systembc | 936004bbb9d3c4763c0e36cc887b21315ae6c2d55c366cb3b3390d480b827107

General

Target

feedlablest.exe
Size

1.6MB
MD5

f53198e8b444658cf7134f5ccb466a98
SHA1

0283e56ed7201eecfc7dad30cc6f3f30d677be66
SHA256

936004bbb9d3c4763c0e36cc887b21315ae6c2d55c366cb3b3390d480b827107
SHA512

ee40f63f7b75cc1b55d11c56c25086d2d66ae86a3f65326d5a75cf0f2fac94ebee622cd4844b4f6468b2bfd011ab80558f41e1b62d2a7864b0ce7f61d3bdcf09
SSDEEP

49152:R1aqCQ3KKia9icS8P80nPIIXQocVHmir6QmEGmNyRzs3X0W:R1aA37ia9iJ800QIXQocVHoEGVM

Score

10^/10

systembc defense_evasion discovery trojan

Malware Config

Extracted

Family

systembc

C2

towerbingobongoboom.com

62.60.226.86

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	feedlablest.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	prujkfc.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	feedlablest.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	feedlablest.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	prujkfc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	prujkfc.exe

Executes dropped EXE 1 IoCs

pid	Process
760	prujkfc.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Wine	feedlablest.exe
Key opened	\REGISTRY\USER\S-1-5-21-2287204051-441334380-1151193565-1000\Software\Wine	prujkfc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4944	feedlablest.exe
760	prujkfc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Test Task17.job	feedlablest.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	feedlablest.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	prujkfc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4944	feedlablest.exe
4944	feedlablest.exe
760	prujkfc.exe
760	prujkfc.exe

C:\Users\Admin\AppData\Local\Temp\feedlablest.exe
"C:\Users\Admin\AppData\Local\Temp\feedlablest.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4100,i,8425512666034524542,4476834323552806530,262144 --variations-seed-version --mojo-platform-channel-handle=3364 /prefetch:14
1⤵
PID:5108

C:\ProgramData\qkdwna\prujkfc.exe
C:\ProgramData\qkdwna\prujkfc.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=4108,i,8425512666034524542,4476834323552806530,262144 --variations-seed-version --mojo-platform-channel-handle=5004 /prefetch:14
1⤵
PID:5220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\qkdwna\prujkfc.exe

Filesize
1.6MB

MD5
f53198e8b444658cf7134f5ccb466a98

SHA1
0283e56ed7201eecfc7dad30cc6f3f30d677be66

SHA256
936004bbb9d3c4763c0e36cc887b21315ae6c2d55c366cb3b3390d480b827107

SHA512
ee40f63f7b75cc1b55d11c56c25086d2d66ae86a3f65326d5a75cf0f2fac94ebee622cd4844b4f6468b2bfd011ab80558f41e1b62d2a7864b0ce7f61d3bdcf09

Download Submit
C:\Windows\Tasks\Test Task17.job

Filesize
240B

MD5
d1ad714f83eb4c269a1dfa5028e5ee37

SHA1
22ba031bc9655e9f07501ce2f9a46c30a37b59c3

SHA256
4cb00efc5a379c0f6bc57c85825d7c803eb5c7731ba4c53a3be83e4427b5192c

SHA512
9a56a4334c5c1fb2186e70a947979248df550dc6266ba3cbe0d4cb6c8ec4916820b6d6123aedd6c45acc00708078f6c8da21b1d0ce3f5652d4bdf880757d7331

Download Submit
memory/760-19-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/760-14-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/760-36-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/760-35-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/760-34-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/760-10-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/760-33-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/760-12-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/760-21-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/760-25-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/760-15-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/760-16-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/760-17-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/760-32-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/760-31-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/760-30-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/760-29-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/760-28-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/760-23-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/4944-22-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/4944-24-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/4944-26-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/4944-27-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/4944-20-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/4944-13-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/4944-0-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/4944-3-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/4944-18-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/4944-1-0x00000000775D6000-0x00000000775D8000-memory.dmp

Filesize
8KB

Download
memory/4944-9-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/4944-2-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/4944-6-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads