systembc | f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

General

Target

socks_crypt_update.exe
Size

317KB
MD5

8f94de248d86fc855da27f403fca561f
SHA1

0ebd03d681c58e8431c761f695e49682860137f5
SHA256

f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11
SHA512

ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

186.2.171.65:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

uitj.exepcxjgbx.exemofkctp.exe

pid process

544 uitj.exe
1384 pcxjgbx.exe
1004 mofkctp.exe

pid	process
544	uitj.exe
1384	pcxjgbx.exe
1004	mofkctp.exe

Drops file in Windows directory 5 IoCs

Processes:

socks_crypt_update.exeuitj.exepcxjgbx.exe

description	ioc	process
File created	C:\Windows\Tasks\uitj.job	socks_crypt_update.exe
File opened for modification	C:\Windows\Tasks\uitj.job	socks_crypt_update.exe
File created	C:\Windows\Tasks\pwvrjphnfldjbhxfvet.job	uitj.exe
File created	C:\Windows\Tasks\mofkctp.job	pcxjgbx.exe
File opened for modification	C:\Windows\Tasks\mofkctp.job	pcxjgbx.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

socks_crypt_update.exepcxjgbx.exe

pid process

1664 socks_crypt_update.exe
1384 pcxjgbx.exe

pid	process
1664	socks_crypt_update.exe
1384	pcxjgbx.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 520 wrote to memory of 544	520	taskeng.exe	uitj.exe
PID 520 wrote to memory of 544	520	taskeng.exe	uitj.exe
PID 520 wrote to memory of 544	520	taskeng.exe	uitj.exe
PID 520 wrote to memory of 544	520	taskeng.exe	uitj.exe
PID 520 wrote to memory of 1384	520	taskeng.exe	pcxjgbx.exe
PID 520 wrote to memory of 1384	520	taskeng.exe	pcxjgbx.exe
PID 520 wrote to memory of 1384	520	taskeng.exe	pcxjgbx.exe
PID 520 wrote to memory of 1384	520	taskeng.exe	pcxjgbx.exe
PID 520 wrote to memory of 1004	520	taskeng.exe	mofkctp.exe
PID 520 wrote to memory of 1004	520	taskeng.exe	mofkctp.exe
PID 520 wrote to memory of 1004	520	taskeng.exe	mofkctp.exe
PID 520 wrote to memory of 1004	520	taskeng.exe	mofkctp.exe

C:\Users\Admin\AppData\Local\Temp\socks_crypt_update.exe
"C:\Users\Admin\AppData\Local\Temp\socks_crypt_update.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1664

C:\Windows\system32\taskeng.exe
taskeng.exe {4806D8CF-0EDB-457F-A522-9E17F08678B7} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\ProgramData\clqqiib\uitj.exe
C:\ProgramData\clqqiib\uitj.exe start
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:544

C:\Windows\TEMP\pcxjgbx.exe
C:\Windows\TEMP\pcxjgbx.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1384

C:\ProgramData\ggtlx\mofkctp.exe
C:\ProgramData\ggtlx\mofkctp.exe start
2⤵
- Executes dropped EXE
PID:1004

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\clqqiib\uitj.exe
MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
C:\ProgramData\clqqiib\uitj.exe
MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
C:\ProgramData\ggtlx\mofkctp.exe
MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
C:\ProgramData\ggtlx\mofkctp.exe
MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
C:\Windows\TEMP\pcxjgbx.exe
MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
C:\Windows\Tasks\uitj.job
MD5
0c8e5e1d534509e28ca6d53a0ab7c973

SHA1
9e722b0c6aaecb50b95a7c9188c397d36a4d52fa

SHA256
9451507e3f00782339176a5215be869b5081c06a4301021b676abeb0671e571e

SHA512
0ff4a33abc509becbfc949b2d56f35789dc666c2137cbbd9412635cdd9c60727b376ade69c5efd482a5f8ed0a595a050644521401f2cf2c090543c3b3961afcb

Download Submit
C:\Windows\Temp\pcxjgbx.exe
MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
memory/544-61-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1384-66-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1664-54-0x00000000754B1000-0x00000000754B3000-memory.dmp

Filesize
8KB

Download
memory/1664-57-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1664-56-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/1664-55-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing