systembc | b297268489b285cb347ca9a7efc9339d36505e61bfd9b29719321e4164c8c9cf

General

Target

b297268489b285cb347ca9a7efc9339d36505e61bfd9b29719321e4164c8c9cf.exe
Size

713KB
MD5

a692018d2b9c401318fe8e49903c8e7f
SHA1

c443761f15cd362b6aff6aa1dc17a3127e9527a6
SHA256

b297268489b285cb347ca9a7efc9339d36505e61bfd9b29719321e4164c8c9cf
SHA512

4be1b1a95c56cdb9e2b0e9c3ca4b235911da1c4a881f37d44ced0bc55a6a49b64244814089487c23a90a360a9f4eb57005efb2b0cdd668ef5df1afd03b0e5baa

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

mainscpnl.xyz:4207

backpscpnl.xyz:4207

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

xxxd.exexxxd.exe

pid process

4268 xxxd.exe
1040 xxxd.exe
Deletes itself 1 IoCs

Processes:

xxxd.exe

pid process

4268 xxxd.exe

pid	process
4268	xxxd.exe
1040	xxxd.exe

pid	process
4268	xxxd.exe

Drops file in System32 directory 6 IoCs

Processes:

b297268489b285cb347ca9a7efc9339d36505e61bfd9b29719321e4164c8c9cf.exexxxd.exexxxd.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\.obs32\{49E7EF38-38264034-163ACEA1-2953F590}.Language	b297268489b285cb347ca9a7efc9339d36505e61bfd9b29719321e4164c8c9cf.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Obsidium\{49E7EF38-38264034-163ACEA1-2953F590}.Extensions	xxxd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\.obs32\{49E7EF38-38264034-163ACEA1-2953F590}.Language	xxxd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Obsidium\{49E7EF38-38264034-163ACEA1-2953F590}.Extensions	xxxd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\.obs32\{49E7EF38-38264034-163ACEA1-2953F590}.Language	xxxd.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Obsidium\{49E7EF38-38264034-163ACEA1-2953F590}.Extensions	b297268489b285cb347ca9a7efc9339d36505e61bfd9b29719321e4164c8c9cf.exe

Drops file in Windows directory 5 IoCs

Processes:

xxxd.exeb297268489b285cb347ca9a7efc9339d36505e61bfd9b29719321e4164c8c9cf.exeb297268489b285cb347ca9a7efc9339d36505e61bfd9b29719321e4164c8c9cf.exe

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	xxxd.exe
File opened for modification	C:\Windows\Tasks\wow64.job	xxxd.exe
File created	C:\Windows\Tasks\wow64.job	b297268489b285cb347ca9a7efc9339d36505e61bfd9b29719321e4164c8c9cf.exe
File opened for modification	C:\Windows\Tasks\wow64.job	b297268489b285cb347ca9a7efc9339d36505e61bfd9b29719321e4164c8c9cf.exe
File created	C:\Windows\Tasks\albtmfwcunuaruorlev.job	b297268489b285cb347ca9a7efc9339d36505e61bfd9b29719321e4164c8c9cf.exe

C:\Users\Admin\AppData\Local\Temp\b297268489b285cb347ca9a7efc9339d36505e61bfd9b29719321e4164c8c9cf.exe
"C:\Users\Admin\AppData\Local\Temp\b297268489b285cb347ca9a7efc9339d36505e61bfd9b29719321e4164c8c9cf.exe"
1⤵
- Drops file in Windows directory
PID:3604

C:\Users\Admin\AppData\Local\Temp\b297268489b285cb347ca9a7efc9339d36505e61bfd9b29719321e4164c8c9cf.exe
C:\Users\Admin\AppData\Local\Temp\b297268489b285cb347ca9a7efc9339d36505e61bfd9b29719321e4164c8c9cf.exe start
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:4056

C:\Windows\TEMP\xxxd.exe
C:\Windows\TEMP\xxxd.exe
1⤵
- Executes dropped EXE
- Deletes itself
- Drops file in System32 directory
- Drops file in Windows directory
PID:4268

C:\Windows\TEMP\xxxd.exe
C:\Windows\TEMP\xxxd.exe start
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\TEMP\xxxd.exe

MD5
a692018d2b9c401318fe8e49903c8e7f

SHA1
c443761f15cd362b6aff6aa1dc17a3127e9527a6

SHA256
b297268489b285cb347ca9a7efc9339d36505e61bfd9b29719321e4164c8c9cf

SHA512
4be1b1a95c56cdb9e2b0e9c3ca4b235911da1c4a881f37d44ced0bc55a6a49b64244814089487c23a90a360a9f4eb57005efb2b0cdd668ef5df1afd03b0e5baa

Download Submit
C:\Windows\Tasks\wow64.job

MD5
692c72168532f49377781597a9b56492

SHA1
488df085d3e696ed07d4da9804dc69ec7e945e15

SHA256
66bb3e439c03952c4d22398cd7fc5d02002fc05c4aad3985a50dcc02bf08315b

SHA512
b552358dc8890e371a5c997c90dccf2545aede7fd22c081c6fde93b811cd89e3ca22c45330c2ee7f3cb3140dedd6d05330f9eb20eaf88d275f04b4bfe92b5a90

Download Submit
C:\Windows\Temp\xxxd.exe

MD5
a692018d2b9c401318fe8e49903c8e7f

SHA1
c443761f15cd362b6aff6aa1dc17a3127e9527a6

SHA256
b297268489b285cb347ca9a7efc9339d36505e61bfd9b29719321e4164c8c9cf

SHA512
4be1b1a95c56cdb9e2b0e9c3ca4b235911da1c4a881f37d44ced0bc55a6a49b64244814089487c23a90a360a9f4eb57005efb2b0cdd668ef5df1afd03b0e5baa

Download Submit
C:\Windows\Temp\xxxd.exe

MD5
a692018d2b9c401318fe8e49903c8e7f

SHA1
c443761f15cd362b6aff6aa1dc17a3127e9527a6

SHA256
b297268489b285cb347ca9a7efc9339d36505e61bfd9b29719321e4164c8c9cf

SHA512
4be1b1a95c56cdb9e2b0e9c3ca4b235911da1c4a881f37d44ced0bc55a6a49b64244814089487c23a90a360a9f4eb57005efb2b0cdd668ef5df1afd03b0e5baa

Download Submit
memory/1040-158-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/1040-157-0x00000000011F0000-0x000000000122B000-memory.dmp

Filesize
236KB

Download
memory/1040-152-0x0000000001190000-0x0000000001197000-memory.dmp

Filesize
28KB

Download
memory/1040-151-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1040-150-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/1040-149-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/3604-120-0x0000000000850000-0x0000000000857000-memory.dmp

Filesize
28KB

Download
memory/3604-115-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/3604-119-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download
memory/3604-118-0x00000000007A0000-0x00000000008EA000-memory.dmp

Filesize
1.3MB

Download
memory/3604-117-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/3604-116-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/4056-126-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/4056-134-0x00000000007A0000-0x00000000008EA000-memory.dmp

Filesize
1.3MB

Download
memory/4056-133-0x00000000007A0000-0x00000000008EA000-memory.dmp

Filesize
1.3MB

Download
memory/4056-128-0x00000000011C0000-0x00000000011C7000-memory.dmp

Filesize
28KB

Download
memory/4056-127-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/4056-125-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/4268-140-0x0000000001170000-0x0000000001177000-memory.dmp

Filesize
28KB

Download
memory/4268-139-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4268-146-0x00000000011D0000-0x000000000120B000-memory.dmp

Filesize
236KB

Download
memory/4268-147-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/4268-138-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download
memory/4268-137-0x0000000000400000-0x0000000000598000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing