systembc | f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

General

Target

f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11.exe
Size

317KB
MD5

8f94de248d86fc855da27f403fca561f
SHA1

0ebd03d681c58e8431c761f695e49682860137f5
SHA256

f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11
SHA512

ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

186.2.171.65:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

ndauw.exegibx.exeuabcn.exe

pid process

1464 ndauw.exe
1272 gibx.exe
2940 uabcn.exe

pid	process
1464	ndauw.exe
1272	gibx.exe
2940	uabcn.exe

Drops file in Windows directory 5 IoCs

Processes:

f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11.exendauw.exegibx.exe

description	ioc	process
File created	C:\Windows\Tasks\ndauw.job	f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11.exe
File opened for modification	C:\Windows\Tasks\ndauw.job	f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11.exe
File created	C:\Windows\Tasks\xhdxgpnqxgocaruwpec.job	ndauw.exe
File created	C:\Windows\Tasks\uabcn.job	gibx.exe
File opened for modification	C:\Windows\Tasks\uabcn.job	gibx.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11.exegibx.exe

pid	process
3532	f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11.exe
3532	f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11.exe
1272	gibx.exe
1272	gibx.exe

C:\Users\Admin\AppData\Local\Temp\f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11.exe
"C:\Users\Admin\AppData\Local\Temp\f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3532

C:\ProgramData\tviai\ndauw.exe
C:\ProgramData\tviai\ndauw.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1464

C:\Windows\TEMP\gibx.exe
C:\Windows\TEMP\gibx.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1272

C:\ProgramData\bqtoje\uabcn.exe
C:\ProgramData\bqtoje\uabcn.exe start
1⤵
- Executes dropped EXE
PID:2940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bqtoje\uabcn.exe

MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
C:\ProgramData\bqtoje\uabcn.exe

MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
C:\ProgramData\tviai\ndauw.exe

MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
C:\ProgramData\tviai\ndauw.exe

MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
C:\Windows\TEMP\gibx.exe

MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
C:\Windows\Tasks\ndauw.job

MD5
1d91a7fea67d5cf9fcbe4dece27211e2

SHA1
2eab84956f3ab96f48f685c9d2f21991bf7e5855

SHA256
4f4b68256085995624e07063f13474e3fc9e2d2b82a50836f897cf12266662b7

SHA512
7f119ef4838204f91096cc27d1e4a82e9ef2d3f5575fbc2137266b4c3ea4e7aa8ab55c930fe5b71e2172b87c82f747f809268ce9bd2f6e3965b373ae4a1ce4e7

Download Submit
C:\Windows\Temp\gibx.exe

MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
memory/1272-124-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1464-120-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2940-127-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3532-116-0x00000000001C0000-0x00000000001C9000-memory.dmp

Filesize
36KB

Download
memory/3532-117-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3532-115-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing