systembc | 23f66ece38393f81fc1f892c9243cebb6e5412b95629cc07fa83065f5b5a3e02

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
08-02-2023 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40753d4f4ba5863be3aaaa38cd50995a.exe
Size

114KB
MD5

40753d4f4ba5863be3aaaa38cd50995a
SHA1

cb58f6a57ecd27e7380e0f38dedb621d7d161e19
SHA256

23f66ece38393f81fc1f892c9243cebb6e5412b95629cc07fa83065f5b5a3e02
SHA512

7a458e629b22a0d62b9b34df9e04e40eca88ebc8f4067f42f83a0a1d6812cf56635c3d17c48b5ef97ea900c439ab30d32c5307ce6bfee7842b2202e3e1a831ad
SSDEEP

1536:hGFLBB4S2zN22dyPPVHbPa3bjCY0X+9hGUhW5jSVM3JdT4AFuxbUS:hGFLBb2o+3CXXE1W520JdMAFuxbU

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

winstationsocks.com:4124

winstationsocks.xyz:4124

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

nnigtj.exe

pid process

1492 nnigtj.exe
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.ipify.org
4 api.ipify.org
5 ip4.seeip.org
6 ip4.seeip.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Connection Proxy
T1090

pid	process
1492	nnigtj.exe

flow	ioc
3	api.ipify.org
4	api.ipify.org
5	ip4.seeip.org
6	ip4.seeip.org

Drops file in Windows directory 2 IoCs

Processes:

40753d4f4ba5863be3aaaa38cd50995a.exe

description	ioc	process
File created	C:\Windows\Tasks\nnigtj.job	40753d4f4ba5863be3aaaa38cd50995a.exe
File opened for modification	C:\Windows\Tasks\nnigtj.job	40753d4f4ba5863be3aaaa38cd50995a.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

40753d4f4ba5863be3aaaa38cd50995a.exe

pid process

2040 40753d4f4ba5863be3aaaa38cd50995a.exe

pid	process
2040	40753d4f4ba5863be3aaaa38cd50995a.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1056 wrote to memory of 1492	1056	taskeng.exe	nnigtj.exe
PID 1056 wrote to memory of 1492	1056	taskeng.exe	nnigtj.exe
PID 1056 wrote to memory of 1492	1056	taskeng.exe	nnigtj.exe
PID 1056 wrote to memory of 1492	1056	taskeng.exe	nnigtj.exe

C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe
"C:\Users\Admin\AppData\Local\Temp\40753d4f4ba5863be3aaaa38cd50995a.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2040

C:\Windows\system32\taskeng.exe
taskeng.exe {979C1381-9E32-4842-BF1D-152D40824640} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\ProgramData\xwfbubo\nnigtj.exe
C:\ProgramData\xwfbubo\nnigtj.exe start
2⤵
- Executes dropped EXE
PID:1492

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Connection Proxy

T1090

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\xwfbubo\nnigtj.exe
Filesize
114KB

MD5
40753d4f4ba5863be3aaaa38cd50995a

SHA1
cb58f6a57ecd27e7380e0f38dedb621d7d161e19

SHA256
23f66ece38393f81fc1f892c9243cebb6e5412b95629cc07fa83065f5b5a3e02

SHA512
7a458e629b22a0d62b9b34df9e04e40eca88ebc8f4067f42f83a0a1d6812cf56635c3d17c48b5ef97ea900c439ab30d32c5307ce6bfee7842b2202e3e1a831ad

Download Submit
C:\ProgramData\xwfbubo\nnigtj.exe
Filesize
114KB

MD5
40753d4f4ba5863be3aaaa38cd50995a

SHA1
cb58f6a57ecd27e7380e0f38dedb621d7d161e19

SHA256
23f66ece38393f81fc1f892c9243cebb6e5412b95629cc07fa83065f5b5a3e02

SHA512
7a458e629b22a0d62b9b34df9e04e40eca88ebc8f4067f42f83a0a1d6812cf56635c3d17c48b5ef97ea900c439ab30d32c5307ce6bfee7842b2202e3e1a831ad

Download Submit
memory/1492-64-0x00000000009A8000-0x00000000009AF000-memory.dmp

Filesize
28KB

Download
memory/1492-60-0x0000000000000000-mapping.dmp

Download
memory/1492-62-0x00000000009A8000-0x00000000009AF000-memory.dmp

Filesize
28KB

Download
memory/1492-65-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/1492-67-0x00000000009A8000-0x00000000009AF000-memory.dmp

Filesize
28KB

Download
memory/2040-56-0x00000000002C8000-0x00000000002CF000-memory.dmp

Filesize
28KB

Download
memory/2040-58-0x0000000000400000-0x0000000000854000-memory.dmp

Filesize
4.3MB

Download
memory/2040-57-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2040-55-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/2040-54-0x00000000002C8000-0x00000000002CF000-memory.dmp

Filesize
28KB

Download
memory/2040-66-0x00000000002C8000-0x00000000002CF000-memory.dmp

Filesize
28KB

Download
memory/2040-68-0x00000000002C8000-0x00000000002CF000-memory.dmp

Filesize
28KB

Download