systembc | fd9cc0f0cbd78ea32d556bea65d91e77099ef712b9f57d7bfd105ff165f27d25

General

Target

fd9cc0f0cbd78ea32d556bea65d91e77099ef712b9f57d7bfd105ff165f27d25.exe
Size

203KB
MD5

3b357e5c6891ce1a4ad293a63ac75cdb
SHA1

dc4fc7e3bffa09591dfe75d76d8cdebec9e169f8
SHA256

fd9cc0f0cbd78ea32d556bea65d91e77099ef712b9f57d7bfd105ff165f27d25
SHA512

5780e9966b40756f434b67b8f5b2e46e5de24adc4e728f52783e9b8d29a027b7718748a330144e1353820af4348acdda373fb99ff1d89b7b5bfeccb03a0f8d2b

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

sdadvert197.com:4044

mexstat128.com:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

nnbjklt.exe

pid process

940 nnbjklt.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.ipify.org
7 ip4.seeip.org
8 ip4.seeip.org
5 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
940	nnbjklt.exe

flow	ioc
6	api.ipify.org
7	ip4.seeip.org
8	ip4.seeip.org
5	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

fd9cc0f0cbd78ea32d556bea65d91e77099ef712b9f57d7bfd105ff165f27d25.exe

description	ioc	process
File created	C:\Windows\Tasks\nnbjklt.job	fd9cc0f0cbd78ea32d556bea65d91e77099ef712b9f57d7bfd105ff165f27d25.exe
File opened for modification	C:\Windows\Tasks\nnbjklt.job	fd9cc0f0cbd78ea32d556bea65d91e77099ef712b9f57d7bfd105ff165f27d25.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

fd9cc0f0cbd78ea32d556bea65d91e77099ef712b9f57d7bfd105ff165f27d25.exe

pid process

1480 fd9cc0f0cbd78ea32d556bea65d91e77099ef712b9f57d7bfd105ff165f27d25.exe

pid	process
1480	fd9cc0f0cbd78ea32d556bea65d91e77099ef712b9f57d7bfd105ff165f27d25.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1172 wrote to memory of 940	1172	taskeng.exe	nnbjklt.exe
PID 1172 wrote to memory of 940	1172	taskeng.exe	nnbjklt.exe
PID 1172 wrote to memory of 940	1172	taskeng.exe	nnbjklt.exe
PID 1172 wrote to memory of 940	1172	taskeng.exe	nnbjklt.exe

C:\Users\Admin\AppData\Local\Temp\fd9cc0f0cbd78ea32d556bea65d91e77099ef712b9f57d7bfd105ff165f27d25.exe
"C:\Users\Admin\AppData\Local\Temp\fd9cc0f0cbd78ea32d556bea65d91e77099ef712b9f57d7bfd105ff165f27d25.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1480

C:\Windows\system32\taskeng.exe
taskeng.exe {F0A2A388-A7FA-4F37-AE8E-6D88ED30B23D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1172

C:\ProgramData\fwavpmq\nnbjklt.exe
C:\ProgramData\fwavpmq\nnbjklt.exe start
2⤵
- Executes dropped EXE
PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fwavpmq\nnbjklt.exe
Filesize
203KB

MD5
3b357e5c6891ce1a4ad293a63ac75cdb

SHA1
dc4fc7e3bffa09591dfe75d76d8cdebec9e169f8

SHA256
fd9cc0f0cbd78ea32d556bea65d91e77099ef712b9f57d7bfd105ff165f27d25

SHA512
5780e9966b40756f434b67b8f5b2e46e5de24adc4e728f52783e9b8d29a027b7718748a330144e1353820af4348acdda373fb99ff1d89b7b5bfeccb03a0f8d2b

Download Submit
C:\ProgramData\fwavpmq\nnbjklt.exe
Filesize
203KB

MD5
3b357e5c6891ce1a4ad293a63ac75cdb

SHA1
dc4fc7e3bffa09591dfe75d76d8cdebec9e169f8

SHA256
fd9cc0f0cbd78ea32d556bea65d91e77099ef712b9f57d7bfd105ff165f27d25

SHA512
5780e9966b40756f434b67b8f5b2e46e5de24adc4e728f52783e9b8d29a027b7718748a330144e1353820af4348acdda373fb99ff1d89b7b5bfeccb03a0f8d2b

Download Submit
memory/940-60-0x0000000000000000-mapping.dmp

Download
memory/940-62-0x000000000249A000-0x00000000024A0000-memory.dmp

Filesize
24KB

Download
memory/940-64-0x000000000249A000-0x00000000024A0000-memory.dmp

Filesize
24KB

Download
memory/940-65-0x0000000000400000-0x00000000022EF000-memory.dmp

Filesize
30.9MB

Download
memory/1480-54-0x000000000238A000-0x0000000002390000-memory.dmp

Filesize
24KB

Download
memory/1480-55-0x0000000075871000-0x0000000075873000-memory.dmp

Filesize
8KB

Download
memory/1480-57-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/1480-56-0x000000000238A000-0x0000000002390000-memory.dmp

Filesize
24KB

Download
memory/1480-58-0x0000000000400000-0x00000000022EF000-memory.dmp

Filesize
30.9MB

Download

Analysis

Sharing