systembc | 1f65b5b41f6821ecb05aa14f391939ad2d527c7b1b48c377a5a4647051c5ae84

General

Target

soc.exe
Size

149KB
MD5

23e0db71f3d2182bb78ed5aaed6dbe31
SHA1

bdd3f63038f0c5cb80812289694da6e1d81b74ed
SHA256

1f65b5b41f6821ecb05aa14f391939ad2d527c7b1b48c377a5a4647051c5ae84
SHA512

03964f4dae03248bf3458d15334046632fc7ccc843f23f2b628a0e52aa162a347dfc5d7dd8307e98fa4e1cd17e9aa597513286859a6fbc2f9a124f9b54723ff3

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

45.156.26.59:4179

217.182.46.152:4179

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

dhifaxv.exedhifaxv.exe

pid process

1624 dhifaxv.exe
1824 dhifaxv.exe
Deletes itself 1 IoCs

Processes:

dhifaxv.exe

pid process

1624 dhifaxv.exe

pid	process
1624	dhifaxv.exe
1824	dhifaxv.exe

pid	process
1624	dhifaxv.exe

Drops file in Windows directory 5 IoCs

Processes:

soc.exedhifaxv.exesoc.exe

description	ioc	process
File created	C:\Windows\Tasks\hhjhcqsrmgbxsjewrlg.job	soc.exe
File created	C:\Windows\Tasks\wow64.job	dhifaxv.exe
File opened for modification	C:\Windows\Tasks\wow64.job	dhifaxv.exe
File created	C:\Windows\Tasks\wow64.job	soc.exe
File opened for modification	C:\Windows\Tasks\wow64.job	soc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1420 wrote to memory of 1416	1420	taskeng.exe	soc.exe
PID 1420 wrote to memory of 1416	1420	taskeng.exe	soc.exe
PID 1420 wrote to memory of 1416	1420	taskeng.exe	soc.exe
PID 1420 wrote to memory of 1416	1420	taskeng.exe	soc.exe
PID 1420 wrote to memory of 1624	1420	taskeng.exe	dhifaxv.exe
PID 1420 wrote to memory of 1624	1420	taskeng.exe	dhifaxv.exe
PID 1420 wrote to memory of 1624	1420	taskeng.exe	dhifaxv.exe
PID 1420 wrote to memory of 1624	1420	taskeng.exe	dhifaxv.exe
PID 1420 wrote to memory of 1824	1420	taskeng.exe	dhifaxv.exe
PID 1420 wrote to memory of 1824	1420	taskeng.exe	dhifaxv.exe
PID 1420 wrote to memory of 1824	1420	taskeng.exe	dhifaxv.exe
PID 1420 wrote to memory of 1824	1420	taskeng.exe	dhifaxv.exe

C:\Users\Admin\AppData\Local\Temp\soc.exe
"C:\Users\Admin\AppData\Local\Temp\soc.exe"
1⤵
- Drops file in Windows directory
PID:1128

C:\Windows\system32\taskeng.exe
taskeng.exe {80D013EE-5E4B-4FC9-817B-79654DF2FCD7} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Users\Admin\AppData\Local\Temp\soc.exe
  C:\Users\Admin\AppData\Local\Temp\soc.exe start
  2⤵
  - Drops file in Windows directory
  PID:1416
- C:\Windows\TEMP\dhifaxv.exe
  C:\Windows\TEMP\dhifaxv.exe
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Drops file in Windows directory
  PID:1624
- C:\Windows\TEMP\dhifaxv.exe
  C:\Windows\TEMP\dhifaxv.exe start
  2⤵
  - Executes dropped EXE
  PID:1824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\TEMP\dhifaxv.exe

MD5
23e0db71f3d2182bb78ed5aaed6dbe31

SHA1
bdd3f63038f0c5cb80812289694da6e1d81b74ed

SHA256
1f65b5b41f6821ecb05aa14f391939ad2d527c7b1b48c377a5a4647051c5ae84

SHA512
03964f4dae03248bf3458d15334046632fc7ccc843f23f2b628a0e52aa162a347dfc5d7dd8307e98fa4e1cd17e9aa597513286859a6fbc2f9a124f9b54723ff3

Download Submit
C:\Windows\Tasks\wow64.job

MD5
009491ed0a41b761254a91eaa6c77459

SHA1
87426319729e7223e831ab55512c45117bb03a04

SHA256
2c58b3e7e3d70dd2250ffe7f92acd8f37417f9240cfb8849ffd4c841a3a4216c

SHA512
04e7c3cea156da7de2f6c8bc4faedcc4eb4bf967a44546d66f1e6b310ebd0a8c2739c3e4ca1fb72edafedc2671b4f86356b7a59b05a82debb4f70296d48941fd

Download Submit
C:\Windows\Temp\dhifaxv.exe

MD5
23e0db71f3d2182bb78ed5aaed6dbe31

SHA1
bdd3f63038f0c5cb80812289694da6e1d81b74ed

SHA256
1f65b5b41f6821ecb05aa14f391939ad2d527c7b1b48c377a5a4647051c5ae84

SHA512
03964f4dae03248bf3458d15334046632fc7ccc843f23f2b628a0e52aa162a347dfc5d7dd8307e98fa4e1cd17e9aa597513286859a6fbc2f9a124f9b54723ff3

Download Submit
C:\Windows\Temp\dhifaxv.exe

MD5
23e0db71f3d2182bb78ed5aaed6dbe31

SHA1
bdd3f63038f0c5cb80812289694da6e1d81b74ed

SHA256
1f65b5b41f6821ecb05aa14f391939ad2d527c7b1b48c377a5a4647051c5ae84

SHA512
03964f4dae03248bf3458d15334046632fc7ccc843f23f2b628a0e52aa162a347dfc5d7dd8307e98fa4e1cd17e9aa597513286859a6fbc2f9a124f9b54723ff3

Download Submit
memory/1128-57-0x0000000075F41000-0x0000000075F43000-memory.dmp

Filesize
8KB

Download
memory/1128-58-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1128-56-0x0000000000230000-0x0000000000235000-memory.dmp

Filesize
20KB

Download
memory/1128-55-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/1416-59-0x0000000000000000-mapping.dmp

Download
memory/1416-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1624-63-0x0000000000000000-mapping.dmp

Download
memory/1624-67-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1824-68-0x0000000000000000-mapping.dmp

Download
memory/1824-71-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing