systembc | 8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0

General

Target

8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0.exe
Size

233KB
MD5

cc16e6e7af14fcf5f4a001b85930dc8f
SHA1

580b5baff09663396fb27d52e43a58ef25ed43dd
SHA256

8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0
SHA512

c451ec2e3056086842b52e8105a04a67a50609d1e8a7c296e7171432ccc5572c62e69b1edb8d6e600ddb451240847ba4d8621452ea99e98036978cc3712274d9

Score

10^/10

systembc trojan upx

Malware Config

Extracted

Family

systembc

C2

dec15coma.com:4039

dec15coma.xyz:4039

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

foiu.exe

pid process

1832 foiu.exe

pid	process
1832	foiu.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\mfwgf\foiu.exe	upx
C:\ProgramData\mfwgf\foiu.exe	upx

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.ipify.org
7 ip4.seeip.org
8 ip4.seeip.org
5 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

flow	ioc
6	api.ipify.org
7	ip4.seeip.org
8	ip4.seeip.org
5	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0.exe

description	ioc	process
File created	C:\Windows\Tasks\foiu.job	8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0.exe
File opened for modification	C:\Windows\Tasks\foiu.job	8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0.exe

pid process

1356 8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0.exe

pid	process
1356	8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1796 wrote to memory of 1832	1796	taskeng.exe	foiu.exe
PID 1796 wrote to memory of 1832	1796	taskeng.exe	foiu.exe
PID 1796 wrote to memory of 1832	1796	taskeng.exe	foiu.exe
PID 1796 wrote to memory of 1832	1796	taskeng.exe	foiu.exe

C:\Users\Admin\AppData\Local\Temp\8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0.exe
"C:\Users\Admin\AppData\Local\Temp\8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1356

C:\Windows\system32\taskeng.exe
taskeng.exe {BA8D48AE-A88A-4CC0-9358-961CE05B99A8} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1796
- C:\ProgramData\mfwgf\foiu.exe
  C:\ProgramData\mfwgf\foiu.exe start
  2⤵
  - Executes dropped EXE
  PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mfwgf\foiu.exe

MD5
cc16e6e7af14fcf5f4a001b85930dc8f

SHA1
580b5baff09663396fb27d52e43a58ef25ed43dd

SHA256
8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0

SHA512
c451ec2e3056086842b52e8105a04a67a50609d1e8a7c296e7171432ccc5572c62e69b1edb8d6e600ddb451240847ba4d8621452ea99e98036978cc3712274d9

Download Submit
C:\ProgramData\mfwgf\foiu.exe

MD5
cc16e6e7af14fcf5f4a001b85930dc8f

SHA1
580b5baff09663396fb27d52e43a58ef25ed43dd

SHA256
8e6dd1a50d58aef4a86f76c340f6a36faee0ec4f97886978d43a870be5b508f0

SHA512
c451ec2e3056086842b52e8105a04a67a50609d1e8a7c296e7171432ccc5572c62e69b1edb8d6e600ddb451240847ba4d8621452ea99e98036978cc3712274d9

Download Submit
memory/1356-54-0x0000000005229000-0x000000000522F000-memory.dmp

Filesize
24KB

Download
memory/1356-55-0x0000000075D31000-0x0000000075D33000-memory.dmp

Filesize
8KB

Download
memory/1356-57-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/1356-56-0x0000000005229000-0x000000000522F000-memory.dmp

Filesize
24KB

Download
memory/1356-58-0x0000000000400000-0x0000000005163000-memory.dmp

Filesize
77.4MB

Download
memory/1832-61-0x00000000052F8000-0x00000000052FF000-memory.dmp

Filesize
28KB

Download
memory/1832-63-0x00000000052F8000-0x00000000052FF000-memory.dmp

Filesize
28KB

Download
memory/1832-64-0x0000000000400000-0x0000000005163000-memory.dmp

Filesize
77.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads