systembc | 6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42

General

Target

6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42.exe
Size

276KB
MD5

822285256eafa07724fd29f8e85c759e
SHA1

5da5dc2c1be087ce6046f6903a6c773b28a3b6cf
SHA256

6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42
SHA512

4d93d7250dc210fff4d54802253d98f5f868f4a273b0a83207a77617657c2ccc7748c9b6743096c7a9bffa9a24221f014d83986f2b6e7751754bf090b4a6a9a0

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

advertrex20.xyz:4044

gentexman37.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

xtsrir.exe

pid process

1988 xtsrir.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 api.ipify.org
8 ip4.seeip.org
9 ip4.seeip.org
6 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1988	xtsrir.exe

flow	ioc
7	api.ipify.org
8	ip4.seeip.org
9	ip4.seeip.org
6	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42.exe

description	ioc	process
File created	C:\Windows\Tasks\xtsrir.job	6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42.exe
File opened for modification	C:\Windows\Tasks\xtsrir.job	6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42.exe

pid process

1836 6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42.exe

pid	process
1836	6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1844 wrote to memory of 1988	1844	taskeng.exe	xtsrir.exe
PID 1844 wrote to memory of 1988	1844	taskeng.exe	xtsrir.exe
PID 1844 wrote to memory of 1988	1844	taskeng.exe	xtsrir.exe
PID 1844 wrote to memory of 1988	1844	taskeng.exe	xtsrir.exe

C:\Users\Admin\AppData\Local\Temp\6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42.exe
"C:\Users\Admin\AppData\Local\Temp\6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1836

C:\Windows\system32\taskeng.exe
taskeng.exe {38E904A7-8EB4-4E90-9AA4-93DD47988C3C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1844
- C:\ProgramData\uccfia\xtsrir.exe
  C:\ProgramData\uccfia\xtsrir.exe start
  2⤵
  - Executes dropped EXE
  PID:1988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\uccfia\xtsrir.exe

MD5
822285256eafa07724fd29f8e85c759e

SHA1
5da5dc2c1be087ce6046f6903a6c773b28a3b6cf

SHA256
6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42

SHA512
4d93d7250dc210fff4d54802253d98f5f868f4a273b0a83207a77617657c2ccc7748c9b6743096c7a9bffa9a24221f014d83986f2b6e7751754bf090b4a6a9a0

Download Submit
C:\ProgramData\uccfia\xtsrir.exe

MD5
822285256eafa07724fd29f8e85c759e

SHA1
5da5dc2c1be087ce6046f6903a6c773b28a3b6cf

SHA256
6cbce4db4d81c67bdf8a077e493fe2ac29c07774baa33def3389c139ddef5e42

SHA512
4d93d7250dc210fff4d54802253d98f5f868f4a273b0a83207a77617657c2ccc7748c9b6743096c7a9bffa9a24221f014d83986f2b6e7751754bf090b4a6a9a0

Download Submit
memory/1836-54-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/1836-55-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/1836-56-0x0000000075C41000-0x0000000075C43000-memory.dmp

Filesize
8KB

Download
memory/1836-57-0x0000000000400000-0x00000000046C4000-memory.dmp

Filesize
66.8MB

Download
memory/1988-59-0x0000000000000000-mapping.dmp

Download
memory/1988-62-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/1988-63-0x0000000000400000-0x00000000046C4000-memory.dmp

Filesize
66.8MB

Download

Analysis

Sharing