Malware Analysis Report

2025-04-03 09:42

Sample ID 230402-jm4jbsfc63
Target cc4f80bbbd81cf14599c74e9f8e970ac.exe
SHA256 1dc9a3c5d28e2e20b5bbbfd229a356ec88364280fa19ecdf0882a9533e7de3b3
Tags
systembc trojan
score
10/10

Analysis Overview

score
10/10

SHA256

1dc9a3c5d28e2e20b5bbbfd229a356ec88364280fa19ecdf0882a9533e7de3b3

Threat Level: Known bad

The file cc4f80bbbd81cf14599c74e9f8e970ac.exe was found to be: Known bad.

Malicious Activity Summary

systembc trojan

SystemBC

Executes dropped EXE

Looks up external IP address via web service

Uses Tor communications

Drops file in Windows directory

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-02 07:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-02 07:48

Reported

2023-04-02 07:50

Platform

win7-20230220-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe"

Signatures

SystemBC

trojan systembc

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\raawsd\egwokjj.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A ip4.seeip.org N/A N/A

Uses Tor communications

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\egwokjj.job C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe N/A
File opened for modification C:\Windows\Tasks\egwokjj.job C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1196 wrote to memory of 1728 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\raawsd\egwokjj.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe

"C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {DEE23502-ADA1-4D62-8FAC-EE2E0806EDB9} S-1-5-18:NT AUTHORITY\System:Service:

C:\ProgramData\raawsd\egwokjj.exe

C:\ProgramData\raawsd\egwokjj.exe start

Network

Country Destination Domain Proto

Files

memory/1676-55-0x0000000000020000-0x0000000000029000-memory.dmp

memory/1676-56-0x0000000000400000-0x0000000003314000-memory.dmp

C:\ProgramData\raawsd\egwokjj.exe

MD5 cc4f80bbbd81cf14599c74e9f8e970ac
SHA1 c73b8e764bd16cc885143dee674a18ac98a1199c
SHA256 1dc9a3c5d28e2e20b5bbbfd229a356ec88364280fa19ecdf0882a9533e7de3b3
SHA512 74beb8e33636186fec989c47e7a91f6d1a33acf450557bf1188b4160b841ededed890fb0ccbb04ffc80d4aecc463da4ac70e224b2b4e762eaa5520003f7cfd5a

memory/1728-70-0x0000000000400000-0x0000000003314000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-02 07:48

Reported

2023-04-02 07:50

Platform

win10v2004-20230220-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe"

Signatures

SystemBC

trojan systembc

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\cpij\bntfgfs.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Uses Tor communications

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\bntfgfs.job C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe N/A
File opened for modification C:\Windows\Tasks\bntfgfs.job C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe

"C:\Users\Admin\AppData\Local\Temp\cc4f80bbbd81cf14599c74e9f8e970ac.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4236 -ip 4236

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 944

C:\ProgramData\cpij\bntfgfs.exe

C:\ProgramData\cpij\bntfgfs.exe start

Network

Country Destination Domain Proto

Files

memory/4236-134-0x0000000000030000-0x0000000000039000-memory.dmp

memory/4236-135-0x0000000000400000-0x0000000003314000-memory.dmp

C:\ProgramData\cpij\bntfgfs.exe

MD5 cc4f80bbbd81cf14599c74e9f8e970ac
SHA1 c73b8e764bd16cc885143dee674a18ac98a1199c
SHA256 1dc9a3c5d28e2e20b5bbbfd229a356ec88364280fa19ecdf0882a9533e7de3b3
SHA512 74beb8e33636186fec989c47e7a91f6d1a33acf450557bf1188b4160b841ededed890fb0ccbb04ffc80d4aecc463da4ac70e224b2b4e762eaa5520003f7cfd5a

memory/3132-149-0x0000000000400000-0x0000000003314000-memory.dmp