systembc | e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8

General

Target

e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe
Size

356KB
MD5

c851a0d3a2cb3e759e85d73f48437fe1
SHA1

3210b9c823d8c1d75f2770884abc1c675db8081b
SHA256

e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8
SHA512

a3b42489df794cffe8b539199dcfcb18dead5d820c6325f0e75cdd40abe6e67309c6980a8667da6905b0aa6dc000306c8a778ce125c5e4b54f0036e95983a9a0

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

sdadvert197.com:4044

mexstat128.com:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

hkug.exe

pid process

1716 hkug.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
6 api.ipify.org
7 ip4.seeip.org
8 ip4.seeip.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1716	hkug.exe

flow	ioc
5	api.ipify.org
6	api.ipify.org
7	ip4.seeip.org
8	ip4.seeip.org

Drops file in Windows directory 2 IoCs

Processes:

e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe

description	ioc	process
File created	C:\Windows\Tasks\hkug.job	e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe
File opened for modification	C:\Windows\Tasks\hkug.job	e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe

pid process

1520 e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe

pid	process
1520	e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 960 wrote to memory of 1716	960	taskeng.exe	hkug.exe
PID 960 wrote to memory of 1716	960	taskeng.exe	hkug.exe
PID 960 wrote to memory of 1716	960	taskeng.exe	hkug.exe
PID 960 wrote to memory of 1716	960	taskeng.exe	hkug.exe

C:\Users\Admin\AppData\Local\Temp\e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe
"C:\Users\Admin\AppData\Local\Temp\e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1520

C:\Windows\system32\taskeng.exe
taskeng.exe {76699236-F41B-471E-AEE6-27221BE7FFA3} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\ProgramData\jhma\hkug.exe
C:\ProgramData\jhma\hkug.exe start
2⤵
- Executes dropped EXE
PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jhma\hkug.exe
Filesize
356KB

MD5
c851a0d3a2cb3e759e85d73f48437fe1

SHA1
3210b9c823d8c1d75f2770884abc1c675db8081b

SHA256
e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8

SHA512
a3b42489df794cffe8b539199dcfcb18dead5d820c6325f0e75cdd40abe6e67309c6980a8667da6905b0aa6dc000306c8a778ce125c5e4b54f0036e95983a9a0

Download Submit
C:\ProgramData\jhma\hkug.exe
Filesize
356KB

MD5
c851a0d3a2cb3e759e85d73f48437fe1

SHA1
3210b9c823d8c1d75f2770884abc1c675db8081b

SHA256
e813bbd838ee06d2af4c0ac30a87f040f763abc993c6139aa830c37d1a0310e8

SHA512
a3b42489df794cffe8b539199dcfcb18dead5d820c6325f0e75cdd40abe6e67309c6980a8667da6905b0aa6dc000306c8a778ce125c5e4b54f0036e95983a9a0

Download Submit
memory/1520-54-0x0000000000D69000-0x0000000000D6F000-memory.dmp

Filesize
24KB

Download
memory/1520-55-0x0000000000D69000-0x0000000000D6F000-memory.dmp

Filesize
24KB

Download
memory/1520-56-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/1520-57-0x0000000076451000-0x0000000076453000-memory.dmp

Filesize
8KB

Download
memory/1520-58-0x0000000000400000-0x0000000000C33000-memory.dmp

Filesize
8.2MB

Download
memory/1716-60-0x0000000000000000-mapping.dmp

Download
memory/1716-62-0x0000000000D69000-0x0000000000D6F000-memory.dmp

Filesize
24KB

Download
memory/1716-65-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1716-64-0x0000000000D69000-0x0000000000D6F000-memory.dmp

Filesize
24KB

Download
memory/1716-66-0x0000000000400000-0x0000000000C33000-memory.dmp

Filesize
8.2MB

Download

Analysis

Sharing