systembc | c51cf33451f5667a1a5ff3790cfe930580f00cbccbc8c7d19876c1048deed18a

General

Target

c51cf33451f5667a1a5ff3790cfe930580f00cbccbc8c7d19876c1048deed18a.exe
Size

96KB
MD5

a04c8b219c9cc54437b337b0f9efbf9b
SHA1

2f8c91d4074917f25be71102344d8415aa2b1756
SHA256

c51cf33451f5667a1a5ff3790cfe930580f00cbccbc8c7d19876c1048deed18a
SHA512

0baf265384b689f2414b10e6628a5c84fae66728618954784944e176e202eff988a20f9e1fcb35b44f3df23c87dcbdddad9485d1d97975ff4f1515e8e547ac6b

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

23hfdne.com:4035

23hfdne.xyz:4035

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

akmtlc.exe

pid process

1732 akmtlc.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
6 api.ipify.org
7 ip4.seeip.org
8 ip4.seeip.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1732	akmtlc.exe

flow	ioc
5	api.ipify.org
6	api.ipify.org
7	ip4.seeip.org
8	ip4.seeip.org

Drops file in Windows directory 2 IoCs

Processes:

c51cf33451f5667a1a5ff3790cfe930580f00cbccbc8c7d19876c1048deed18a.exe

description	ioc	process
File created	C:\Windows\Tasks\akmtlc.job	c51cf33451f5667a1a5ff3790cfe930580f00cbccbc8c7d19876c1048deed18a.exe
File opened for modification	C:\Windows\Tasks\akmtlc.job	c51cf33451f5667a1a5ff3790cfe930580f00cbccbc8c7d19876c1048deed18a.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

c51cf33451f5667a1a5ff3790cfe930580f00cbccbc8c7d19876c1048deed18a.exe

pid process

1928 c51cf33451f5667a1a5ff3790cfe930580f00cbccbc8c7d19876c1048deed18a.exe

pid	process
1928	c51cf33451f5667a1a5ff3790cfe930580f00cbccbc8c7d19876c1048deed18a.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 2028 wrote to memory of 1732	2028	taskeng.exe	akmtlc.exe
PID 2028 wrote to memory of 1732	2028	taskeng.exe	akmtlc.exe
PID 2028 wrote to memory of 1732	2028	taskeng.exe	akmtlc.exe
PID 2028 wrote to memory of 1732	2028	taskeng.exe	akmtlc.exe

C:\Users\Admin\AppData\Local\Temp\c51cf33451f5667a1a5ff3790cfe930580f00cbccbc8c7d19876c1048deed18a.exe
"C:\Users\Admin\AppData\Local\Temp\c51cf33451f5667a1a5ff3790cfe930580f00cbccbc8c7d19876c1048deed18a.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1928

C:\Windows\system32\taskeng.exe
taskeng.exe {A56BFCCC-D31A-44CB-BE24-DE036B546AB5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\ProgramData\erwdtj\akmtlc.exe
C:\ProgramData\erwdtj\akmtlc.exe start
2⤵
- Executes dropped EXE
PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\erwdtj\akmtlc.exe
Filesize
96KB

MD5
a04c8b219c9cc54437b337b0f9efbf9b

SHA1
2f8c91d4074917f25be71102344d8415aa2b1756

SHA256
c51cf33451f5667a1a5ff3790cfe930580f00cbccbc8c7d19876c1048deed18a

SHA512
0baf265384b689f2414b10e6628a5c84fae66728618954784944e176e202eff988a20f9e1fcb35b44f3df23c87dcbdddad9485d1d97975ff4f1515e8e547ac6b

Download Submit
C:\ProgramData\erwdtj\akmtlc.exe
Filesize
96KB

MD5
a04c8b219c9cc54437b337b0f9efbf9b

SHA1
2f8c91d4074917f25be71102344d8415aa2b1756

SHA256
c51cf33451f5667a1a5ff3790cfe930580f00cbccbc8c7d19876c1048deed18a

SHA512
0baf265384b689f2414b10e6628a5c84fae66728618954784944e176e202eff988a20f9e1fcb35b44f3df23c87dcbdddad9485d1d97975ff4f1515e8e547ac6b

Download Submit
memory/1732-60-0x0000000000000000-mapping.dmp

Download
memory/1732-62-0x000000000093B000-0x0000000000942000-memory.dmp

Filesize
28KB

Download
memory/1732-64-0x000000000093B000-0x0000000000942000-memory.dmp

Filesize
28KB

Download
memory/1732-65-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1928-54-0x00000000005BB000-0x00000000005C2000-memory.dmp

Filesize
28KB

Download
memory/1928-55-0x0000000075941000-0x0000000075943000-memory.dmp

Filesize
8KB

Download
memory/1928-56-0x00000000005BB000-0x00000000005C2000-memory.dmp

Filesize
28KB

Download
memory/1928-57-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1928-58-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download

Analysis

Sharing