systembc | 2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec

General

Target

2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe
Size

357KB
MD5

6adff82e37aadb238d58699f857e5f8b
SHA1

f779cdc5c8d6a8595a0850cb8fb7097e4f74f66d
SHA256

2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec
SHA512

e9edae21aa6708690ed8a7df2555e48121677d43f3994f2407ca4ead9ac775a02cb73e367830c9cd8f49587e43a7c5a546cc400c5a46ce00e9fef81f3fb4eb96

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

sdadvert197.com:4044

mexstat128.com:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

ossfh.exe

pid process

1720 ossfh.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.ipify.org
7 ip4.seeip.org
8 ip4.seeip.org
5 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1720	ossfh.exe

flow	ioc
6	api.ipify.org
7	ip4.seeip.org
8	ip4.seeip.org
5	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe

description	ioc	process
File created	C:\Windows\Tasks\ossfh.job	2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe
File opened for modification	C:\Windows\Tasks\ossfh.job	2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe

pid process

1080 2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe

pid	process
1080	2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 908 wrote to memory of 1720	908	taskeng.exe	ossfh.exe
PID 908 wrote to memory of 1720	908	taskeng.exe	ossfh.exe
PID 908 wrote to memory of 1720	908	taskeng.exe	ossfh.exe
PID 908 wrote to memory of 1720	908	taskeng.exe	ossfh.exe

C:\Users\Admin\AppData\Local\Temp\2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe
"C:\Users\Admin\AppData\Local\Temp\2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1080

C:\Windows\system32\taskeng.exe
taskeng.exe {9485770A-3197-4F0E-B539-D7DFDF79E1D5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:908

C:\ProgramData\odacnpl\ossfh.exe
C:\ProgramData\odacnpl\ossfh.exe start
2⤵
- Executes dropped EXE
PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\odacnpl\ossfh.exe
Filesize
357KB

MD5
6adff82e37aadb238d58699f857e5f8b

SHA1
f779cdc5c8d6a8595a0850cb8fb7097e4f74f66d

SHA256
2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec

SHA512
e9edae21aa6708690ed8a7df2555e48121677d43f3994f2407ca4ead9ac775a02cb73e367830c9cd8f49587e43a7c5a546cc400c5a46ce00e9fef81f3fb4eb96

Download Submit
C:\ProgramData\odacnpl\ossfh.exe
Filesize
357KB

MD5
6adff82e37aadb238d58699f857e5f8b

SHA1
f779cdc5c8d6a8595a0850cb8fb7097e4f74f66d

SHA256
2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec

SHA512
e9edae21aa6708690ed8a7df2555e48121677d43f3994f2407ca4ead9ac775a02cb73e367830c9cd8f49587e43a7c5a546cc400c5a46ce00e9fef81f3fb4eb96

Download Submit
memory/1080-54-0x0000000000E37000-0x0000000000E3E000-memory.dmp

Filesize
28KB

Download
memory/1080-55-0x00000000755C1000-0x00000000755C3000-memory.dmp

Filesize
8KB

Download
memory/1080-56-0x0000000000E37000-0x0000000000E3E000-memory.dmp

Filesize
28KB

Download
memory/1080-57-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1080-58-0x0000000000400000-0x0000000000C33000-memory.dmp

Filesize
8.2MB

Download
memory/1720-60-0x0000000000000000-mapping.dmp

Download
memory/1720-62-0x0000000000277000-0x000000000027D000-memory.dmp

Filesize
24KB

Download
memory/1720-64-0x0000000000277000-0x000000000027D000-memory.dmp

Filesize
24KB

Download
memory/1720-65-0x0000000000400000-0x0000000000C33000-memory.dmp

Filesize
8.2MB

Download

Analysis

Sharing