systembc | 353960d78bf700a0b4a0ea1d41df188f0cc0a3c5a178b73ac64aca01ee3fdb4d

Analysis

max time kernel
128s
max time network
153s
platform
windows10_x64
resource
win10v20210410
submitted
21-07-2021 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

parallax.exe.dll
Size

37KB
MD5

4a7bed74f3cf9646b8417195b5e6f4c6
SHA1

5fad487e6e1beb22f20abb653343a0dca8c73b1d
SHA256

353960d78bf700a0b4a0ea1d41df188f0cc0a3c5a178b73ac64aca01ee3fdb4d
SHA512

349a8c5723e0aaf25d743490deea913e5da439394d135e7a9691ffc5618d4bdc3220f06def639a4d611f94c77729471fa6b8c6eac600ba2495db95a95784d8e4

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

149.248.34.200:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Blocklisted process makes network request 58 IoCs

Processes:

rundll32.exe

flow	pid	process
15	2332	rundll32.exe
16	2332	rundll32.exe
18	2332	rundll32.exe
19	2332	rundll32.exe
20	2332	rundll32.exe
21	2332	rundll32.exe
22	2332	rundll32.exe
23	2332	rundll32.exe
24	2332	rundll32.exe
25	2332	rundll32.exe
26	2332	rundll32.exe
27	2332	rundll32.exe
28	2332	rundll32.exe
29	2332	rundll32.exe
30	2332	rundll32.exe
31	2332	rundll32.exe
33	2332	rundll32.exe
34	2332	rundll32.exe
35	2332	rundll32.exe
36	2332	rundll32.exe
37	2332	rundll32.exe
38	2332	rundll32.exe
39	2332	rundll32.exe
40	2332	rundll32.exe
41	2332	rundll32.exe
42	2332	rundll32.exe
43	2332	rundll32.exe
44	2332	rundll32.exe
45	2332	rundll32.exe
46	2332	rundll32.exe
47	2332	rundll32.exe
49	2332	rundll32.exe
50	2332	rundll32.exe
51	2332	rundll32.exe
52	2332	rundll32.exe
53	2332	rundll32.exe
54	2332	rundll32.exe
55	2332	rundll32.exe
56	2332	rundll32.exe
57	2332	rundll32.exe
58	2332	rundll32.exe
59	2332	rundll32.exe
60	2332	rundll32.exe
61	2332	rundll32.exe
62	2332	rundll32.exe
63	2332	rundll32.exe
64	2332	rundll32.exe
65	2332	rundll32.exe
66	2332	rundll32.exe
67	2332	rundll32.exe
68	2332	rundll32.exe
69	2332	rundll32.exe
70	2332	rundll32.exe
71	2332	rundll32.exe
72	2332	rundll32.exe
73	2332	rundll32.exe
74	2332	rundll32.exe
75	2332	rundll32.exe

Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 api.ipify.org
18 api.ipify.org
32 api.ipify.org
33 api.ipify.org
48 api.ipify.org
49 api.ipify.org
64 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

flow	ioc
17	api.ipify.org
18	api.ipify.org
32	api.ipify.org
33	api.ipify.org
48	api.ipify.org
49	api.ipify.org
64	api.ipify.org

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3968 wrote to memory of 2332	3968	rundll32.exe	rundll32.exe
PID 3968 wrote to memory of 2332	3968	rundll32.exe	rundll32.exe
PID 3968 wrote to memory of 2332	3968	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\parallax.exe.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3968

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\parallax.exe.dll,#1
2⤵
- Blocklisted process makes network request
PID:2332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2332-114-0x0000000000000000-mapping.dmp

Download
memory/2332-115-0x00000000031C0000-0x00000000031CA000-memory.dmp

Filesize
40KB

Download