systembc | c04fb7e860702a4c70586b4b15fb2a12a6821bf0a7e4e95dd8759ca1985c7dd6

Resubmissions

07-05-2024 12:41

240507-pw76rsgb4w 10

07-05-2024 12:41

07-05-2024 12:41

07-05-2024 12:41

07-05-2024 12:41

25-04-2024 13:13

Analysis

max time kernel
591s
max time network
596s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c04fb7e860702a4c70586b4b15fb2a12a6821bf0a7e4e95dd8759ca1985c7dd6.exe
Size

30KB
MD5

8f1bc2c9a71086445255730d272a3408
SHA1

7ab7a0e541850c5729d495097e0d7901771dc8b9
SHA256

c04fb7e860702a4c70586b4b15fb2a12a6821bf0a7e4e95dd8759ca1985c7dd6
SHA512

3dbfe018e29f014da1f6df132add029ce888d45ed5e22579c060a0a7b32f335433825c2bc41b96ebaafa2830a38bc45caaf656f6d4da67aea7698fc96a1bd6f0
SSDEEP

768:4TwkPr8C6fuFdaAna6DCPt34GuYY92rjnPoJlzcamI1:MV8C6fuFdaz6+O1n2rjnPo7

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

pzlkxadvert475.xyz:4044

pzfdmserv275.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Executes dropped EXE 1 IoCs

pid	Process
2648	gvuroxc.exe

Unexpected DNS network traffic destination 1 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description	ioc
Destination IP	88.198.207.48

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.ipify.org
5	api.ipify.org
6	ip4.seeip.org
7	ip4.seeip.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\gvuroxc.job	c04fb7e860702a4c70586b4b15fb2a12a6821bf0a7e4e95dd8759ca1985c7dd6.exe
File opened for modification	C:\Windows\Tasks\gvuroxc.job	c04fb7e860702a4c70586b4b15fb2a12a6821bf0a7e4e95dd8759ca1985c7dd6.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2700	c04fb7e860702a4c70586b4b15fb2a12a6821bf0a7e4e95dd8759ca1985c7dd6.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2648	2080	taskeng.exe	29
PID 2080 wrote to memory of 2648	2080	taskeng.exe	29
PID 2080 wrote to memory of 2648	2080	taskeng.exe	29
PID 2080 wrote to memory of 2648	2080	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\c04fb7e860702a4c70586b4b15fb2a12a6821bf0a7e4e95dd8759ca1985c7dd6.exe
"C:\Users\Admin\AppData\Local\Temp\c04fb7e860702a4c70586b4b15fb2a12a6821bf0a7e4e95dd8759ca1985c7dd6.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2700

C:\Windows\system32\taskeng.exe
taskeng.exe {242EC31B-0357-4FF0-A364-0FE80B0386D5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2080
- C:\ProgramData\wxlam\gvuroxc.exe
  C:\ProgramData\wxlam\gvuroxc.exe start
  2⤵
  - Executes dropped EXE
  PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wxlam\gvuroxc.exe

Filesize
30KB

MD5
8f1bc2c9a71086445255730d272a3408

SHA1
7ab7a0e541850c5729d495097e0d7901771dc8b9

SHA256
c04fb7e860702a4c70586b4b15fb2a12a6821bf0a7e4e95dd8759ca1985c7dd6

SHA512
3dbfe018e29f014da1f6df132add029ce888d45ed5e22579c060a0a7b32f335433825c2bc41b96ebaafa2830a38bc45caaf656f6d4da67aea7698fc96a1bd6f0

Download Submit