systembc | 7c05833514baa8de4f997a7fcb04096316f2fb44d77fcc0951bb50adbf8d58f5

Resubmissions

17/04/2024, 09:26

240417-lee7waah53 10

17/04/2024, 09:26

17/04/2024, 09:26

17/04/2024, 09:26

17/04/2024, 09:26

16/04/2024, 13:38

Analysis

max time kernel
294s
max time network
301s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c05833514baa8de4f997a7fcb04096316f2fb44d77fcc0951bb50adbf8d58f5.exe
Size

1.0MB
MD5

0a286d2f6060a92d15ddfd03063a1486
SHA1

172ae7b2059b420c463daf8ca58a55d8ab500d5c
SHA256

7c05833514baa8de4f997a7fcb04096316f2fb44d77fcc0951bb50adbf8d58f5
SHA512

bdcccaf8f7636bb54d74d1a1ead3288234a787c3b6d9c3d96e3584fc520088c97c98130e8fe030a1ee9551376b270f0ee5c6e53dd44581850e73abc9493d4cc7
SSDEEP

6144:X9mI/A/bpCQqR5yqL5pbqD8T/ruThC711qC711Q:X9ro/4QqLrqDC/ru8PDPQ

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

yan0212.com:4039

yan0212.net:4039

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Executes dropped EXE 1 IoCs

pid	Process
2392	nlju.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	88.198.207.48

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip4.seeip.org
8	ip4.seeip.org
5	api.ipify.org
6	api.ipify.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\nlju.job	7c05833514baa8de4f997a7fcb04096316f2fb44d77fcc0951bb50adbf8d58f5.exe
File created	C:\Windows\Tasks\nlju.job	7c05833514baa8de4f997a7fcb04096316f2fb44d77fcc0951bb50adbf8d58f5.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2348	7c05833514baa8de4f997a7fcb04096316f2fb44d77fcc0951bb50adbf8d58f5.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2392	2520	taskeng.exe	29
PID 2520 wrote to memory of 2392	2520	taskeng.exe	29
PID 2520 wrote to memory of 2392	2520	taskeng.exe	29
PID 2520 wrote to memory of 2392	2520	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\7c05833514baa8de4f997a7fcb04096316f2fb44d77fcc0951bb50adbf8d58f5.exe
"C:\Users\Admin\AppData\Local\Temp\7c05833514baa8de4f997a7fcb04096316f2fb44d77fcc0951bb50adbf8d58f5.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2348

C:\Windows\system32\taskeng.exe
taskeng.exe {1CB16B23-3DB8-4C5D-8576-2400E1FD8FEF} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2520
- C:\ProgramData\muxcf\nlju.exe
  C:\ProgramData\muxcf\nlju.exe start
  2⤵
  - Executes dropped EXE
  PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\muxcf\nlju.exe

Filesize
1.0MB

MD5
0a286d2f6060a92d15ddfd03063a1486

SHA1
172ae7b2059b420c463daf8ca58a55d8ab500d5c

SHA256
7c05833514baa8de4f997a7fcb04096316f2fb44d77fcc0951bb50adbf8d58f5

SHA512
bdcccaf8f7636bb54d74d1a1ead3288234a787c3b6d9c3d96e3584fc520088c97c98130e8fe030a1ee9551376b270f0ee5c6e53dd44581850e73abc9493d4cc7

Download Submit
memory/2348-0-0x0000000000400000-0x00000000045E6000-memory.dmp

Filesize
65.9MB

Download
memory/2348-2-0x00000000046F0000-0x00000000047F0000-memory.dmp

Filesize
1024KB

Download
memory/2348-3-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2348-11-0x0000000000400000-0x00000000045E6000-memory.dmp

Filesize
65.9MB

Download
memory/2348-16-0x00000000046F0000-0x00000000047F0000-memory.dmp

Filesize
1024KB

Download
memory/2392-12-0x0000000004710000-0x0000000004810000-memory.dmp

Filesize
1024KB

Download
memory/2392-13-0x0000000000020000-0x0000000000029000-memory.dmp

Filesize
36KB

Download
memory/2392-15-0x0000000000400000-0x00000000045E6000-memory.dmp

Filesize
65.9MB

Download
memory/2392-19-0x0000000004710000-0x0000000004810000-memory.dmp

Filesize
1024KB

Download