systembc | 7616efcd937ca8fd237f3afa86aea2294844d00cd1100b75660b4925ad88924b

Resubmissions

09-04-2024 15:25

240409-stwazaeb2v 10

09-04-2024 15:25

09-04-2024 15:25

09-04-2024 15:25

13-01-2023 16:48

Analysis

max time kernel
142s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
13-01-2023 16:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a95c29de8321dd4dc8b9676ec640e7b3.exe
Size

32KB
MD5

a95c29de8321dd4dc8b9676ec640e7b3
SHA1

d9ef0d8e14ddba29ab8e39779e616344440d8f75
SHA256

7616efcd937ca8fd237f3afa86aea2294844d00cd1100b75660b4925ad88924b
SHA512

d6ee8ea621bd1a0de0046773459316eec5a4f04077f90002d48f997e64758cf6fea7d80e4e7337dc95a4827233f0da937fb9228d5a15867043d097ee73da6acf
SSDEEP

768:3Ta1PsXQ0yVmQvcs27NOJtyuv09gnoJCvcror:SsXQ0yVN2gV0Gno

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

dec15coma.com:4039

dec15coma.xyz:4039

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

itju.exe

pid process

968 itju.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 ip4.seeip.org
5 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
968	itju.exe

flow	ioc
7	ip4.seeip.org
5	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

a95c29de8321dd4dc8b9676ec640e7b3.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\itju.job	a95c29de8321dd4dc8b9676ec640e7b3.exe
File created	C:\Windows\Tasks\itju.job	a95c29de8321dd4dc8b9676ec640e7b3.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

a95c29de8321dd4dc8b9676ec640e7b3.exe

pid process

1532 a95c29de8321dd4dc8b9676ec640e7b3.exe

pid	process
1532	a95c29de8321dd4dc8b9676ec640e7b3.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 732 wrote to memory of 968	732	taskeng.exe	itju.exe
PID 732 wrote to memory of 968	732	taskeng.exe	itju.exe
PID 732 wrote to memory of 968	732	taskeng.exe	itju.exe
PID 732 wrote to memory of 968	732	taskeng.exe	itju.exe

C:\Users\Admin\AppData\Local\Temp\a95c29de8321dd4dc8b9676ec640e7b3.exe
"C:\Users\Admin\AppData\Local\Temp\a95c29de8321dd4dc8b9676ec640e7b3.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1532

C:\Windows\system32\taskeng.exe
taskeng.exe {5C2039F5-D15A-4A96-8258-A76983A205BD} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:732

C:\ProgramData\cgjc\itju.exe
C:\ProgramData\cgjc\itju.exe start
2⤵
- Executes dropped EXE
PID:968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cgjc\itju.exe
Filesize
32KB

MD5
a95c29de8321dd4dc8b9676ec640e7b3

SHA1
d9ef0d8e14ddba29ab8e39779e616344440d8f75

SHA256
7616efcd937ca8fd237f3afa86aea2294844d00cd1100b75660b4925ad88924b

SHA512
d6ee8ea621bd1a0de0046773459316eec5a4f04077f90002d48f997e64758cf6fea7d80e4e7337dc95a4827233f0da937fb9228d5a15867043d097ee73da6acf

Download Submit
C:\ProgramData\cgjc\itju.exe
Filesize
32KB

MD5
a95c29de8321dd4dc8b9676ec640e7b3

SHA1
d9ef0d8e14ddba29ab8e39779e616344440d8f75

SHA256
7616efcd937ca8fd237f3afa86aea2294844d00cd1100b75660b4925ad88924b

SHA512
d6ee8ea621bd1a0de0046773459316eec5a4f04077f90002d48f997e64758cf6fea7d80e4e7337dc95a4827233f0da937fb9228d5a15867043d097ee73da6acf

Download Submit
memory/968-56-0x0000000000000000-mapping.dmp

Download
memory/1532-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download