systembc | 2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec

General

Target

2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe
Size

357KB
MD5

6adff82e37aadb238d58699f857e5f8b
SHA1

f779cdc5c8d6a8595a0850cb8fb7097e4f74f66d
SHA256

2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec
SHA512

e9edae21aa6708690ed8a7df2555e48121677d43f3994f2407ca4ead9ac775a02cb73e367830c9cd8f49587e43a7c5a546cc400c5a46ce00e9fef81f3fb4eb96

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

sdadvert197.com:4044

mexstat128.com:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

sexwh.exe

pid process

4268 sexwh.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

14 api.ipify.org
18 ip4.seeip.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
4268	sexwh.exe

flow	ioc
14	api.ipify.org
18	ip4.seeip.org

Drops file in Windows directory 2 IoCs

Processes:

2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe

description	ioc	process
File created	C:\Windows\Tasks\sexwh.job	2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe
File opened for modification	C:\Windows\Tasks\sexwh.job	2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4256	3248	WerFault.exe	2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe
4856	4268	WerFault.exe	sexwh.exe
4520	4268	WerFault.exe	sexwh.exe
448	3248	WerFault.exe	2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe
2104	3248	WerFault.exe	2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe
224	4268	WerFault.exe	sexwh.exe
4876	4268	WerFault.exe	sexwh.exe
4904	3248	WerFault.exe	2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe

pid	process
3248	2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe
3248	2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe

C:\Users\Admin\AppData\Local\Temp\2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe
"C:\Users\Admin\AppData\Local\Temp\2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 484
2⤵
- Program crash
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 940
2⤵
- Program crash
PID:448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 964
2⤵
- Program crash
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 948
2⤵
- Program crash
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3248 -ip 3248
1⤵
PID:4204

C:\ProgramData\mdde\sexwh.exe
C:\ProgramData\mdde\sexwh.exe start
1⤵
- Executes dropped EXE
PID:4268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 480
2⤵
- Program crash
PID:4856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 756
2⤵
- Program crash
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 776
2⤵
- Program crash
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4268 -s 732
2⤵
- Program crash
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4268 -ip 4268
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4268 -ip 4268
1⤵
PID:4512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3248 -ip 3248
1⤵
PID:4372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3248 -ip 3248
1⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4268 -ip 4268
1⤵
PID:4000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4268 -ip 4268
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3248 -ip 3248
1⤵
PID:3112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mdde\sexwh.exe
Filesize
357KB

MD5
6adff82e37aadb238d58699f857e5f8b

SHA1
f779cdc5c8d6a8595a0850cb8fb7097e4f74f66d

SHA256
2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec

SHA512
e9edae21aa6708690ed8a7df2555e48121677d43f3994f2407ca4ead9ac775a02cb73e367830c9cd8f49587e43a7c5a546cc400c5a46ce00e9fef81f3fb4eb96

Download Submit
C:\ProgramData\mdde\sexwh.exe
Filesize
357KB

MD5
6adff82e37aadb238d58699f857e5f8b

SHA1
f779cdc5c8d6a8595a0850cb8fb7097e4f74f66d

SHA256
2acd7bc3c78edc1630e17dd81edbccb0434e83d7100f08fcd4b4b6e0df9cb6ec

SHA512
e9edae21aa6708690ed8a7df2555e48121677d43f3994f2407ca4ead9ac775a02cb73e367830c9cd8f49587e43a7c5a546cc400c5a46ce00e9fef81f3fb4eb96

Download Submit
memory/3248-130-0x0000000000DFA000-0x0000000000E01000-memory.dmp

Filesize
28KB

Download
memory/3248-131-0x0000000000DFA000-0x0000000000E01000-memory.dmp

Filesize
28KB

Download
memory/3248-132-0x0000000002970000-0x0000000002979000-memory.dmp

Filesize
36KB

Download
memory/3248-133-0x0000000000400000-0x0000000000C33000-memory.dmp

Filesize
8.2MB

Download
memory/4268-136-0x0000000000F95000-0x0000000000F9B000-memory.dmp

Filesize
24KB

Download
memory/4268-137-0x0000000000F95000-0x0000000000F9B000-memory.dmp

Filesize
24KB

Download
memory/4268-138-0x0000000000D80000-0x0000000000D89000-memory.dmp

Filesize
36KB

Download
memory/4268-139-0x0000000000400000-0x0000000000C33000-memory.dmp

Filesize
8.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads