systembc | 1f65b5b41f6821ecb05aa14f391939ad2d527c7b1b48c377a5a4647051c5ae84

General

Target

23e0db71f3d2182bb78ed5aaed6dbe31.exe
Size

149KB
MD5

23e0db71f3d2182bb78ed5aaed6dbe31
SHA1

bdd3f63038f0c5cb80812289694da6e1d81b74ed
SHA256

1f65b5b41f6821ecb05aa14f391939ad2d527c7b1b48c377a5a4647051c5ae84
SHA512

03964f4dae03248bf3458d15334046632fc7ccc843f23f2b628a0e52aa162a347dfc5d7dd8307e98fa4e1cd17e9aa597513286859a6fbc2f9a124f9b54723ff3

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

45.156.26.59:4179

217.182.46.152:4179

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

lqvqmh.exelqvqmh.exe

pid process

1104 lqvqmh.exe
1120 lqvqmh.exe
Deletes itself 1 IoCs

Processes:

lqvqmh.exe

pid process

1104 lqvqmh.exe

pid	process
1104	lqvqmh.exe
1120	lqvqmh.exe

pid	process
1104	lqvqmh.exe

Drops file in Windows directory 5 IoCs

Processes:

23e0db71f3d2182bb78ed5aaed6dbe31.exe23e0db71f3d2182bb78ed5aaed6dbe31.exelqvqmh.exe

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	23e0db71f3d2182bb78ed5aaed6dbe31.exe
File opened for modification	C:\Windows\Tasks\wow64.job	23e0db71f3d2182bb78ed5aaed6dbe31.exe
File created	C:\Windows\Tasks\blqgdxtpmifbvsokhdx.job	23e0db71f3d2182bb78ed5aaed6dbe31.exe
File created	C:\Windows\Tasks\wow64.job	lqvqmh.exe
File opened for modification	C:\Windows\Tasks\wow64.job	lqvqmh.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1320 wrote to memory of 1660	1320	taskeng.exe	23e0db71f3d2182bb78ed5aaed6dbe31.exe
PID 1320 wrote to memory of 1660	1320	taskeng.exe	23e0db71f3d2182bb78ed5aaed6dbe31.exe
PID 1320 wrote to memory of 1660	1320	taskeng.exe	23e0db71f3d2182bb78ed5aaed6dbe31.exe
PID 1320 wrote to memory of 1660	1320	taskeng.exe	23e0db71f3d2182bb78ed5aaed6dbe31.exe
PID 1320 wrote to memory of 1104	1320	taskeng.exe	lqvqmh.exe
PID 1320 wrote to memory of 1104	1320	taskeng.exe	lqvqmh.exe
PID 1320 wrote to memory of 1104	1320	taskeng.exe	lqvqmh.exe
PID 1320 wrote to memory of 1104	1320	taskeng.exe	lqvqmh.exe
PID 1320 wrote to memory of 1120	1320	taskeng.exe	lqvqmh.exe
PID 1320 wrote to memory of 1120	1320	taskeng.exe	lqvqmh.exe
PID 1320 wrote to memory of 1120	1320	taskeng.exe	lqvqmh.exe
PID 1320 wrote to memory of 1120	1320	taskeng.exe	lqvqmh.exe

C:\Users\Admin\AppData\Local\Temp\23e0db71f3d2182bb78ed5aaed6dbe31.exe
"C:\Users\Admin\AppData\Local\Temp\23e0db71f3d2182bb78ed5aaed6dbe31.exe"
1⤵
- Drops file in Windows directory
PID:980

C:\Windows\system32\taskeng.exe
taskeng.exe {6B183ABE-2346-4FD6-B09D-9BF694D6C277} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Users\Admin\AppData\Local\Temp\23e0db71f3d2182bb78ed5aaed6dbe31.exe
  C:\Users\Admin\AppData\Local\Temp\23e0db71f3d2182bb78ed5aaed6dbe31.exe start
  2⤵
  - Drops file in Windows directory
  PID:1660
- C:\Windows\TEMP\lqvqmh.exe
  C:\Windows\TEMP\lqvqmh.exe
  2⤵
  - Executes dropped EXE
  - Deletes itself
  - Drops file in Windows directory
  PID:1104
- C:\Windows\TEMP\lqvqmh.exe
  C:\Windows\TEMP\lqvqmh.exe start
  2⤵
  - Executes dropped EXE
  PID:1120

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\TEMP\lqvqmh.exe

MD5
23e0db71f3d2182bb78ed5aaed6dbe31

SHA1
bdd3f63038f0c5cb80812289694da6e1d81b74ed

SHA256
1f65b5b41f6821ecb05aa14f391939ad2d527c7b1b48c377a5a4647051c5ae84

SHA512
03964f4dae03248bf3458d15334046632fc7ccc843f23f2b628a0e52aa162a347dfc5d7dd8307e98fa4e1cd17e9aa597513286859a6fbc2f9a124f9b54723ff3

Download Submit
C:\Windows\Tasks\wow64.job

MD5
d862cc6979a6dcc5b7250e38953db168

SHA1
1e350cb8379f8d008dffdd5bbeee5884ba1ed3b1

SHA256
88fed503935834324c21b82cb401f1a33ad4dde4ce4c09383a169697acce53d6

SHA512
840c0248659ab0cd9be3df61417a70226f9385951a185a17b4454ca841af202f2f3580baeb7e51a252ac9103b4445d351aa2a2f02b5e8ba64b57be0b5f3f0967

Download Submit
C:\Windows\Temp\lqvqmh.exe

MD5
23e0db71f3d2182bb78ed5aaed6dbe31

SHA1
bdd3f63038f0c5cb80812289694da6e1d81b74ed

SHA256
1f65b5b41f6821ecb05aa14f391939ad2d527c7b1b48c377a5a4647051c5ae84

SHA512
03964f4dae03248bf3458d15334046632fc7ccc843f23f2b628a0e52aa162a347dfc5d7dd8307e98fa4e1cd17e9aa597513286859a6fbc2f9a124f9b54723ff3

Download Submit
C:\Windows\Temp\lqvqmh.exe

MD5
23e0db71f3d2182bb78ed5aaed6dbe31

SHA1
bdd3f63038f0c5cb80812289694da6e1d81b74ed

SHA256
1f65b5b41f6821ecb05aa14f391939ad2d527c7b1b48c377a5a4647051c5ae84

SHA512
03964f4dae03248bf3458d15334046632fc7ccc843f23f2b628a0e52aa162a347dfc5d7dd8307e98fa4e1cd17e9aa597513286859a6fbc2f9a124f9b54723ff3

Download Submit
memory/980-56-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/980-58-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/980-57-0x0000000000230000-0x0000000000235000-memory.dmp

Filesize
20KB

Download
memory/980-55-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Filesize
8KB

Download
memory/1104-63-0x0000000000000000-mapping.dmp

Download
memory/1104-67-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1120-68-0x0000000000000000-mapping.dmp

Download
memory/1120-71-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1660-59-0x0000000000000000-mapping.dmp

Download
memory/1660-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing