systembc | f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

General

Target

socks_crypt_update.exe
Size

317KB
MD5

8f94de248d86fc855da27f403fca561f
SHA1

0ebd03d681c58e8431c761f695e49682860137f5
SHA256

f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11
SHA512

ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

186.2.171.65:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

nxdcau.exemhvudui.exehetris.exe

pid process

2012 nxdcau.exe
3988 mhvudui.exe
404 hetris.exe

pid	process
2012	nxdcau.exe
3988	mhvudui.exe
404	hetris.exe

Drops file in Windows directory 5 IoCs

Processes:

socks_crypt_update.exenxdcau.exemhvudui.exe

description	ioc	process
File created	C:\Windows\Tasks\nxdcau.job	socks_crypt_update.exe
File opened for modification	C:\Windows\Tasks\nxdcau.job	socks_crypt_update.exe
File created	C:\Windows\Tasks\wjruebjrlnhfipemlsm.job	nxdcau.exe
File created	C:\Windows\Tasks\hetris.job	mhvudui.exe
File opened for modification	C:\Windows\Tasks\hetris.job	mhvudui.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

socks_crypt_update.exemhvudui.exe

pid process

2328 socks_crypt_update.exe
2328 socks_crypt_update.exe
3988 mhvudui.exe
3988 mhvudui.exe

pid	process
2328	socks_crypt_update.exe
2328	socks_crypt_update.exe
3988	mhvudui.exe
3988	mhvudui.exe

C:\Users\Admin\AppData\Local\Temp\socks_crypt_update.exe
"C:\Users\Admin\AppData\Local\Temp\socks_crypt_update.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2328

C:\ProgramData\cnun\nxdcau.exe
C:\ProgramData\cnun\nxdcau.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2012

C:\Windows\TEMP\mhvudui.exe
C:\Windows\TEMP\mhvudui.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3988

C:\ProgramData\xbrwdjt\hetris.exe
C:\ProgramData\xbrwdjt\hetris.exe start
1⤵
- Executes dropped EXE
PID:404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cnun\nxdcau.exe
MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
C:\ProgramData\cnun\nxdcau.exe
MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
C:\ProgramData\xbrwdjt\hetris.exe
MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
C:\ProgramData\xbrwdjt\hetris.exe
MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
C:\Windows\TEMP\mhvudui.exe
MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
C:\Windows\Tasks\nxdcau.job
MD5
a65c92893c3487c5e4fcda4f49469570

SHA1
11eaab2487aa0b1bb5eb852a35be30a798025291

SHA256
4590a41db5618498c87bb0f61c233675c93361c2abbd025c83355a2ffab7b110

SHA512
ee14598edff57c4c8074a1d7570e9c6d2dd85858803629da501469746b58f67db1415503d8a4d39098c1beaf5dde245ed4cad29f302dfc1312b861ceb76cb620

Download Submit
C:\Windows\Temp\mhvudui.exe
MD5
8f94de248d86fc855da27f403fca561f

SHA1
0ebd03d681c58e8431c761f695e49682860137f5

SHA256
f84a10e65b8b479c09668202550f40f3f7ccc5e3343e1a8ed6173e0873aefd11

SHA512
ad36cb1926ba630cb4441d3539295aee2cff164731fb6cdc061a3802e69f7e446b76f1012b1c1f2d0334a98d229e7479243afa4a5dc02e166662b72b27ec43fd

Download Submit
memory/404-131-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2012-124-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2012-123-0x00000000004A0000-0x00000000004A9000-memory.dmp

Filesize
36KB

Download
memory/2328-118-0x0000000000030000-0x0000000000038000-memory.dmp

Filesize
32KB

Download
memory/2328-120-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2328-119-0x00000000004B0000-0x000000000055E000-memory.dmp

Filesize
696KB

Download
memory/3988-128-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads