systembc | c04fb7e860702a4c70586b4b15fb2a12a6821bf0a7e4e95dd8759ca1985c7dd6

Resubmissions

07-05-2024 12:41

240507-pw76rsgb4w 10

07-05-2024 12:41

07-05-2024 12:41

07-05-2024 12:41

07-05-2024 12:41

25-04-2024 13:13

Analysis

max time kernel
299s
max time network
303s
platform
windows11-21h2_x64
resource
win11-20240412-en
resource tags

arch:x64arch:x86image:win11-20240412-enlocale:en-usos:windows11-21h2-x64system
submitted
25-04-2024 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c04fb7e860702a4c70586b4b15fb2a12a6821bf0a7e4e95dd8759ca1985c7dd6.exe
Size

30KB
MD5

8f1bc2c9a71086445255730d272a3408
SHA1

7ab7a0e541850c5729d495097e0d7901771dc8b9
SHA256

c04fb7e860702a4c70586b4b15fb2a12a6821bf0a7e4e95dd8759ca1985c7dd6
SHA512

3dbfe018e29f014da1f6df132add029ce888d45ed5e22579c060a0a7b32f335433825c2bc41b96ebaafa2830a38bc45caaf656f6d4da67aea7698fc96a1bd6f0
SSDEEP

768:4TwkPr8C6fuFdaAna6DCPt34GuYY92rjnPoJlzcamI1:MV8C6fuFdaz6+O1n2rjnPo7

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

pzlkxadvert475.xyz:4044

pzfdmserv275.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Executes dropped EXE 1 IoCs

pid	Process
4988	tpjcnxc.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	api.ipify.org
2	api.ipify.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\tpjcnxc.job	c04fb7e860702a4c70586b4b15fb2a12a6821bf0a7e4e95dd8759ca1985c7dd6.exe
File created	C:\Windows\Tasks\tpjcnxc.job	c04fb7e860702a4c70586b4b15fb2a12a6821bf0a7e4e95dd8759ca1985c7dd6.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2548	c04fb7e860702a4c70586b4b15fb2a12a6821bf0a7e4e95dd8759ca1985c7dd6.exe
2548	c04fb7e860702a4c70586b4b15fb2a12a6821bf0a7e4e95dd8759ca1985c7dd6.exe

C:\Users\Admin\AppData\Local\Temp\c04fb7e860702a4c70586b4b15fb2a12a6821bf0a7e4e95dd8759ca1985c7dd6.exe
"C:\Users\Admin\AppData\Local\Temp\c04fb7e860702a4c70586b4b15fb2a12a6821bf0a7e4e95dd8759ca1985c7dd6.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2548

C:\ProgramData\kqktw\tpjcnxc.exe
C:\ProgramData\kqktw\tpjcnxc.exe start
1⤵
- Executes dropped EXE
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kqktw\tpjcnxc.exe

Filesize
30KB

MD5
8f1bc2c9a71086445255730d272a3408

SHA1
7ab7a0e541850c5729d495097e0d7901771dc8b9

SHA256
c04fb7e860702a4c70586b4b15fb2a12a6821bf0a7e4e95dd8759ca1985c7dd6

SHA512
3dbfe018e29f014da1f6df132add029ce888d45ed5e22579c060a0a7b32f335433825c2bc41b96ebaafa2830a38bc45caaf656f6d4da67aea7698fc96a1bd6f0

Download Submit