systembc | b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15

General

Target

b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe
Size

452KB
MD5

a9749ee52eefb0fd48a66527095354bb
SHA1

78170bcc54e1f774528dea3118b50ffc46064fe0
SHA256

b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15
SHA512

9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25
SSDEEP

12288:Rib1rFTRH6serb/p93j6fGMWP1N72h8xp:IH659m+Mk1YW

Score

10^/10

systembc defense_evasion discovery trojan

Malware Config

Extracted

Family

systembc

C2

towerbingobongoboom.com

62.60.226.86

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Systembc family
systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	cubrodriver.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	kjkdn.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
25	2148	Gxtuum.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cubrodriver.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	cubrodriver.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	kjkdn.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	kjkdn.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe
Key value queried	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation	Gxtuum.exe

Executes dropped EXE 6 IoCs

pid	Process
2148	Gxtuum.exe
4396	cubrodriver.exe
1364	Gxtuum.exe
4260	Gxtuum.exe
1048	kjkdn.exe
4668	Gxtuum.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

defense_evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine	kjkdn.exe
Key opened	\REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine	cubrodriver.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4396	cubrodriver.exe
1048	kjkdn.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Gxtuum.job	b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe
File created	C:\Windows\Tasks\Test Task17.job	cubrodriver.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Gxtuum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cubrodriver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kjkdn.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4396	cubrodriver.exe
4396	cubrodriver.exe
1048	kjkdn.exe
1048	kjkdn.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1640 wrote to memory of 2148	1640	b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe	87
PID 1640 wrote to memory of 2148	1640	b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe	87
PID 1640 wrote to memory of 2148	1640	b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe	87
PID 2148 wrote to memory of 4396	2148	Gxtuum.exe	95
PID 2148 wrote to memory of 4396	2148	Gxtuum.exe	95
PID 2148 wrote to memory of 4396	2148	Gxtuum.exe	95

C:\Users\Admin\AppData\Local\Temp\b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe
"C:\Users\Admin\AppData\Local\Temp\b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
  "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
  2⤵
  - Downloads MZ/PE file
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe
    "C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4396

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:1364

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:4260

C:\ProgramData\mcrjdx\kjkdn.exe
C:\ProgramData\mcrjdx\kjkdn.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1048

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
1⤵
- Executes dropped EXE
PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

4

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

Filesize
452KB

MD5
a9749ee52eefb0fd48a66527095354bb

SHA1
78170bcc54e1f774528dea3118b50ffc46064fe0

SHA256
b1663d4497ddd27a59f090b72adcedddac51724a1c126f7d6469f8045d065e15

SHA512
9d21f0e1e376b89df717403a3939ed86ef61095bb9f0167ff15c01d3bbbee03d4dd01b3e2769ecd921e40e43bab3cbf0a6844ab6f296982227b0cb507b4b0e25

Download Submit
C:\Users\Admin\AppData\Roaming\10000840100\cubrodriver.exe

Filesize
1.7MB

MD5
190272ebd2e82a80b242b1bdd442b859

SHA1
fceb12a205c28c30b2049c55924a9872a1a3eb71

SHA256
c13d59dc2e8ee1cbdb8016de0fb3b374f827406fa5d2d1aa4a2820170816d131

SHA512
f3b30d8ea2dd2c451a042b4ed7a9e98d2bcfbb86a88bec2d672a3e1ae6ab3932daf8987eef872e6adb11144f92b9954ac6f6ce67e24a2bc391d7b34ebef876ae

Download Submit
C:\Windows\Tasks\Test Task17.job

Filesize
236B

MD5
71f464e5b740c4741ee2f47f89b3d421

SHA1
bd873a4c7b894727f04816dfe420c23dac4bbbde

SHA256
e8e69e5e44718e05cbbff8d9c6b56c68446974d66c6007f83258fa6d8ec16f1d

SHA512
068296a6e5df69f49f7778b57df187f7802c7e2a12fcd11363a0443532514ffefcb1111335b6b19bd6b35f335f70d303f3d755a726b28a8e0fde9c79be484b92

Download Submit
memory/1048-45-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1048-55-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1048-54-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1048-52-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1048-51-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1048-50-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1048-49-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/1048-48-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/4396-32-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/4396-35-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/4396-39-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/4396-40-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/4396-42-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/4396-37-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/4396-36-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/4396-38-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/4396-34-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/4396-33-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/4396-29-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download
memory/4396-27-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/4396-26-0x0000000077C24000-0x0000000077C26000-memory.dmp

Filesize
8KB

Download
memory/4396-25-0x0000000000400000-0x0000000000840000-memory.dmp

Filesize
4.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads