systembc | 4d586a534d4ac3e4f084ee1f29a51856b2c316fe7745bb0cfbf13447fa3291dd

General

Target

4d586a534d4ac3e4f084ee1f29a51856b2c316fe7745bb0cfbf13447fa3291dd.exe
Size

168KB
MD5

a554fcbe9859c314ee657507f58bd1ab
SHA1

3355e28863ab4391e9bba4cf95c214acd44207c1
SHA256

4d586a534d4ac3e4f084ee1f29a51856b2c316fe7745bb0cfbf13447fa3291dd
SHA512

f5e6ebd159ec20352162837750fc6f7d45db6927ed54d75d41ab67d21e45113b596073c23e71ea39cfbe2aaf27bd46c75e2de656d63b254a1eaf208420471673

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

26asdcgd.com:4039

26asdcgd.xyz:4039

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

bwqaio.exe

pid process

1720 bwqaio.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.ipify.org
6 api.ipify.org
7 ip4.seeip.org
8 ip4.seeip.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1720	bwqaio.exe

flow	ioc
5	api.ipify.org
6	api.ipify.org
7	ip4.seeip.org
8	ip4.seeip.org

Drops file in Windows directory 2 IoCs

Processes:

4d586a534d4ac3e4f084ee1f29a51856b2c316fe7745bb0cfbf13447fa3291dd.exe

description	ioc	process
File created	C:\Windows\Tasks\bwqaio.job	4d586a534d4ac3e4f084ee1f29a51856b2c316fe7745bb0cfbf13447fa3291dd.exe
File opened for modification	C:\Windows\Tasks\bwqaio.job	4d586a534d4ac3e4f084ee1f29a51856b2c316fe7745bb0cfbf13447fa3291dd.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4d586a534d4ac3e4f084ee1f29a51856b2c316fe7745bb0cfbf13447fa3291dd.exe

pid process

1948 4d586a534d4ac3e4f084ee1f29a51856b2c316fe7745bb0cfbf13447fa3291dd.exe

pid	process
1948	4d586a534d4ac3e4f084ee1f29a51856b2c316fe7745bb0cfbf13447fa3291dd.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 112 wrote to memory of 1720	112	taskeng.exe	bwqaio.exe
PID 112 wrote to memory of 1720	112	taskeng.exe	bwqaio.exe
PID 112 wrote to memory of 1720	112	taskeng.exe	bwqaio.exe
PID 112 wrote to memory of 1720	112	taskeng.exe	bwqaio.exe

C:\Users\Admin\AppData\Local\Temp\4d586a534d4ac3e4f084ee1f29a51856b2c316fe7745bb0cfbf13447fa3291dd.exe
"C:\Users\Admin\AppData\Local\Temp\4d586a534d4ac3e4f084ee1f29a51856b2c316fe7745bb0cfbf13447fa3291dd.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1948

C:\Windows\system32\taskeng.exe
taskeng.exe {0A14B2CC-9F7D-408E-929A-7CC0F7266CDD} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:112

C:\ProgramData\weipwt\bwqaio.exe
C:\ProgramData\weipwt\bwqaio.exe start
2⤵
- Executes dropped EXE
PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\weipwt\bwqaio.exe
Filesize
168KB

MD5
a554fcbe9859c314ee657507f58bd1ab

SHA1
3355e28863ab4391e9bba4cf95c214acd44207c1

SHA256
4d586a534d4ac3e4f084ee1f29a51856b2c316fe7745bb0cfbf13447fa3291dd

SHA512
f5e6ebd159ec20352162837750fc6f7d45db6927ed54d75d41ab67d21e45113b596073c23e71ea39cfbe2aaf27bd46c75e2de656d63b254a1eaf208420471673

Download Submit
C:\ProgramData\weipwt\bwqaio.exe
Filesize
168KB

MD5
a554fcbe9859c314ee657507f58bd1ab

SHA1
3355e28863ab4391e9bba4cf95c214acd44207c1

SHA256
4d586a534d4ac3e4f084ee1f29a51856b2c316fe7745bb0cfbf13447fa3291dd

SHA512
f5e6ebd159ec20352162837750fc6f7d45db6927ed54d75d41ab67d21e45113b596073c23e71ea39cfbe2aaf27bd46c75e2de656d63b254a1eaf208420471673

Download Submit
memory/1720-59-0x0000000000000000-mapping.dmp

Download
memory/1720-62-0x000000000067B000-0x0000000000682000-memory.dmp

Filesize
28KB

Download
memory/1720-63-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download
memory/1948-54-0x0000000075401000-0x0000000075403000-memory.dmp

Filesize
8KB

Download
memory/1948-56-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1948-55-0x000000000058B000-0x0000000000592000-memory.dmp

Filesize
28KB

Download
memory/1948-57-0x0000000000400000-0x00000000004E4000-memory.dmp

Filesize
912KB

Download

Analysis

Sharing