systembc | 776dea13d3659a794cea95d8df98ef04d467959bf77358dba1ec06fb80a24bc2

General

Target

776dea13d3659a794cea95d8df98ef04d467959bf77358dba1ec06fb80a24bc2.exe
Size

359KB
MD5

e7257f950392e2d066876e0f2c0f4edc
SHA1

85d70a406fec548e52086ea5da1c7d106be5c2c9
SHA256

776dea13d3659a794cea95d8df98ef04d467959bf77358dba1ec06fb80a24bc2
SHA512

885a33de76be19e876299a7e030e80ce734065d2bf46a0cea2900ea706197e6abf898ee24929e26040748a0fd1be53ae96d891b76051cce56f7bd34cb2e7690d

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

172.105.196.152:4114

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

acigpuq.exe

pid process

836 acigpuq.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
6 ip4.seeip.org
7 ip4.seeip.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
836	acigpuq.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org
6	ip4.seeip.org
7	ip4.seeip.org

Drops file in Windows directory 2 IoCs

Processes:

776dea13d3659a794cea95d8df98ef04d467959bf77358dba1ec06fb80a24bc2.exe

description	ioc	process
File created	C:\Windows\Tasks\acigpuq.job	776dea13d3659a794cea95d8df98ef04d467959bf77358dba1ec06fb80a24bc2.exe
File opened for modification	C:\Windows\Tasks\acigpuq.job	776dea13d3659a794cea95d8df98ef04d467959bf77358dba1ec06fb80a24bc2.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

776dea13d3659a794cea95d8df98ef04d467959bf77358dba1ec06fb80a24bc2.exe

pid process

1888 776dea13d3659a794cea95d8df98ef04d467959bf77358dba1ec06fb80a24bc2.exe

pid	process
1888	776dea13d3659a794cea95d8df98ef04d467959bf77358dba1ec06fb80a24bc2.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1792 wrote to memory of 836	1792	taskeng.exe	acigpuq.exe
PID 1792 wrote to memory of 836	1792	taskeng.exe	acigpuq.exe
PID 1792 wrote to memory of 836	1792	taskeng.exe	acigpuq.exe
PID 1792 wrote to memory of 836	1792	taskeng.exe	acigpuq.exe

C:\Users\Admin\AppData\Local\Temp\776dea13d3659a794cea95d8df98ef04d467959bf77358dba1ec06fb80a24bc2.exe
"C:\Users\Admin\AppData\Local\Temp\776dea13d3659a794cea95d8df98ef04d467959bf77358dba1ec06fb80a24bc2.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1888

C:\Windows\system32\taskeng.exe
taskeng.exe {40072479-D7B0-4B8B-A6A7-47DCD3BCF103} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1792
- C:\ProgramData\kekvrnd\acigpuq.exe
  C:\ProgramData\kekvrnd\acigpuq.exe start
  2⤵
  - Executes dropped EXE
  PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kekvrnd\acigpuq.exe

MD5
e7257f950392e2d066876e0f2c0f4edc

SHA1
85d70a406fec548e52086ea5da1c7d106be5c2c9

SHA256
776dea13d3659a794cea95d8df98ef04d467959bf77358dba1ec06fb80a24bc2

SHA512
885a33de76be19e876299a7e030e80ce734065d2bf46a0cea2900ea706197e6abf898ee24929e26040748a0fd1be53ae96d891b76051cce56f7bd34cb2e7690d

Download Submit
C:\ProgramData\kekvrnd\acigpuq.exe

MD5
e7257f950392e2d066876e0f2c0f4edc

SHA1
85d70a406fec548e52086ea5da1c7d106be5c2c9

SHA256
776dea13d3659a794cea95d8df98ef04d467959bf77358dba1ec06fb80a24bc2

SHA512
885a33de76be19e876299a7e030e80ce734065d2bf46a0cea2900ea706197e6abf898ee24929e26040748a0fd1be53ae96d891b76051cce56f7bd34cb2e7690d

Download Submit
memory/836-59-0x0000000000000000-mapping.dmp

Download
memory/836-63-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/836-64-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1888-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1888-55-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download
memory/1888-56-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1888-57-0x0000000000400000-0x000000000055A000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing