systembc | 91eba91d8b9f359f751e25935401f51ee6f6fb49304263050690d5079475606e

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2023 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23.exe
Size

156KB
MD5

e62582236c24973720e092adec05f8c5
SHA1

dc865394a456b89282bf248eeff3509ec0116911
SHA256

fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23
SHA512

702960c841eec4c16d4b686c1cafe42d1568e3cde1aebca4c2feaef275dc9efd5dea8e6260d4a18f92d63640bd530ccb071de42a6511a7719fbbe7ee2b9bda2a
SSDEEP

3072:SXiOd5A7ENBKYEm9/1fUQcl7XcOOILUJC2PsrZLILNNOmr:SXiEA7EfKYE6RU1AnvspsP

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

advertrex20.xyz:4044

gentexman37.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

shumf.exe

pid process

4416 shumf.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

25 api.ipify.org
26 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
4416	shumf.exe

flow	ioc
25	api.ipify.org
26	api.ipify.org

Drops file in Windows directory 2 IoCs

Processes:

fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23.exe

description	ioc	process
File created	C:\Windows\Tasks\shumf.job	fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23.exe
File opened for modification	C:\Windows\Tasks\shumf.job	fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1144 2232 WerFault.exe fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23.exe

pid	pid_target	process	target process
1144	2232	WerFault.exe	fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23.exe

pid	process
2232	fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23.exe
2232	fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23.exe

C:\Users\Admin\AppData\Local\Temp\fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23.exe
"C:\Users\Admin\AppData\Local\Temp\fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 484
2⤵
- Program crash
PID:1144

C:\ProgramData\vnicwql\shumf.exe
C:\ProgramData\vnicwql\shumf.exe start
1⤵
- Executes dropped EXE
PID:4416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2232 -ip 2232
1⤵
PID:4760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\vnicwql\shumf.exe
Filesize
156KB

MD5
e62582236c24973720e092adec05f8c5

SHA1
dc865394a456b89282bf248eeff3509ec0116911

SHA256
fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23

SHA512
702960c841eec4c16d4b686c1cafe42d1568e3cde1aebca4c2feaef275dc9efd5dea8e6260d4a18f92d63640bd530ccb071de42a6511a7719fbbe7ee2b9bda2a

Download Submit
C:\ProgramData\vnicwql\shumf.exe
Filesize
156KB

MD5
e62582236c24973720e092adec05f8c5

SHA1
dc865394a456b89282bf248eeff3509ec0116911

SHA256
fb45af7bb8ffdcddaaec2a9e88968fbcb82eaedbdf1c16a7e9ac861906a07e23

SHA512
702960c841eec4c16d4b686c1cafe42d1568e3cde1aebca4c2feaef275dc9efd5dea8e6260d4a18f92d63640bd530ccb071de42a6511a7719fbbe7ee2b9bda2a

Download Submit
memory/2232-132-0x0000000000928000-0x000000000092F000-memory.dmp

Filesize
28KB

Download
memory/2232-133-0x00000000024C0000-0x00000000024C9000-memory.dmp

Filesize
36KB

Download
memory/2232-134-0x0000000000400000-0x00000000008C6000-memory.dmp

Filesize
4.8MB

Download
memory/2232-139-0x0000000000928000-0x000000000092F000-memory.dmp

Filesize
28KB

Download
memory/2232-140-0x0000000000400000-0x00000000008C6000-memory.dmp

Filesize
4.8MB

Download
memory/4416-137-0x0000000000A82000-0x0000000000A89000-memory.dmp

Filesize
28KB

Download
memory/4416-138-0x0000000000400000-0x00000000008C6000-memory.dmp

Filesize
4.8MB

Download