systembc | b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9

General

Target

b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe
Size

375KB
MD5

8ceb7cb380ad45d1264ffb75ad6363e1
SHA1

18311e80325eb3bce7f7d8197d5320c360fe42fd
SHA256

b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9
SHA512

f328de68f70d265f73a044a620dc549b2c02481c10d0a377e0cb8fd890e6fe5fb5fbd77ea45075ab2476407580beeac66b13c1a77cb0e0947b65574dec7be960

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

26asdcgd.com:4039

26asdcgd.xyz:4039

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

nqom.exe

pid process

3528 nqom.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 api.ipify.org
23 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
3528	nqom.exe

flow	ioc
22	api.ipify.org
23	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe

description	ioc	process
File created	C:\Windows\Tasks\nqom.job	b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe
File opened for modification	C:\Windows\Tasks\nqom.job	b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1336	3528	WerFault.exe	nqom.exe
264	3528	WerFault.exe	nqom.exe
2988	1312	WerFault.exe	b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe
1320	1312	WerFault.exe	b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe
2148	3528	WerFault.exe	nqom.exe
4604	3528	WerFault.exe	nqom.exe
4288	1312	WerFault.exe	b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe
3868	3528	WerFault.exe	nqom.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe

pid	process
1312	b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe
1312	b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe

C:\Users\Admin\AppData\Local\Temp\b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe
"C:\Users\Admin\AppData\Local\Temp\b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 964
2⤵
- Program crash
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 976
2⤵
- Program crash
PID:1320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 484
2⤵
- Program crash
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1312 -ip 1312
1⤵
PID:4444

C:\ProgramData\vhlg\nqom.exe
C:\ProgramData\vhlg\nqom.exe start
1⤵
- Executes dropped EXE
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 184
2⤵
- Program crash
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 584
2⤵
- Program crash
PID:264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 584
2⤵
- Program crash
PID:2148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 492
2⤵
- Program crash
PID:4604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 892
2⤵
- Program crash
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3528 -ip 3528
1⤵
PID:4612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3528 -ip 3528
1⤵
PID:312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1312 -ip 1312
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 1312 -ip 1312
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3528 -ip 3528
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3528 -ip 3528
1⤵
PID:1664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1312 -ip 1312
1⤵
PID:3516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3528 -ip 3528
1⤵
PID:2624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\vhlg\nqom.exe
Filesize
375KB

MD5
8ceb7cb380ad45d1264ffb75ad6363e1

SHA1
18311e80325eb3bce7f7d8197d5320c360fe42fd

SHA256
b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9

SHA512
f328de68f70d265f73a044a620dc549b2c02481c10d0a377e0cb8fd890e6fe5fb5fbd77ea45075ab2476407580beeac66b13c1a77cb0e0947b65574dec7be960

Download Submit
C:\ProgramData\vhlg\nqom.exe
Filesize
375KB

MD5
8ceb7cb380ad45d1264ffb75ad6363e1

SHA1
18311e80325eb3bce7f7d8197d5320c360fe42fd

SHA256
b403730c8a4eb00c33d4cd564835b15d765f8978b30d6578b2350e5a7dedb2b9

SHA512
f328de68f70d265f73a044a620dc549b2c02481c10d0a377e0cb8fd890e6fe5fb5fbd77ea45075ab2476407580beeac66b13c1a77cb0e0947b65574dec7be960

Download Submit
memory/1312-130-0x00000000023C7000-0x00000000023CE000-memory.dmp

Filesize
28KB

Download
memory/1312-131-0x0000000004050000-0x0000000004059000-memory.dmp

Filesize
36KB

Download
memory/1312-132-0x0000000000400000-0x000000000231A000-memory.dmp

Filesize
31.1MB

Download
memory/3528-135-0x0000000002352000-0x0000000002359000-memory.dmp

Filesize
28KB

Download
memory/3528-136-0x0000000002490000-0x0000000002499000-memory.dmp

Filesize
36KB

Download
memory/3528-137-0x0000000000400000-0x000000000231A000-memory.dmp

Filesize
31.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads