systembc | e3d0de327842dd2de91dea4ac6f9a710b1e97f57421200eae2415663651d60b9

General

Target

3e7fb15093287d6e06313027be35bf6d.exe
Size

328KB
MD5

3e7fb15093287d6e06313027be35bf6d
SHA1

4cb59e23f295f7d58f47aae7dccff55d17269765
SHA256

e3d0de327842dd2de91dea4ac6f9a710b1e97f57421200eae2415663651d60b9
SHA512

bd08fd6d1d594ebbb9c1f1977e0a36d646d9f9de79e2bd43d35530ced07a3998eef8013632870c44b60d68dafa3d8d6a9c540dfb31970be1896fd5105d9d4afe

Score

10^/10

systembc taurus discovery spyware stealer trojan upx

Malware Config

Extracted

Family

systembc

C2

dl-link.network:4153

dl-link.club:4153

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Taurus Stealer
Taurus is an infostealer first seen in June 2020.
trojan stealer taurus

Taurus Stealer Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3084-3-0x00000000001C0000-0x00000000001F6000-memory.dmp	family_taurus_stealer
behavioral2/memory/3084-4-0x0000000000400000-0x0000000000437000-memory.dmp	family_taurus_stealer

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

jggjkIhB.exejggjkIhB.exeuxwq.exeuxwq.exe

pid process

4064 jggjkIhB.exe
3552 jggjkIhB.exe
3124 uxwq.exe
2064 uxwq.exe

pid	process
4064	jggjkIhB.exe
3552	jggjkIhB.exe
3124	uxwq.exe
2064	uxwq.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jggjkIhB.exe	upx
C:\Users\Admin\AppData\Local\Temp\jggjkIhB.exe	upx
C:\Users\Admin\AppData\Local\Temp\jggjkIhB.exe	upx
C:\Windows\Temp\uxwq.exe	upx
C:\Windows\TEMP\uxwq.exe	upx
C:\Windows\Temp\uxwq.exe	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 5 IoCs

Processes:

jggjkIhB.exejggjkIhB.exeuxwq.exe

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	jggjkIhB.exe
File opened for modification	C:\Windows\Tasks\wow64.job	jggjkIhB.exe
File created	C:\Windows\Tasks\cnilnenpgwgvgpgvgof.job	jggjkIhB.exe
File created	C:\Windows\Tasks\wow64.job	uxwq.exe
File opened for modification	C:\Windows\Tasks\wow64.job	uxwq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3e7fb15093287d6e06313027be35bf6d.exe

description	pid	process	target process
PID 3084 wrote to memory of 4064	3084	3e7fb15093287d6e06313027be35bf6d.exe	jggjkIhB.exe
PID 3084 wrote to memory of 4064	3084	3e7fb15093287d6e06313027be35bf6d.exe	jggjkIhB.exe
PID 3084 wrote to memory of 4064	3084	3e7fb15093287d6e06313027be35bf6d.exe	jggjkIhB.exe

C:\Users\Admin\AppData\Local\Temp\3e7fb15093287d6e06313027be35bf6d.exe
"C:\Users\Admin\AppData\Local\Temp\3e7fb15093287d6e06313027be35bf6d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3084

C:\Users\Admin\AppData\Local\Temp\jggjkIhB.exe
"C:\Users\Admin\AppData\Local\Temp\jggjkIhB.exe"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4064

C:\Users\Admin\AppData\Local\Temp\jggjkIhB.exe
C:\Users\Admin\AppData\Local\Temp\jggjkIhB.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3552

C:\Windows\TEMP\uxwq.exe
C:\Windows\TEMP\uxwq.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3124

C:\Windows\TEMP\uxwq.exe
C:\Windows\TEMP\uxwq.exe start
1⤵
- Executes dropped EXE
PID:2064

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jggjkIhB.exe
MD5
8062878d5d1560c72c4043058d81261e

SHA1
5846e13d09a03fcd87a354d2ac309782bfe6cbcc

SHA256
4c04dce0d2aa3fbecd1951f680bff98c2c8c11af54103e6e0aa0bb358a5c0824

SHA512
ac48a9d5941ac0577cfb7746087a2d8753ff00b7287b12da66c1ad3b3b4a57b62c8f5f1a17f27bff7cc513a5b69fd7ae13ac16fbc9e9cc48e6c15e7aedfbaf74

Download Submit
C:\Users\Admin\AppData\Local\Temp\jggjkIhB.exe
MD5
8062878d5d1560c72c4043058d81261e

SHA1
5846e13d09a03fcd87a354d2ac309782bfe6cbcc

SHA256
4c04dce0d2aa3fbecd1951f680bff98c2c8c11af54103e6e0aa0bb358a5c0824

SHA512
ac48a9d5941ac0577cfb7746087a2d8753ff00b7287b12da66c1ad3b3b4a57b62c8f5f1a17f27bff7cc513a5b69fd7ae13ac16fbc9e9cc48e6c15e7aedfbaf74

Download Submit
C:\Users\Admin\AppData\Local\Temp\jggjkIhB.exe
MD5
8062878d5d1560c72c4043058d81261e

SHA1
5846e13d09a03fcd87a354d2ac309782bfe6cbcc

SHA256
4c04dce0d2aa3fbecd1951f680bff98c2c8c11af54103e6e0aa0bb358a5c0824

SHA512
ac48a9d5941ac0577cfb7746087a2d8753ff00b7287b12da66c1ad3b3b4a57b62c8f5f1a17f27bff7cc513a5b69fd7ae13ac16fbc9e9cc48e6c15e7aedfbaf74

Download Submit
C:\Windows\TEMP\uxwq.exe
MD5
8062878d5d1560c72c4043058d81261e

SHA1
5846e13d09a03fcd87a354d2ac309782bfe6cbcc

SHA256
4c04dce0d2aa3fbecd1951f680bff98c2c8c11af54103e6e0aa0bb358a5c0824

SHA512
ac48a9d5941ac0577cfb7746087a2d8753ff00b7287b12da66c1ad3b3b4a57b62c8f5f1a17f27bff7cc513a5b69fd7ae13ac16fbc9e9cc48e6c15e7aedfbaf74

Download Submit
C:\Windows\Tasks\wow64.job
MD5
9757a43721ee9e0cd64f0b59d863c3ea

SHA1
a34d28f6429cb437ec9b6664d9d7a2ae2d9f0fc4

SHA256
9751352b2b152ab3b4c81ff7c6cec7aff39e7f20289d0809c4df0aee213cf6ed

SHA512
aadcfc3a4b4d17974f21d3fb1e0c9673a62f467e0d73ddb37b795a736834252aa622bae5120edbc0a2891395f55e7e91f2c50782ad65c0034f2d08416701f820

Download Submit
C:\Windows\Temp\uxwq.exe
MD5
8062878d5d1560c72c4043058d81261e

SHA1
5846e13d09a03fcd87a354d2ac309782bfe6cbcc

SHA256
4c04dce0d2aa3fbecd1951f680bff98c2c8c11af54103e6e0aa0bb358a5c0824

SHA512
ac48a9d5941ac0577cfb7746087a2d8753ff00b7287b12da66c1ad3b3b4a57b62c8f5f1a17f27bff7cc513a5b69fd7ae13ac16fbc9e9cc48e6c15e7aedfbaf74

Download Submit
C:\Windows\Temp\uxwq.exe
MD5
8062878d5d1560c72c4043058d81261e

SHA1
5846e13d09a03fcd87a354d2ac309782bfe6cbcc

SHA256
4c04dce0d2aa3fbecd1951f680bff98c2c8c11af54103e6e0aa0bb358a5c0824

SHA512
ac48a9d5941ac0577cfb7746087a2d8753ff00b7287b12da66c1ad3b3b4a57b62c8f5f1a17f27bff7cc513a5b69fd7ae13ac16fbc9e9cc48e6c15e7aedfbaf74

Download Submit
memory/2064-21-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/3084-2-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/3084-4-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/3084-3-0x00000000001C0000-0x00000000001F6000-memory.dmp

Filesize
216KB

Download
memory/3124-17-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/3552-12-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/4064-5-0x0000000000000000-mapping.dmp

Download
memory/4064-9-0x0000000000030000-0x0000000000035000-memory.dmp

Filesize
20KB

Download
memory/4064-10-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4064-8-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads