Analysis
- max time kernel: 80s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 21-07-2021 12:57
Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: systembc.exe.dll
  - Resource: win7v20210408 (windows7_x64)
  - 0 signatures, 0 seconds
General
- Target: systembc.exe.dll
- Size: 37KB
- MD5: 8fa05b4bb735337625a1a0bc8c1e643c
- SHA1: 7628c5da3383690e548bbc24317c5d7bbb168def
- SHA256: 39e7c94d3d5e7b7b316d87d61daea6ac78f47ebeb6fce586322e6e645db5e5e3
- SHA512: e3aa1ca9086e4464f3876de3ddf2ee7b118470ec7c0e783e9e329b281316b16b63f858e646eb69ba97e3f9fffabe6a4f1c6ba20d5e10862c8bfc7fc2d876edb1
Malware Config
Extracted
- Family: systembc
- C2: 149.248.34.200:4001
Signatures
- Blocklisted process makes network request (29 IoCs)
  Processes:
  flow  pid   process
  14    2292  rundll32.exe
  15    2292  rundll32.exe
  17    2292  rundll32.exe
  18    2292  rundll32.exe
  19    2292  rundll32.exe
  20    2292  rundll32.exe
  21    2292  rundll32.exe
  22    2292  rundll32.exe
  23    2292  rundll32.exe
  24    2292  rundll32.exe
  25    2292  rundll32.exe
  26    2292  rundll32.exe
  27    2292  rundll32.exe
  28    2292  rundll32.exe
  29    2292  rundll32.exe
  30    2292  rundll32.exe
  31    2292  rundll32.exe
  32    2292  rundll32.exe
  33    2292  rundll32.exe
  34    2292  rundll32.exe
  35    2292  rundll32.exe
  36    2292  rundll32.exe
  37    2292  rundll32.exe
  38    2292  rundll32.exe
  39    2292  rundll32.exe
  40    2292  rundll32.exe
  41    2292  rundll32.exe
  42    2292  rundll32.exe
  43    2292  rundll32.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow  ioc
  16    api.ipify.org
  17    api.ipify.org
  32    api.ipify.org
- Uses Tor communications (1 TTP)
  Malware can proxy its traffic through Tor for more anonymity.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                    pid   process       target process
  PID 3424 wrote to memory of 2292  3424  rundll32.exe  rundll32.exe
  PID 3424 wrote to memory of 2292  3424  rundll32.exe  rundll32.exe
  PID 3424 wrote to memory of 2292  3424  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\systembc.exe.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\systembc.exe.dll,#1
    - Blocklisted process makes network request