive.exe
Key opened	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Wine	igfg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1812	coredrive.exe
2904	igfg.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Test Task17.job	coredrive.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coredrive.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	igfg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1812	coredrive.exe
2904	igfg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2904	2796	taskeng.exe	32
PID 2796 wrote to memory of 2904	2796	taskeng.exe	32
PID 2796 wrote to memory of 2904	2796	taskeng.exe	32
PID 2796 wrote to memory of 2904	2796	taskeng.exe	32

C:\Users\Admin\AppData\Local\Temp\coredrive.exe
"C:\Users\Admin\AppData\Local\Temp\coredrive.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1812

C:\Windows\system32\taskeng.exe
taskeng.exe {731D188C-70B7-44CB-BD59-E8F19DD72745} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2796
- C:\ProgramData\kgedb\igfg.exe
  C:\ProgramData\kgedb\igfg.exe
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kgedb\igfg.exe

Filesize
1.6MB

MD5
c6a399eb155322a8cbf1390c118553cb

SHA1
c59b0aa34638e8991358520e29625bb7fb4e3b6b

SHA256
a7c8390922ecfe4e4be4c9ffff567e91298a8bbf96dc96318305f45ec59f5221

SHA512
6437b6ea8990130f8e69b113f6ec8310e8831a80a2cf7ef1d8d16b323729a89c4a00a8900030e77f5671a7a40971e519731ec22519d98d7af29577dcb5dfe44e

Download Submit
C:\Windows\Tasks\Test Task17.job

Filesize
214B

MD5
df9d2178e626c597a5cf0a51b5ce38b3

SHA1
b52431520491936688d4c48d4ed820fa2eaee5d1

SHA256
b17547bf57baed3d1c08cc5a84fccefd394affbdc912a74efc19ded10d66ec08

SHA512
f5e0a4ef6be0421413cfae340030f6754690b1adabdff6e6a57846aff93a24e39b98cd99e8284d9dc5ae9e8c601744cf7ffc2dd91748e4e1ca4d0c90093eed8f

Download Submit
memory/1812-6-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/1812-28-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/1812-20-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/1812-7-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/1812-8-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/1812-9-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/1812-2-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/1812-4-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/1812-26-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/1812-1-0x00000000774D0000-0x00000000774D2000-memory.dmp

Filesize
8KB

Download
memory/1812-24-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/1812-16-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/1812-22-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/1812-0-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2904-21-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2904-29-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2904-18-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2904-17-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2904-23-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2904-14-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2904-25-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2904-13-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2904-12-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2904-19-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2904-30-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2904-31-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2904-32-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2904-33-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2904-34-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2904-35-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2904-36-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2904-37-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2904-38-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2904-39-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download