systembc | 98de0d13399818c6582fcce361f3768072362b657f1177a46f639b149ff981d8

General

Target

98de0d13399818c6582fcce361f3768072362b657f1177a46f639b149ff981d8.exe
Size

137KB
MD5

c684031ab0b9aab1f82ec9cf2e52ae18
SHA1

18af53cd6dc37bd5b1963dcf0562d4b98f6aa466
SHA256

98de0d13399818c6582fcce361f3768072362b657f1177a46f639b149ff981d8
SHA512

e78f5f8e917f3dd85e7cf2df43b2af4882118bd37cc04b56e660700011f1863c0580b4e6d797fee55fab2caeca55a92ba205da651707fa9b519a8e497fd156a5

Score

10^/10

systembc trojan upx

Malware Config

Extracted

Family

systembc

C2

admex175x.xyz:4044

servx278x.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

xckux.exe

pid process

932 xckux.exe

pid	process
932	xckux.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\imll\xckux.exe	upx
C:\ProgramData\imll\xckux.exe	upx

Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.ipify.org
5 api.ipify.org
6 ip4.seeip.org
7 ip4.seeip.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

flow	ioc
4	api.ipify.org
5	api.ipify.org
6	ip4.seeip.org
7	ip4.seeip.org

Drops file in Windows directory 2 IoCs

Processes:

98de0d13399818c6582fcce361f3768072362b657f1177a46f639b149ff981d8.exe

description	ioc	process
File created	C:\Windows\Tasks\xckux.job	98de0d13399818c6582fcce361f3768072362b657f1177a46f639b149ff981d8.exe
File opened for modification	C:\Windows\Tasks\xckux.job	98de0d13399818c6582fcce361f3768072362b657f1177a46f639b149ff981d8.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

98de0d13399818c6582fcce361f3768072362b657f1177a46f639b149ff981d8.exe

pid process

784 98de0d13399818c6582fcce361f3768072362b657f1177a46f639b149ff981d8.exe

pid	process
784	98de0d13399818c6582fcce361f3768072362b657f1177a46f639b149ff981d8.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 876 wrote to memory of 932	876	taskeng.exe	xckux.exe
PID 876 wrote to memory of 932	876	taskeng.exe	xckux.exe
PID 876 wrote to memory of 932	876	taskeng.exe	xckux.exe
PID 876 wrote to memory of 932	876	taskeng.exe	xckux.exe

C:\Users\Admin\AppData\Local\Temp\98de0d13399818c6582fcce361f3768072362b657f1177a46f639b149ff981d8.exe
"C:\Users\Admin\AppData\Local\Temp\98de0d13399818c6582fcce361f3768072362b657f1177a46f639b149ff981d8.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:784

C:\Windows\system32\taskeng.exe
taskeng.exe {BE1723DA-9D7F-4577-BEC0-5EC39B076573} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:876

C:\ProgramData\imll\xckux.exe
C:\ProgramData\imll\xckux.exe start
2⤵
- Executes dropped EXE
PID:932

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

1

T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\imll\xckux.exe
Filesize
137KB

MD5
c684031ab0b9aab1f82ec9cf2e52ae18

SHA1
18af53cd6dc37bd5b1963dcf0562d4b98f6aa466

SHA256
98de0d13399818c6582fcce361f3768072362b657f1177a46f639b149ff981d8

SHA512
e78f5f8e917f3dd85e7cf2df43b2af4882118bd37cc04b56e660700011f1863c0580b4e6d797fee55fab2caeca55a92ba205da651707fa9b519a8e497fd156a5

Download Submit
C:\ProgramData\imll\xckux.exe
Filesize
137KB

MD5
c684031ab0b9aab1f82ec9cf2e52ae18

SHA1
18af53cd6dc37bd5b1963dcf0562d4b98f6aa466

SHA256
98de0d13399818c6582fcce361f3768072362b657f1177a46f639b149ff981d8

SHA512
e78f5f8e917f3dd85e7cf2df43b2af4882118bd37cc04b56e660700011f1863c0580b4e6d797fee55fab2caeca55a92ba205da651707fa9b519a8e497fd156a5

Download Submit
memory/784-54-0x0000000075701000-0x0000000075703000-memory.dmp

Filesize
8KB

Download
memory/784-56-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/784-55-0x0000000004EDA000-0x0000000004EE0000-memory.dmp

Filesize
24KB

Download
memory/784-57-0x0000000000400000-0x0000000004D7C000-memory.dmp

Filesize
73.5MB

Download
memory/932-59-0x0000000000000000-mapping.dmp

Download
memory/932-62-0x0000000004E4A000-0x0000000004E50000-memory.dmp

Filesize
24KB

Download
memory/932-63-0x0000000000400000-0x0000000004D7C000-memory.dmp

Filesize
73.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads