systembc | eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced

General

Target

eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe
Size

234KB
MD5

226ee1dec8ea871161b64020b2ee8663
SHA1

0866413ef90e37186ff269d1270e57c2b50f6b2f
SHA256

eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced
SHA512

c5d8eff81783afae5f6de0e8aeb0586ca7af086ee99c6fcff87867730cb36f6a4c067bc82a2c32e6a10fff1d24c93a57931270d2df4c33d317965499cb7f651d

Score

10^/10

systembc trojan upx

Malware Config

Extracted

Family

systembc

C2

dec15coma.com:4039

dec15coma.xyz:4039

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

dtwj.exe

pid process

3616 dtwj.exe

pid	process
3616	dtwj.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\vamavsq\dtwj.exe	upx
C:\ProgramData\vamavsq\dtwj.exe	upx

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 api.ipify.org
16 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

flow	ioc
15	api.ipify.org
16	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\dtwj.job	eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe
File created	C:\Windows\Tasks\dtwj.job	eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2652 2124 WerFault.exe eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe

pid	pid_target	process	target process
2652	2124	WerFault.exe	eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe

pid	process
2124	eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe
2124	eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe

C:\Users\Admin\AppData\Local\Temp\eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe
"C:\Users\Admin\AppData\Local\Temp\eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 952
2⤵
- Program crash
PID:2652

C:\ProgramData\vamavsq\dtwj.exe
C:\ProgramData\vamavsq\dtwj.exe start
1⤵
- Executes dropped EXE
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2124 -ip 2124
1⤵
PID:2956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\vamavsq\dtwj.exe
MD5
226ee1dec8ea871161b64020b2ee8663

SHA1
0866413ef90e37186ff269d1270e57c2b50f6b2f

SHA256
eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced

SHA512
c5d8eff81783afae5f6de0e8aeb0586ca7af086ee99c6fcff87867730cb36f6a4c067bc82a2c32e6a10fff1d24c93a57931270d2df4c33d317965499cb7f651d

Download Submit
C:\ProgramData\vamavsq\dtwj.exe
MD5
226ee1dec8ea871161b64020b2ee8663

SHA1
0866413ef90e37186ff269d1270e57c2b50f6b2f

SHA256
eeb70157878895f60fe11a8cb0f37907549cd44857592d7ee0a769a9eef9dced

SHA512
c5d8eff81783afae5f6de0e8aeb0586ca7af086ee99c6fcff87867730cb36f6a4c067bc82a2c32e6a10fff1d24c93a57931270d2df4c33d317965499cb7f651d

Download Submit
memory/2124-130-0x00000000051C2000-0x00000000051C9000-memory.dmp

Filesize
28KB

Download
memory/2124-131-0x00000000051C2000-0x00000000051C9000-memory.dmp

Filesize
28KB

Download
memory/2124-132-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2124-133-0x0000000000400000-0x0000000005163000-memory.dmp

Filesize
77.4MB

Download
memory/3616-136-0x00000000051CD000-0x00000000051D4000-memory.dmp

Filesize
28KB

Download
memory/3616-137-0x00000000051CD000-0x00000000051D4000-memory.dmp

Filesize
28KB

Download
memory/3616-138-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/3616-139-0x0000000000400000-0x0000000005163000-memory.dmp

Filesize
77.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads