systembc | 39e7c94d3d5e7b7b316d87d61daea6ac78f47ebeb6fce586322e6e645db5e5e3

Analysis

max time kernel
80s
max time network
112s
platform
windows10_x64
resource
win10v20210410
submitted
21-07-2021 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

systembc.exe.dll
Size

37KB
MD5

8fa05b4bb735337625a1a0bc8c1e643c
SHA1

7628c5da3383690e548bbc24317c5d7bbb168def
SHA256

39e7c94d3d5e7b7b316d87d61daea6ac78f47ebeb6fce586322e6e645db5e5e3
SHA512

e3aa1ca9086e4464f3876de3ddf2ee7b118470ec7c0e783e9e329b281316b16b63f858e646eb69ba97e3f9fffabe6a4f1c6ba20d5e10862c8bfc7fc2d876edb1

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

149.248.34.200:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Blocklisted process makes network request 29 IoCs

Processes:

rundll32.exe

flow	pid	process
14	2292	rundll32.exe
15	2292	rundll32.exe
17	2292	rundll32.exe
18	2292	rundll32.exe
19	2292	rundll32.exe
20	2292	rundll32.exe
21	2292	rundll32.exe
22	2292	rundll32.exe
23	2292	rundll32.exe
24	2292	rundll32.exe
25	2292	rundll32.exe
26	2292	rundll32.exe
27	2292	rundll32.exe
28	2292	rundll32.exe
29	2292	rundll32.exe
30	2292	rundll32.exe
31	2292	rundll32.exe
32	2292	rundll32.exe
33	2292	rundll32.exe
34	2292	rundll32.exe
35	2292	rundll32.exe
36	2292	rundll32.exe
37	2292	rundll32.exe
38	2292	rundll32.exe
39	2292	rundll32.exe
40	2292	rundll32.exe
41	2292	rundll32.exe
42	2292	rundll32.exe
43	2292	rundll32.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 api.ipify.org
17 api.ipify.org
32 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

flow	ioc
16	api.ipify.org
17	api.ipify.org
32	api.ipify.org

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 3424 wrote to memory of 2292	3424	rundll32.exe	rundll32.exe
PID 3424 wrote to memory of 2292	3424	rundll32.exe	rundll32.exe
PID 3424 wrote to memory of 2292	3424	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\systembc.exe.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\systembc.exe.dll,#1
2⤵
- Blocklisted process makes network request
PID:2292

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2292-114-0x0000000000000000-mapping.dmp

Download
memory/2292-116-0x0000000003370000-0x000000000337A000-memory.dmp

Filesize
40KB

Download