systembc | 5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0

General

Target

5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0.exe
Size

204KB
MD5

b8127c859906ad947b89b41119b9c310
SHA1

a9a59ee98af4cdf2587c678f06325b15bbe4d3a7
SHA256

5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0
SHA512

22957031c45c0aa140b932c9118a52980ad1c9e67aeca34784cb88eea8c7b9a3fddb11ff97752b3b34bdc3cbfdff46233bb267cc8ea5e27525f923b24fa5e9f9

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

26asdcgd.com:4039

26asdcgd.xyz:4039

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

lpebjg.exe

pid process

1760 lpebjg.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 api.ipify.org
7 ip4.seeip.org
8 ip4.seeip.org
5 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1760	lpebjg.exe

flow	ioc
6	api.ipify.org
7	ip4.seeip.org
8	ip4.seeip.org
5	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0.exe

description	ioc	process
File created	C:\Windows\Tasks\lpebjg.job	5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0.exe
File opened for modification	C:\Windows\Tasks\lpebjg.job	5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0.exe

pid process

1692 5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0.exe

pid	process
1692	5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 2044 wrote to memory of 1760	2044	taskeng.exe	lpebjg.exe
PID 2044 wrote to memory of 1760	2044	taskeng.exe	lpebjg.exe
PID 2044 wrote to memory of 1760	2044	taskeng.exe	lpebjg.exe
PID 2044 wrote to memory of 1760	2044	taskeng.exe	lpebjg.exe

C:\Users\Admin\AppData\Local\Temp\5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0.exe
"C:\Users\Admin\AppData\Local\Temp\5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1692

C:\Windows\system32\taskeng.exe
taskeng.exe {19BD68C2-AE3B-4899-9B2E-6287D3693A7D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\ProgramData\ahpspxu\lpebjg.exe
C:\ProgramData\ahpspxu\lpebjg.exe start
2⤵
- Executes dropped EXE
PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Connection Proxy

1

T1090

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Connection Proxy

1

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ahpspxu\lpebjg.exe
Filesize
204KB

MD5
b8127c859906ad947b89b41119b9c310

SHA1
a9a59ee98af4cdf2587c678f06325b15bbe4d3a7

SHA256
5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0

SHA512
22957031c45c0aa140b932c9118a52980ad1c9e67aeca34784cb88eea8c7b9a3fddb11ff97752b3b34bdc3cbfdff46233bb267cc8ea5e27525f923b24fa5e9f9

Download Submit
C:\ProgramData\ahpspxu\lpebjg.exe
Filesize
204KB

MD5
b8127c859906ad947b89b41119b9c310

SHA1
a9a59ee98af4cdf2587c678f06325b15bbe4d3a7

SHA256
5106c3fc86c0d609c715e1cb9c1c61b21bf607ed6fa132601b834cf606537de0

SHA512
22957031c45c0aa140b932c9118a52980ad1c9e67aeca34784cb88eea8c7b9a3fddb11ff97752b3b34bdc3cbfdff46233bb267cc8ea5e27525f923b24fa5e9f9

Download Submit
memory/1692-54-0x00000000023DA000-0x00000000023E1000-memory.dmp

Filesize
28KB

Download
memory/1692-55-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/1692-56-0x00000000023DA000-0x00000000023E1000-memory.dmp

Filesize
28KB

Download
memory/1692-57-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/1692-58-0x0000000000400000-0x00000000022F0000-memory.dmp

Filesize
30.9MB

Download
memory/1760-60-0x0000000000000000-mapping.dmp

Download
memory/1760-64-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/1760-65-0x0000000000400000-0x00000000022F0000-memory.dmp

Filesize
30.9MB

Download

Analysis

Sharing