systembc | b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15

General

Target

b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe
Size

452KB
MD5

a9749ee52eefb0fd48a66527095354bb
SHA1

78170bcc54e1f774528dea3118b50ffc46064fe0
SHA256

b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15
SHA512

9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25
SSDEEP

12288:Rib1rFTRH6serb/p93j6fGMWP1N72h8xp:IH659m+Mk1YW

Score

10^/10

systembc defense_evasion discovery trojan

Malware Config

Extracted

Family

systembc

C2

towerbingobongoboom.com

62.60.226.86

Attributes

dns
5.132.191.104

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	axac.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	effectson.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
27	828	Gxtuum.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	effectson.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	effectson.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	axac.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	axac.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation	Gxtuum.exe

Executes dropped EXE 6 IoCs

pid	Process
828	Gxtuum.exe
2672	effectson.exe
980	axac.exe
1720	Gxtuum.exe
4804	Gxtuum.exe
3016	Gxtuum.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine	effectson.exe
Key opened	\REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Wine	axac.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2672	effectson.exe
980	axac.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Gxtuum.job	b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe
File created	C:\Windows\Tasks\Test Task17.job	effectson.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	effectson.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	axac.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2672	effectson.exe
2672	effectson.exe
980	axac.exe
980	axac.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4768	b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 828	4768	b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe	89
PID 4768 wrote to memory of 828	4768	b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe	89
PID 4768 wrote to memory of 828	4768	b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe	89
PID 828 wrote to memory of 2672	828	Gxtuum.exe	94
PID 828 wrote to memory of 2672	828	Gxtuum.exe	94
PID 828 wrote to memory of 2672	828	Gxtuum.exe	94

C:\Users\Admin\AppData\Local\Temp\b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe
"C:\Users\Admin\AppData\Local\Temp\b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
  "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
  2⤵
  - Downloads MZ/PE file
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Users\Admin\AppData\Roaming\10000790100\effectson.exe
    "C:\Users\Admin\AppData\Roaming\10000790100\effectson.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2672

C:\ProgramData\lxog\axac.exe
C:\ProgramData\lxog\axac.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:980

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:1720

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:4804

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

Filesize
452KB

MD5
a9749ee52eefb0fd48a66527095354bb

SHA1
78170bcc54e1f774528dea3118b50ffc46064fe0

SHA256
b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15

SHA512
9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25

Download Submit
C:\Users\Admin\AppData\Roaming\10000790100\effectson.exe

Filesize
1.7MB

MD5
3b4723591e7a82dc45cdd60b2162eee2

SHA1
9618f544c79dbae11634fc14bd472b3cb5eb046d

SHA256
1582d61232dff45c014769e9be4fb06f839ee3e462189dbbf28ca0380a6fa410

SHA512
1559f42a1dbdf1f78f971415f3252a1127ebd2f3490a374a13670fc366b54f50c58bac8234d30a43b3345fbecdf49f65b69500675887c81fa45bc06311917380

Download Submit
C:\Windows\Tasks\Test Task17.job

Filesize
230B

MD5
59b90faac9bd124f998ba57ff3e6c920

SHA1
48e87551cac427cdbd15a2fa5e9eb9dd7422d8be

SHA256
07b5f7e234eb45c19edfa8e43f9f1db52d71376585fbf3c733db5e75fb481f07

SHA512
f8a6baf7a54d7144534f690a5c6d588cce6ab289c0fbf0b704b390d479e84ae57e8dfa29070b28396e94290a25b8bf33a61867ca1a0ff057b962abb774e1325f

Download Submit
memory/980-47-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/980-49-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/980-56-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/980-54-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/980-34-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/980-53-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/980-52-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/980-38-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/980-51-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/980-40-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/980-50-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/980-42-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/980-44-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2672-43-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2672-45-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2672-25-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2672-29-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2672-41-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2672-39-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2672-37-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2672-26-0x00007FFED37D0000-0x00007FFED39C5000-memory.dmp

Filesize
2.0MB

Download
memory/2672-31-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/2672-30-0x00007FFED37D0000-0x00007FFED39C5000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads