systembc | 934e82163e404f59441c8c73ce0c46f7fa2a971f14dbefb33cd3132496dca790

General

Target

934e82163e404f59441c8c73ce0c46f7fa2a971f14dbefb33cd3132496dca790.exe
Size

90KB
MD5

6091938947f0a7196a622a0986000b7c
SHA1

c4fd87b56a47dc806689f585343b3ca3e4e552cd
SHA256

934e82163e404f59441c8c73ce0c46f7fa2a971f14dbefb33cd3132496dca790
SHA512

0edc79e4dbba2751021b8cf935aa86d4ee441d79cf15a51647889ec0fdb01d46e314136e625fe394a1594bf45f6e50599a9736fa01d3b8f22a9a073b082e0402

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

advertrex20.xyz:4044

gentexman37.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

lrkjb.exe

pid process

1308 lrkjb.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.ipify.org
7 ip4.seeip.org
8 ip4.seeip.org
5 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1308	lrkjb.exe

flow	ioc
6	api.ipify.org
7	ip4.seeip.org
8	ip4.seeip.org
5	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

934e82163e404f59441c8c73ce0c46f7fa2a971f14dbefb33cd3132496dca790.exe

description	ioc	process
File created	C:\Windows\Tasks\lrkjb.job	934e82163e404f59441c8c73ce0c46f7fa2a971f14dbefb33cd3132496dca790.exe
File opened for modification	C:\Windows\Tasks\lrkjb.job	934e82163e404f59441c8c73ce0c46f7fa2a971f14dbefb33cd3132496dca790.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

934e82163e404f59441c8c73ce0c46f7fa2a971f14dbefb33cd3132496dca790.exe

pid process

1668 934e82163e404f59441c8c73ce0c46f7fa2a971f14dbefb33cd3132496dca790.exe

pid	process
1668	934e82163e404f59441c8c73ce0c46f7fa2a971f14dbefb33cd3132496dca790.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1164 wrote to memory of 1308	1164	taskeng.exe	lrkjb.exe
PID 1164 wrote to memory of 1308	1164	taskeng.exe	lrkjb.exe
PID 1164 wrote to memory of 1308	1164	taskeng.exe	lrkjb.exe
PID 1164 wrote to memory of 1308	1164	taskeng.exe	lrkjb.exe

C:\Users\Admin\AppData\Local\Temp\934e82163e404f59441c8c73ce0c46f7fa2a971f14dbefb33cd3132496dca790.exe
"C:\Users\Admin\AppData\Local\Temp\934e82163e404f59441c8c73ce0c46f7fa2a971f14dbefb33cd3132496dca790.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1668

C:\Windows\system32\taskeng.exe
taskeng.exe {87B02619-8EA4-4DC3-83B3-5B5CBB23499A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\ProgramData\ocnsnr\lrkjb.exe
C:\ProgramData\ocnsnr\lrkjb.exe start
2⤵
- Executes dropped EXE
PID:1308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ocnsnr\lrkjb.exe
Filesize
90KB

MD5
6091938947f0a7196a622a0986000b7c

SHA1
c4fd87b56a47dc806689f585343b3ca3e4e552cd

SHA256
934e82163e404f59441c8c73ce0c46f7fa2a971f14dbefb33cd3132496dca790

SHA512
0edc79e4dbba2751021b8cf935aa86d4ee441d79cf15a51647889ec0fdb01d46e314136e625fe394a1594bf45f6e50599a9736fa01d3b8f22a9a073b082e0402

Download Submit
C:\ProgramData\ocnsnr\lrkjb.exe
Filesize
90KB

MD5
6091938947f0a7196a622a0986000b7c

SHA1
c4fd87b56a47dc806689f585343b3ca3e4e552cd

SHA256
934e82163e404f59441c8c73ce0c46f7fa2a971f14dbefb33cd3132496dca790

SHA512
0edc79e4dbba2751021b8cf935aa86d4ee441d79cf15a51647889ec0fdb01d46e314136e625fe394a1594bf45f6e50599a9736fa01d3b8f22a9a073b082e0402

Download Submit
memory/1308-60-0x0000000000000000-mapping.dmp

Download
memory/1308-62-0x000000000318B000-0x0000000003192000-memory.dmp

Filesize
28KB

Download
memory/1308-64-0x000000000318B000-0x0000000003192000-memory.dmp

Filesize
28KB

Download
memory/1308-65-0x0000000000400000-0x0000000002FA1000-memory.dmp

Filesize
43.6MB

Download
memory/1668-54-0x000000000306B000-0x0000000003072000-memory.dmp

Filesize
28KB

Download
memory/1668-55-0x00000000764C1000-0x00000000764C3000-memory.dmp

Filesize
8KB

Download
memory/1668-56-0x000000000306B000-0x0000000003072000-memory.dmp

Filesize
28KB

Download
memory/1668-57-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1668-58-0x0000000000400000-0x0000000002FA1000-memory.dmp

Filesize
43.6MB

Download

Analysis

Sharing