systembc | 365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08

Resubmissions

17/04/2024, 09:29

240417-lf1vzaah95 10

17/04/2024, 09:29

17/04/2024, 09:29

17/04/2024, 09:28

17/04/2024, 09:28

16/04/2024, 13:46

Analysis

max time kernel
1789s
max time network
1792s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17/04/2024, 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe
Size

30KB
MD5

2ad2c7b5700f4246447b90f07ec5359b
SHA1

e9bf283f6dba0c0707a748fbd4a7c6f0c330f7d7
SHA256

365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08
SHA512

625090c4b634c6d95b08bc8965d7445307c242ca9d6fb9e17cf402e82de317c33b21a3a894ec9ff12fbffa2c4fd17d7647c5db3414b81c6f48f565dd2257214c
SSDEEP

768:j4Fd5REMkNoYKNen9OztmVWj9n52yoJImwJcaP:+1EMkNoxMgYVen0yoif

Score

10^/10

systembc discovery trojan

Malware Config

Extracted

Family

systembc

gmstar23.xyz:4044

scgsdstat14tp.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Contacts a large (812) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 1 IoCs

pid	Process
2632	qninnur.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	88.216.223.3

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.ipify.org
6	api.ipify.org
7	ip4.seeip.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\qninnur.job	365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe
File opened for modification	C:\Windows\Tasks\qninnur.job	365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2236	365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2632	2532	taskeng.exe	29
PID 2532 wrote to memory of 2632	2532	taskeng.exe	29
PID 2532 wrote to memory of 2632	2532	taskeng.exe	29
PID 2532 wrote to memory of 2632	2532	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe
"C:\Users\Admin\AppData\Local\Temp\365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2236

C:\Windows\system32\taskeng.exe
taskeng.exe {CA409404-58A5-4513-AEE8-E12D4B94187E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2532
- C:\ProgramData\umthi\qninnur.exe
  C:\ProgramData\umthi\qninnur.exe start
  2⤵
  - Executes dropped EXE
  PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\umthi\qninnur.exe

Filesize
30KB

MD5
2ad2c7b5700f4246447b90f07ec5359b

SHA1
e9bf283f6dba0c0707a748fbd4a7c6f0c330f7d7

SHA256
365d71d6a6fbc9bbb7efee8d4dd142555708c43b93721f86bbdf1f2f42cd6b08

SHA512
625090c4b634c6d95b08bc8965d7445307c242ca9d6fb9e17cf402e82de317c33b21a3a894ec9ff12fbffa2c4fd17d7647c5db3414b81c6f48f565dd2257214c

Download Submit