systembc | c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b

General

Target

c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe
Size

129KB
MD5

97df61f72744b694bc0ce16556510b83
SHA1

b6c9484e550f8f4ff3155c5ed8ae4a8e3422018c
SHA256

c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b
SHA512

610a3b2b253d7e34c2091250354d9d08b524d8da3836ca75d96af2562551176a9e85fdb02d6ed6aeb417c84b19c1cdea9a4b9644136f3c4ed3bfb554e5f81486

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

dasd13d.com:4035

dasd13d.xyz:4035

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

pvjcuvw.exe

pid process

1496 pvjcuvw.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
6 ip4.seeip.org
7 ip4.seeip.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1496	pvjcuvw.exe

flow	ioc
4	api.ipify.org
5	api.ipify.org
6	ip4.seeip.org
7	ip4.seeip.org

Drops file in Windows directory 2 IoCs

Processes:

c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe

description	ioc	process
File created	C:\Windows\Tasks\pvjcuvw.job	c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe
File opened for modification	C:\Windows\Tasks\pvjcuvw.job	c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe

pid process

1668 c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe

pid	process
1668	c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1500 wrote to memory of 1496	1500	taskeng.exe	pvjcuvw.exe
PID 1500 wrote to memory of 1496	1500	taskeng.exe	pvjcuvw.exe
PID 1500 wrote to memory of 1496	1500	taskeng.exe	pvjcuvw.exe
PID 1500 wrote to memory of 1496	1500	taskeng.exe	pvjcuvw.exe

C:\Users\Admin\AppData\Local\Temp\c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe
"C:\Users\Admin\AppData\Local\Temp\c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1668

C:\Windows\system32\taskeng.exe
taskeng.exe {72214483-2411-4E30-9A20-CDA546606628} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1500

C:\ProgramData\uxjukp\pvjcuvw.exe
C:\ProgramData\uxjukp\pvjcuvw.exe start
2⤵
- Executes dropped EXE
PID:1496

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

1

T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\uxjukp\pvjcuvw.exe
Filesize
129KB

MD5
97df61f72744b694bc0ce16556510b83

SHA1
b6c9484e550f8f4ff3155c5ed8ae4a8e3422018c

SHA256
c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b

SHA512
610a3b2b253d7e34c2091250354d9d08b524d8da3836ca75d96af2562551176a9e85fdb02d6ed6aeb417c84b19c1cdea9a4b9644136f3c4ed3bfb554e5f81486

Download Submit
C:\ProgramData\uxjukp\pvjcuvw.exe
Filesize
129KB

MD5
97df61f72744b694bc0ce16556510b83

SHA1
b6c9484e550f8f4ff3155c5ed8ae4a8e3422018c

SHA256
c6796f4e5a17fb9ce0e1d33b9d767fbed5a4c43e65e2741af09015cb23932d2b

SHA512
610a3b2b253d7e34c2091250354d9d08b524d8da3836ca75d96af2562551176a9e85fdb02d6ed6aeb417c84b19c1cdea9a4b9644136f3c4ed3bfb554e5f81486

Download Submit
memory/1496-59-0x0000000000000000-mapping.dmp

Download
memory/1496-62-0x00000000009EB000-0x00000000009F2000-memory.dmp

Filesize
28KB

Download
memory/1496-63-0x0000000000400000-0x00000000008BF000-memory.dmp

Filesize
4.7MB

Download
memory/1668-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download
memory/1668-56-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1668-55-0x0000000000AAB000-0x0000000000AB2000-memory.dmp

Filesize
28KB

Download
memory/1668-57-0x0000000000400000-0x00000000008BF000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing