systembc | 8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a

General

Target

8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a.exe
Size

203KB
MD5

40bd21b534a875137016dd1c93407366
SHA1

941dcff9464e407c060051475758f84e80998417
SHA256

8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a
SHA512

e5466a0c3b4e1c74192ee2db85bf3809904687934b6e2ffb2a1469b8f6510d03d80c948b364a67ed43fd4f753b29355dcb3252ecc073bca21e2880b4254ab31e

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

sdadvert197.com:4044

mexstat128.com:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata
Executes dropped EXE 1 IoCs

Processes:

jqmvhq.exe

pid process

1924 jqmvhq.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

21 api.ipify.org
20 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1924	jqmvhq.exe

flow	ioc
21	api.ipify.org
20	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a.exe

description	ioc	process
File created	C:\Windows\Tasks\jqmvhq.job	8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a.exe
File opened for modification	C:\Windows\Tasks\jqmvhq.job	8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a.exe

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4808	4260	WerFault.exe	8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a.exe
4720	1924	WerFault.exe	jqmvhq.exe
1968	1924	WerFault.exe	jqmvhq.exe
2756	4260	WerFault.exe	8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a.exe
4380	4260	WerFault.exe	8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a.exe
3680	1924	WerFault.exe	jqmvhq.exe
316	1924	WerFault.exe	jqmvhq.exe
2380	4260	WerFault.exe	8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a.exe

pid	process
4260	8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a.exe
4260	8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a.exe

C:\Users\Admin\AppData\Local\Temp\8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a.exe
"C:\Users\Admin\AppData\Local\Temp\8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 488
2⤵
- Program crash
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 944
2⤵
- Program crash
PID:2756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 956
2⤵
- Program crash
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4260 -s 968
2⤵
- Program crash
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4260 -ip 4260
1⤵
PID:4368

C:\ProgramData\obnr\jqmvhq.exe
C:\ProgramData\obnr\jqmvhq.exe start
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 240
2⤵
- Program crash
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 772
2⤵
- Program crash
PID:1968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 844
2⤵
- Program crash
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 728
2⤵
- Program crash
PID:316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1924 -ip 1924
1⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1924 -ip 1924
1⤵
PID:3204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4260 -ip 4260
1⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4260 -ip 4260
1⤵
PID:1232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1924 -ip 1924
1⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1924 -ip 1924
1⤵
PID:2940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4260 -ip 4260
1⤵
PID:4200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\obnr\jqmvhq.exe
Filesize
203KB

MD5
40bd21b534a875137016dd1c93407366

SHA1
941dcff9464e407c060051475758f84e80998417

SHA256
8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a

SHA512
e5466a0c3b4e1c74192ee2db85bf3809904687934b6e2ffb2a1469b8f6510d03d80c948b364a67ed43fd4f753b29355dcb3252ecc073bca21e2880b4254ab31e

Download Submit
C:\ProgramData\obnr\jqmvhq.exe
Filesize
203KB

MD5
40bd21b534a875137016dd1c93407366

SHA1
941dcff9464e407c060051475758f84e80998417

SHA256
8e19fd66ec247a6ef30b5596bcf5ab7d615a12f0a79739117c1c88112c43968a

SHA512
e5466a0c3b4e1c74192ee2db85bf3809904687934b6e2ffb2a1469b8f6510d03d80c948b364a67ed43fd4f753b29355dcb3252ecc073bca21e2880b4254ab31e

Download Submit
memory/1924-136-0x00000000025A5000-0x00000000025AB000-memory.dmp

Filesize
24KB

Download
memory/1924-137-0x00000000025A5000-0x00000000025AB000-memory.dmp

Filesize
24KB

Download
memory/1924-138-0x0000000000400000-0x00000000022EF000-memory.dmp

Filesize
30.9MB

Download
memory/4260-130-0x00000000026DA000-0x00000000026E0000-memory.dmp

Filesize
24KB

Download
memory/4260-131-0x00000000026DA000-0x00000000026E0000-memory.dmp

Filesize
24KB

Download
memory/4260-132-0x0000000002630000-0x0000000002639000-memory.dmp

Filesize
36KB

Download
memory/4260-133-0x0000000000400000-0x00000000022EF000-memory.dmp

Filesize
30.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads