systembc | e9feac3695a81a71ede3b7b768869a336403251fd00333a6ea4d0265f90d2e76

General

Target

e9feac3695a81a71ede3b7b768869a336403251fd00333a6ea4d0265f90d2e76.exe
Size

156KB
MD5

53dea6ee1aeb6e0b102803c43b177967
SHA1

76ae52abaaa31d8f946a1888d33b8cf08f100c8b
SHA256

e9feac3695a81a71ede3b7b768869a336403251fd00333a6ea4d0265f90d2e76
SHA512

815dda2786dab4d05cc53084f9a3b04c9d3256b764d6f16bde2ef1ab7b228e08f7ddd3f417c1eacac7f9fab6a4208e7d0c8504083ccc6fa14c71ea102585825e

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

advertrex20.xyz:4044

gentexman37.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

scjn.exe

pid process

1200 scjn.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
6 api.ipify.org
7 ip4.seeip.org
8 ip4.seeip.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1200	scjn.exe

flow	ioc
5	api.ipify.org
6	api.ipify.org
7	ip4.seeip.org
8	ip4.seeip.org

Drops file in Windows directory 2 IoCs

Processes:

e9feac3695a81a71ede3b7b768869a336403251fd00333a6ea4d0265f90d2e76.exe

description	ioc	process
File created	C:\Windows\Tasks\scjn.job	e9feac3695a81a71ede3b7b768869a336403251fd00333a6ea4d0265f90d2e76.exe
File opened for modification	C:\Windows\Tasks\scjn.job	e9feac3695a81a71ede3b7b768869a336403251fd00333a6ea4d0265f90d2e76.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e9feac3695a81a71ede3b7b768869a336403251fd00333a6ea4d0265f90d2e76.exe

pid process

2032 e9feac3695a81a71ede3b7b768869a336403251fd00333a6ea4d0265f90d2e76.exe

pid	process
2032	e9feac3695a81a71ede3b7b768869a336403251fd00333a6ea4d0265f90d2e76.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1540 wrote to memory of 1200	1540	taskeng.exe	scjn.exe
PID 1540 wrote to memory of 1200	1540	taskeng.exe	scjn.exe
PID 1540 wrote to memory of 1200	1540	taskeng.exe	scjn.exe
PID 1540 wrote to memory of 1200	1540	taskeng.exe	scjn.exe

C:\Users\Admin\AppData\Local\Temp\e9feac3695a81a71ede3b7b768869a336403251fd00333a6ea4d0265f90d2e76.exe
"C:\Users\Admin\AppData\Local\Temp\e9feac3695a81a71ede3b7b768869a336403251fd00333a6ea4d0265f90d2e76.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2032

C:\Windows\system32\taskeng.exe
taskeng.exe {8CF5CBD8-05B5-4F1E-9489-5E4E1273EE80} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\ProgramData\wqhsf\scjn.exe
C:\ProgramData\wqhsf\scjn.exe start
2⤵
- Executes dropped EXE
PID:1200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wqhsf\scjn.exe
Filesize
156KB

MD5
53dea6ee1aeb6e0b102803c43b177967

SHA1
76ae52abaaa31d8f946a1888d33b8cf08f100c8b

SHA256
e9feac3695a81a71ede3b7b768869a336403251fd00333a6ea4d0265f90d2e76

SHA512
815dda2786dab4d05cc53084f9a3b04c9d3256b764d6f16bde2ef1ab7b228e08f7ddd3f417c1eacac7f9fab6a4208e7d0c8504083ccc6fa14c71ea102585825e

Download Submit
C:\ProgramData\wqhsf\scjn.exe
Filesize
156KB

MD5
53dea6ee1aeb6e0b102803c43b177967

SHA1
76ae52abaaa31d8f946a1888d33b8cf08f100c8b

SHA256
e9feac3695a81a71ede3b7b768869a336403251fd00333a6ea4d0265f90d2e76

SHA512
815dda2786dab4d05cc53084f9a3b04c9d3256b764d6f16bde2ef1ab7b228e08f7ddd3f417c1eacac7f9fab6a4208e7d0c8504083ccc6fa14c71ea102585825e

Download Submit
memory/1200-60-0x0000000000000000-mapping.dmp

Download
memory/1200-62-0x0000000000A8B000-0x0000000000A92000-memory.dmp

Filesize
28KB

Download
memory/1200-64-0x0000000000A8B000-0x0000000000A92000-memory.dmp

Filesize
28KB

Download
memory/1200-65-0x0000000000400000-0x00000000008C6000-memory.dmp

Filesize
4.8MB

Download
memory/2032-54-0x000000000026B000-0x0000000000272000-memory.dmp

Filesize
28KB

Download
memory/2032-55-0x00000000761D1000-0x00000000761D3000-memory.dmp

Filesize
8KB

Download
memory/2032-57-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/2032-56-0x000000000026B000-0x0000000000272000-memory.dmp

Filesize
28KB

Download
memory/2032-58-0x0000000000400000-0x00000000008C6000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing