systembc | 09800c68e162c77868d7f4bf14cf89b63d4c3e62a3da81a21455633f469ffcdc

Resubmissions

17-04-2024 12:47

240417-p1aq3ahc4w 10

17-04-2024 12:47

17-04-2024 12:47

17-04-2024 12:46

17-04-2024 12:46

17-04-2024 06:16

Analysis

max time kernel
1800s
max time network
1803s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
17-04-2024 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09800c68e162c77868d7f4bf14cf89b63d4c3e62a3da81a21455633f469ffcdc.exe
Size

221KB
MD5

364d59e179ebcd469dce4f231789732d
SHA1

bc86ba43147fe0d301a32b66193dd2930b8af1d2
SHA256

09800c68e162c77868d7f4bf14cf89b63d4c3e62a3da81a21455633f469ffcdc
SHA512

92ae882cb803b23dc344a42b07ffcc77999f71dcd6b7bf1d2ca7e7306a7642543a2cc85f2bdf18df67151a8b2145509363b2552d4e5361715bc55b934db046fe
SSDEEP

6144:0YlvDFWQtzoa2gUayZSSnBcaa5MKmtVgykK:BNtzPqUgkNM4

Score

10^/10

systembc discovery trojan upx

Malware Config

Extracted

Family

systembc

yan0212.com:4039

yan0212.net:4039

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Contacts a large (729) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 1 IoCs

pid	Process
2572	cfhp.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000d0000000122f1-5.dat	upx

Unexpected DNS network traffic destination 2 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	88.216.223.2
Destination IP	88.216.223.5

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip4.seeip.org
5	api.ipify.org
6	api.ipify.org
7	ip4.seeip.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\cfhp.job	09800c68e162c77868d7f4bf14cf89b63d4c3e62a3da81a21455633f469ffcdc.exe
File opened for modification	C:\Windows\Tasks\cfhp.job	09800c68e162c77868d7f4bf14cf89b63d4c3e62a3da81a21455633f469ffcdc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2924	09800c68e162c77868d7f4bf14cf89b63d4c3e62a3da81a21455633f469ffcdc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2572	2524	taskeng.exe	29
PID 2524 wrote to memory of 2572	2524	taskeng.exe	29
PID 2524 wrote to memory of 2572	2524	taskeng.exe	29
PID 2524 wrote to memory of 2572	2524	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\09800c68e162c77868d7f4bf14cf89b63d4c3e62a3da81a21455633f469ffcdc.exe
"C:\Users\Admin\AppData\Local\Temp\09800c68e162c77868d7f4bf14cf89b63d4c3e62a3da81a21455633f469ffcdc.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Windows\system32\taskeng.exe
taskeng.exe {FD902CAA-C4DD-47BF-817D-505434303364} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2524
- C:\ProgramData\ojlatfj\cfhp.exe
  C:\ProgramData\ojlatfj\cfhp.exe start
  2⤵
  - Executes dropped EXE
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ojlatfj\cfhp.exe

Filesize
221KB

MD5
364d59e179ebcd469dce4f231789732d

SHA1
bc86ba43147fe0d301a32b66193dd2930b8af1d2

SHA256
09800c68e162c77868d7f4bf14cf89b63d4c3e62a3da81a21455633f469ffcdc

SHA512
92ae882cb803b23dc344a42b07ffcc77999f71dcd6b7bf1d2ca7e7306a7642543a2cc85f2bdf18df67151a8b2145509363b2552d4e5361715bc55b934db046fe

Download Submit
memory/2572-8-0x00000000002C0000-0x00000000002C9000-memory.dmp

Filesize
36KB

Download
memory/2572-10-0x0000000000400000-0x0000000004C6C000-memory.dmp

Filesize
72.4MB

Download
memory/2924-0-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/2924-1-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/2924-7-0x0000000000400000-0x0000000004C6C000-memory.dmp

Filesize
72.4MB

Download