systembc | ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e

General

Target

ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe
Size

87KB
MD5

5781e34d8a456b34ad9d8f7ed8bf9453
SHA1

778cdb0dfbfc4651cedaa985505dd28a33d190aa
SHA256

ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e
SHA512

e925c9b9c06249b12d4eaea21c9458668e57d2a7cb9f87625f8a10468ec6e4f70cf97b4e9a63299c939a16b546a6d28bb180b0c5b6de45b3739c002920989af3

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

asdasd08.com:4039

asdasd08.xyz:4039

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata: ET MALWARE Observed SystemBC CnC Domain in DNS Query
suricata
Executes dropped EXE 1 IoCs

Processes:

svwof.exe

pid process

3492 svwof.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

36 api.ipify.org
37 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
3492	svwof.exe

flow	ioc
36	api.ipify.org
37	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe

description	ioc	process
File created	C:\Windows\Tasks\svwof.job	ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe
File opened for modification	C:\Windows\Tasks\svwof.job	ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2484 4464 WerFault.exe ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe

pid	pid_target	process	target process
2484	4464	WerFault.exe	ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe

pid	process
4464	ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe
4464	ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe

C:\Users\Admin\AppData\Local\Temp\ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe
"C:\Users\Admin\AppData\Local\Temp\ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4464 -s 936
2⤵
- Program crash
PID:2484

C:\ProgramData\ofukds\svwof.exe
C:\ProgramData\ofukds\svwof.exe start
1⤵
- Executes dropped EXE
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4464 -ip 4464
1⤵
PID:3424

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

1

T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ofukds\svwof.exe
Filesize
87KB

MD5
5781e34d8a456b34ad9d8f7ed8bf9453

SHA1
778cdb0dfbfc4651cedaa985505dd28a33d190aa

SHA256
ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e

SHA512
e925c9b9c06249b12d4eaea21c9458668e57d2a7cb9f87625f8a10468ec6e4f70cf97b4e9a63299c939a16b546a6d28bb180b0c5b6de45b3739c002920989af3

Download Submit
C:\ProgramData\ofukds\svwof.exe
Filesize
87KB

MD5
5781e34d8a456b34ad9d8f7ed8bf9453

SHA1
778cdb0dfbfc4651cedaa985505dd28a33d190aa

SHA256
ec7b2cd04228626c74372d58aa236b765d254afa4ec47723c514f256dde1750e

SHA512
e925c9b9c06249b12d4eaea21c9458668e57d2a7cb9f87625f8a10468ec6e4f70cf97b4e9a63299c939a16b546a6d28bb180b0c5b6de45b3739c002920989af3

Download Submit
memory/3492-135-0x0000000003272000-0x0000000003279000-memory.dmp

Filesize
28KB

Download
memory/3492-136-0x00000000030F0000-0x00000000030F9000-memory.dmp

Filesize
36KB

Download
memory/3492-137-0x0000000000400000-0x0000000002FA1000-memory.dmp

Filesize
43.6MB

Download
memory/4464-130-0x0000000003029000-0x0000000003030000-memory.dmp

Filesize
28KB

Download
memory/4464-131-0x0000000003120000-0x0000000003129000-memory.dmp

Filesize
36KB

Download
memory/4464-132-0x0000000000400000-0x0000000002FA1000-memory.dmp

Filesize
43.6MB

Download

Analysis

Sharing