systembc | 17afe1971ecfe1ba3fb63253a5aa773106ce132395d70e92f9f2227d85cd9c55

General

Target

17afe1971ecfe1ba3fb63253a5aa773106ce132395d70e92f9f2227d85cd9c55.exe
Size

90KB
MD5

50b7c39b62eed16c581f6f2d8b7f65fe
SHA1

462a4116dacd8e41e07a97c2e034653deba7eaba
SHA256

17afe1971ecfe1ba3fb63253a5aa773106ce132395d70e92f9f2227d85cd9c55
SHA512

b4e5f2ae8bae802fb9b0c1dd1ca5f1e62516927a28d5bf7921b9e7e2f0e91a1605b5cd359a51226a166f6df5caddb04f2cc155a2b7751411e5740e14fcefe7d9

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

23hfdne.com:4035

23hfdne.xyz:4035

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

cbkaw.exe

pid process

1392 cbkaw.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
6 api.ipify.org
7 ip4.seeip.org
8 ip4.seeip.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1392	cbkaw.exe

flow	ioc
5	api.ipify.org
6	api.ipify.org
7	ip4.seeip.org
8	ip4.seeip.org

Drops file in Windows directory 2 IoCs

Processes:

17afe1971ecfe1ba3fb63253a5aa773106ce132395d70e92f9f2227d85cd9c55.exe

description	ioc	process
File created	C:\Windows\Tasks\cbkaw.job	17afe1971ecfe1ba3fb63253a5aa773106ce132395d70e92f9f2227d85cd9c55.exe
File opened for modification	C:\Windows\Tasks\cbkaw.job	17afe1971ecfe1ba3fb63253a5aa773106ce132395d70e92f9f2227d85cd9c55.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

17afe1971ecfe1ba3fb63253a5aa773106ce132395d70e92f9f2227d85cd9c55.exe

pid process

1972 17afe1971ecfe1ba3fb63253a5aa773106ce132395d70e92f9f2227d85cd9c55.exe

pid	process
1972	17afe1971ecfe1ba3fb63253a5aa773106ce132395d70e92f9f2227d85cd9c55.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 620 wrote to memory of 1392	620	taskeng.exe	cbkaw.exe
PID 620 wrote to memory of 1392	620	taskeng.exe	cbkaw.exe
PID 620 wrote to memory of 1392	620	taskeng.exe	cbkaw.exe
PID 620 wrote to memory of 1392	620	taskeng.exe	cbkaw.exe

C:\Users\Admin\AppData\Local\Temp\17afe1971ecfe1ba3fb63253a5aa773106ce132395d70e92f9f2227d85cd9c55.exe
"C:\Users\Admin\AppData\Local\Temp\17afe1971ecfe1ba3fb63253a5aa773106ce132395d70e92f9f2227d85cd9c55.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1972

C:\Windows\system32\taskeng.exe
taskeng.exe {6FF2F842-31EF-41E2-86F9-3F49B95C12E9} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:620
- C:\ProgramData\xgsgfrb\cbkaw.exe
  C:\ProgramData\xgsgfrb\cbkaw.exe start
  2⤵
  - Executes dropped EXE
  PID:1392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\xgsgfrb\cbkaw.exe

Filesize
90KB

MD5
50b7c39b62eed16c581f6f2d8b7f65fe

SHA1
462a4116dacd8e41e07a97c2e034653deba7eaba

SHA256
17afe1971ecfe1ba3fb63253a5aa773106ce132395d70e92f9f2227d85cd9c55

SHA512
b4e5f2ae8bae802fb9b0c1dd1ca5f1e62516927a28d5bf7921b9e7e2f0e91a1605b5cd359a51226a166f6df5caddb04f2cc155a2b7751411e5740e14fcefe7d9

Download Submit
C:\ProgramData\xgsgfrb\cbkaw.exe

Filesize
90KB

MD5
50b7c39b62eed16c581f6f2d8b7f65fe

SHA1
462a4116dacd8e41e07a97c2e034653deba7eaba

SHA256
17afe1971ecfe1ba3fb63253a5aa773106ce132395d70e92f9f2227d85cd9c55

SHA512
b4e5f2ae8bae802fb9b0c1dd1ca5f1e62516927a28d5bf7921b9e7e2f0e91a1605b5cd359a51226a166f6df5caddb04f2cc155a2b7751411e5740e14fcefe7d9

Download Submit
memory/1392-60-0x0000000000000000-mapping.dmp

Download
memory/1392-62-0x00000000006AB000-0x00000000006B2000-memory.dmp

Filesize
28KB

Download
memory/1392-64-0x00000000006AB000-0x00000000006B2000-memory.dmp

Filesize
28KB

Download
memory/1392-65-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/1972-54-0x00000000006CB000-0x00000000006D2000-memory.dmp

Filesize
28KB

Download
memory/1972-55-0x0000000076721000-0x0000000076723000-memory.dmp

Filesize
8KB

Download
memory/1972-57-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1972-56-0x00000000006CB000-0x00000000006D2000-memory.dmp

Filesize
28KB

Download
memory/1972-58-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download

Analysis

Sharing