systembc | ecdcff5459c84b727f0e89ecf20e4173c13cf45da842a5a3f89eef97b469f6d8

General

Target

25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe
Size

148KB
MD5

a6bb96f7c9972db7d27a415742d57a88
SHA1

d8e3c322e66d714db5a947ea0804f112f7971734
SHA256

25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb
SHA512

e40fcf73f5ff1e86214d369dcd5ebc1735dba9ac5ea95a0b357fc8935061274858e9f6fd9dbf1dc9b2224424c4eebd6c79d81551ddbc78bb96371c0c903aa3ca

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

mxblogs19.xyz:4044

sdadvert20.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

bgcw.exe

pid process

1320 bgcw.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
6 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1320	bgcw.exe

flow	ioc
5	api.ipify.org
6	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe

description	ioc	process
File created	C:\Windows\Tasks\bgcw.job	25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe
File opened for modification	C:\Windows\Tasks\bgcw.job	25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe

pid process

320 25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe

pid	process
320	25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1484 wrote to memory of 1320	1484	taskeng.exe	bgcw.exe
PID 1484 wrote to memory of 1320	1484	taskeng.exe	bgcw.exe
PID 1484 wrote to memory of 1320	1484	taskeng.exe	bgcw.exe
PID 1484 wrote to memory of 1320	1484	taskeng.exe	bgcw.exe

C:\Users\Admin\AppData\Local\Temp\25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe
"C:\Users\Admin\AppData\Local\Temp\25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:320

C:\Windows\system32\taskeng.exe
taskeng.exe {A8D5BFAA-37B1-4E8D-A792-A33C0000BA57} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1484
- C:\ProgramData\jsmrk\bgcw.exe
  C:\ProgramData\jsmrk\bgcw.exe start
  2⤵
  - Executes dropped EXE
  PID:1320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jsmrk\bgcw.exe

MD5
a6bb96f7c9972db7d27a415742d57a88

SHA1
d8e3c322e66d714db5a947ea0804f112f7971734

SHA256
25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb

SHA512
e40fcf73f5ff1e86214d369dcd5ebc1735dba9ac5ea95a0b357fc8935061274858e9f6fd9dbf1dc9b2224424c4eebd6c79d81551ddbc78bb96371c0c903aa3ca

Download Submit
C:\ProgramData\jsmrk\bgcw.exe

MD5
a6bb96f7c9972db7d27a415742d57a88

SHA1
d8e3c322e66d714db5a947ea0804f112f7971734

SHA256
25e6923418ede3293afad2e318e302f1249323c56cbfed23c9586a7e7c1996fb

SHA512
e40fcf73f5ff1e86214d369dcd5ebc1735dba9ac5ea95a0b357fc8935061274858e9f6fd9dbf1dc9b2224424c4eebd6c79d81551ddbc78bb96371c0c903aa3ca

Download Submit
memory/320-55-0x000000000030A000-0x0000000000310000-memory.dmp

Filesize
24KB

Download
memory/320-56-0x0000000076A21000-0x0000000076A23000-memory.dmp

Filesize
8KB

Download
memory/320-57-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/320-58-0x0000000000400000-0x0000000003269000-memory.dmp

Filesize
46.4MB

Download
memory/1320-60-0x0000000000000000-mapping.dmp

Download
memory/1320-62-0x00000000033E9000-0x00000000033F0000-memory.dmp

Filesize
28KB

Download
memory/1320-64-0x0000000000400000-0x0000000003269000-memory.dmp

Filesize
46.4MB

Download

Analysis

Sharing