systembc | d5d72184ddca524ef2b1c074e50a90a6e241cc0be01f7e5625979a693a6ee1e8

General

Target

d5d72184ddca524ef2b1c074e50a90a6e241cc0be01f7e5625979a693a6ee1e8.exe
Size

140KB
MD5

7200a81b9e2065e853734078a4402d03
SHA1

10164b6200c431f33595dff706fe6d2ab12323fb
SHA256

d5d72184ddca524ef2b1c074e50a90a6e241cc0be01f7e5625979a693a6ee1e8
SHA512

e4e5b73d9b2831a750d9018383599b8fbde21d207596e9203e196143d05e0c2e32b7425d62c5f6bc27fc7e912659a394e29d5eab7c2d5e4f1e597f7d79c34529

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

advertrex20.xyz:4044

gentexman37.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

rknkwum.exe

pid process

1216 rknkwum.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip4.seeip.org
8 ip4.seeip.org
5 api.ipify.org
6 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1216	rknkwum.exe

flow	ioc
7	ip4.seeip.org
8	ip4.seeip.org
5	api.ipify.org
6	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

d5d72184ddca524ef2b1c074e50a90a6e241cc0be01f7e5625979a693a6ee1e8.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\rknkwum.job	d5d72184ddca524ef2b1c074e50a90a6e241cc0be01f7e5625979a693a6ee1e8.exe
File created	C:\Windows\Tasks\rknkwum.job	d5d72184ddca524ef2b1c074e50a90a6e241cc0be01f7e5625979a693a6ee1e8.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

d5d72184ddca524ef2b1c074e50a90a6e241cc0be01f7e5625979a693a6ee1e8.exe

pid process

1616 d5d72184ddca524ef2b1c074e50a90a6e241cc0be01f7e5625979a693a6ee1e8.exe

pid	process
1616	d5d72184ddca524ef2b1c074e50a90a6e241cc0be01f7e5625979a693a6ee1e8.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 960 wrote to memory of 1216	960	taskeng.exe	rknkwum.exe
PID 960 wrote to memory of 1216	960	taskeng.exe	rknkwum.exe
PID 960 wrote to memory of 1216	960	taskeng.exe	rknkwum.exe
PID 960 wrote to memory of 1216	960	taskeng.exe	rknkwum.exe

C:\Users\Admin\AppData\Local\Temp\d5d72184ddca524ef2b1c074e50a90a6e241cc0be01f7e5625979a693a6ee1e8.exe
"C:\Users\Admin\AppData\Local\Temp\d5d72184ddca524ef2b1c074e50a90a6e241cc0be01f7e5625979a693a6ee1e8.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1616

C:\Windows\system32\taskeng.exe
taskeng.exe {D3D4CE93-E431-4387-85CA-71A0017C4584} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\ProgramData\gpkx\rknkwum.exe
C:\ProgramData\gpkx\rknkwum.exe start
2⤵
- Executes dropped EXE
PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\gpkx\rknkwum.exe
Filesize
140KB

MD5
7200a81b9e2065e853734078a4402d03

SHA1
10164b6200c431f33595dff706fe6d2ab12323fb

SHA256
d5d72184ddca524ef2b1c074e50a90a6e241cc0be01f7e5625979a693a6ee1e8

SHA512
e4e5b73d9b2831a750d9018383599b8fbde21d207596e9203e196143d05e0c2e32b7425d62c5f6bc27fc7e912659a394e29d5eab7c2d5e4f1e597f7d79c34529

Download Submit
C:\ProgramData\gpkx\rknkwum.exe
Filesize
140KB

MD5
7200a81b9e2065e853734078a4402d03

SHA1
10164b6200c431f33595dff706fe6d2ab12323fb

SHA256
d5d72184ddca524ef2b1c074e50a90a6e241cc0be01f7e5625979a693a6ee1e8

SHA512
e4e5b73d9b2831a750d9018383599b8fbde21d207596e9203e196143d05e0c2e32b7425d62c5f6bc27fc7e912659a394e29d5eab7c2d5e4f1e597f7d79c34529

Download Submit
memory/1216-60-0x0000000000000000-mapping.dmp

Download
memory/1216-62-0x00000000030DB000-0x00000000030E2000-memory.dmp

Filesize
28KB

Download
memory/1216-64-0x00000000030DB000-0x00000000030E2000-memory.dmp

Filesize
28KB

Download
memory/1216-65-0x0000000000400000-0x0000000002FAF000-memory.dmp

Filesize
43.7MB

Download
memory/1616-54-0x000000000314B000-0x0000000003152000-memory.dmp

Filesize
28KB

Download
memory/1616-55-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1616-57-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1616-56-0x000000000314B000-0x0000000003152000-memory.dmp

Filesize
28KB

Download
memory/1616-58-0x0000000000400000-0x0000000002FAF000-memory.dmp

Filesize
43.7MB

Download

Analysis

Sharing