systembc | 399d335502736eef61d1377630acc60bc88d5857e13a4500e3175a0a70dd1152

Analysis

max time kernel
120s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d57aaeb136d7e63d4a390c0a031f300N.exe
Size

1.0MB
MD5

5d57aaeb136d7e63d4a390c0a031f300
SHA1

91dfc3a88b14597d0834451df07bd4af7716c7b3
SHA256

399d335502736eef61d1377630acc60bc88d5857e13a4500e3175a0a70dd1152
SHA512

b1f1e437e6df82a0429c0c8467b8b221c10284bc423555d2e025224c2e8deb7af468573a9202d599bc914e1b143c841d65178e09d2a0e4fadd1e030a6a92c78c
SSDEEP

6144:X9mI/A/bpCQqR5yqL5pbqD8T/ruThC711qC711f:X9ro/4QqLrqDC/ru8PDPf

Score

10^/10

systembc discovery trojan

Malware Config

Extracted

Family

systembc

yan0212.com:4039

yan0212.net:4039

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Executes dropped EXE 1 IoCs

pid	Process
5088	avhqqm.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	api.ipify.org
31	api.ipify.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\avhqqm.job	5d57aaeb136d7e63d4a390c0a031f300N.exe
File opened for modification	C:\Windows\Tasks\avhqqm.job	5d57aaeb136d7e63d4a390c0a031f300N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3212	5052	WerFault.exe	90

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5d57aaeb136d7e63d4a390c0a031f300N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	avhqqm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5052	5d57aaeb136d7e63d4a390c0a031f300N.exe
5052	5d57aaeb136d7e63d4a390c0a031f300N.exe

C:\Users\Admin\AppData\Local\Temp\5d57aaeb136d7e63d4a390c0a031f300N.exe
"C:\Users\Admin\AppData\Local\Temp\5d57aaeb136d7e63d4a390c0a031f300N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5052
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5052 -s 948
  2⤵
  - Program crash
  PID:3212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3824,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:8
1⤵
PID:4588

C:\ProgramData\ubdfhik\avhqqm.exe
C:\ProgramData\ubdfhik\avhqqm.exe start
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5052 -ip 5052
1⤵
PID:3300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ubdfhik\avhqqm.exe

Filesize
1.0MB

MD5
5d57aaeb136d7e63d4a390c0a031f300

SHA1
91dfc3a88b14597d0834451df07bd4af7716c7b3

SHA256
399d335502736eef61d1377630acc60bc88d5857e13a4500e3175a0a70dd1152

SHA512
b1f1e437e6df82a0429c0c8467b8b221c10284bc423555d2e025224c2e8deb7af468573a9202d599bc914e1b143c841d65178e09d2a0e4fadd1e030a6a92c78c

Download Submit
memory/5052-2-0x0000000004880000-0x0000000004980000-memory.dmp

Filesize
1024KB

Download
memory/5052-3-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/5052-4-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5052-0-0x0000000000400000-0x00000000045E6000-memory.dmp

Filesize
65.9MB

Download
memory/5052-5-0x0000000004880000-0x0000000004980000-memory.dmp

Filesize
1024KB

Download
memory/5052-6-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/5052-9-0x0000000000400000-0x00000000045E6000-memory.dmp

Filesize
65.9MB

Download
memory/5052-27-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/5052-26-0x0000000000400000-0x00000000045E6000-memory.dmp

Filesize
65.9MB

Download
memory/5088-16-0x0000000000400000-0x00000000045E6000-memory.dmp

Filesize
65.9MB

Download