systembc | 4aec64f64812b8ed41eebe2d561d166b6dc9c16f2a856f7d10408ec83f493c06

General

Target

bc6c722eaa639859b898de9e2ed17832.exe
Size

265KB
MD5

bc6c722eaa639859b898de9e2ed17832
SHA1

bff54c4071ffecf0e822faea1712cdf7c3770dd8
SHA256

4aec64f64812b8ed41eebe2d561d166b6dc9c16f2a856f7d10408ec83f493c06
SHA512

14c01897d4d4e5bc447b149b57d246914017a2b13116de7dd97352fdd4d6609c3b0e5819cdf272fdf4893ea6353eb4a306761dd78739dd8c02e435c02207dc13

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

194.33.45.6:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

ipqrnr.exevrouk.exemwfrqn.exe

pid process

1656 ipqrnr.exe
1148 vrouk.exe
924 mwfrqn.exe

pid	process
1656	ipqrnr.exe
1148	vrouk.exe
924	mwfrqn.exe

Drops file in Windows directory 5 IoCs

Processes:

vrouk.exebc6c722eaa639859b898de9e2ed17832.exeipqrnr.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\mwfrqn.job	vrouk.exe
File created	C:\Windows\Tasks\ipqrnr.job	bc6c722eaa639859b898de9e2ed17832.exe
File opened for modification	C:\Windows\Tasks\ipqrnr.job	bc6c722eaa639859b898de9e2ed17832.exe
File created	C:\Windows\Tasks\pdfxpfmsvnftbcjwogk.job	ipqrnr.exe
File created	C:\Windows\Tasks\mwfrqn.job	vrouk.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bc6c722eaa639859b898de9e2ed17832.exevrouk.exe

pid process

1492 bc6c722eaa639859b898de9e2ed17832.exe
1148 vrouk.exe

pid	process
1492	bc6c722eaa639859b898de9e2ed17832.exe
1148	vrouk.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1576 wrote to memory of 1656	1576	taskeng.exe	ipqrnr.exe
PID 1576 wrote to memory of 1656	1576	taskeng.exe	ipqrnr.exe
PID 1576 wrote to memory of 1656	1576	taskeng.exe	ipqrnr.exe
PID 1576 wrote to memory of 1656	1576	taskeng.exe	ipqrnr.exe
PID 1576 wrote to memory of 1148	1576	taskeng.exe	vrouk.exe
PID 1576 wrote to memory of 1148	1576	taskeng.exe	vrouk.exe
PID 1576 wrote to memory of 1148	1576	taskeng.exe	vrouk.exe
PID 1576 wrote to memory of 1148	1576	taskeng.exe	vrouk.exe
PID 1576 wrote to memory of 924	1576	taskeng.exe	mwfrqn.exe
PID 1576 wrote to memory of 924	1576	taskeng.exe	mwfrqn.exe
PID 1576 wrote to memory of 924	1576	taskeng.exe	mwfrqn.exe
PID 1576 wrote to memory of 924	1576	taskeng.exe	mwfrqn.exe

C:\Users\Admin\AppData\Local\Temp\bc6c722eaa639859b898de9e2ed17832.exe
"C:\Users\Admin\AppData\Local\Temp\bc6c722eaa639859b898de9e2ed17832.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1492

C:\Windows\system32\taskeng.exe
taskeng.exe {1DB10330-8240-4569-B5E9-89323491BBE6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\ProgramData\fehd\ipqrnr.exe
C:\ProgramData\fehd\ipqrnr.exe start
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1656

C:\Windows\TEMP\vrouk.exe
C:\Windows\TEMP\vrouk.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1148

C:\ProgramData\pdeoab\mwfrqn.exe
C:\ProgramData\pdeoab\mwfrqn.exe start
2⤵
- Executes dropped EXE
PID:924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fehd\ipqrnr.exe
MD5
bc6c722eaa639859b898de9e2ed17832

SHA1
bff54c4071ffecf0e822faea1712cdf7c3770dd8

SHA256
4aec64f64812b8ed41eebe2d561d166b6dc9c16f2a856f7d10408ec83f493c06

SHA512
14c01897d4d4e5bc447b149b57d246914017a2b13116de7dd97352fdd4d6609c3b0e5819cdf272fdf4893ea6353eb4a306761dd78739dd8c02e435c02207dc13

Download Submit
C:\ProgramData\fehd\ipqrnr.exe
MD5
bc6c722eaa639859b898de9e2ed17832

SHA1
bff54c4071ffecf0e822faea1712cdf7c3770dd8

SHA256
4aec64f64812b8ed41eebe2d561d166b6dc9c16f2a856f7d10408ec83f493c06

SHA512
14c01897d4d4e5bc447b149b57d246914017a2b13116de7dd97352fdd4d6609c3b0e5819cdf272fdf4893ea6353eb4a306761dd78739dd8c02e435c02207dc13

Download Submit
C:\ProgramData\pdeoab\mwfrqn.exe
MD5
a005211bae8b6bbc266c5e3f0843df83

SHA1
313fcb993ebef050080a6bafb2e8ca58aab33659

SHA256
9e134bdcaba518ff1d32566c2ad42699ded12bd76fcb4b56e3f29ac158e47efb

SHA512
2d5b11119f2f6e37b2f6fc3d23854130951067685de186911ec7b0931b446f4a4093d5f6ddb2304aea1ced0b0ddb20d3bebae7cbeb5acc7853c9cbc6cc600eb1

Download Submit
C:\ProgramData\pdeoab\mwfrqn.exe
MD5
a005211bae8b6bbc266c5e3f0843df83

SHA1
313fcb993ebef050080a6bafb2e8ca58aab33659

SHA256
9e134bdcaba518ff1d32566c2ad42699ded12bd76fcb4b56e3f29ac158e47efb

SHA512
2d5b11119f2f6e37b2f6fc3d23854130951067685de186911ec7b0931b446f4a4093d5f6ddb2304aea1ced0b0ddb20d3bebae7cbeb5acc7853c9cbc6cc600eb1

Download Submit
C:\Windows\TEMP\vrouk.exe
MD5
a005211bae8b6bbc266c5e3f0843df83

SHA1
313fcb993ebef050080a6bafb2e8ca58aab33659

SHA256
9e134bdcaba518ff1d32566c2ad42699ded12bd76fcb4b56e3f29ac158e47efb

SHA512
2d5b11119f2f6e37b2f6fc3d23854130951067685de186911ec7b0931b446f4a4093d5f6ddb2304aea1ced0b0ddb20d3bebae7cbeb5acc7853c9cbc6cc600eb1

Download Submit
C:\Windows\Tasks\ipqrnr.job
MD5
2fee8d2276586f064721c17563143c6b

SHA1
787efdce8db3c984406d0dc04137360adfd6b706

SHA256
c3723e36b79e3481caa85c03c568da322dae30f747d7a173525417d0603fde6c

SHA512
97573a5f5300d1dc578482aa91af617ea3ee39163c0d9e158d191dc37304dd26e86a587de2b66b5a8e086152dd8d4cb127096b5b63261f8709135a3a70152139

Download Submit
C:\Windows\Temp\vrouk.exe
MD5
a005211bae8b6bbc266c5e3f0843df83

SHA1
313fcb993ebef050080a6bafb2e8ca58aab33659

SHA256
9e134bdcaba518ff1d32566c2ad42699ded12bd76fcb4b56e3f29ac158e47efb

SHA512
2d5b11119f2f6e37b2f6fc3d23854130951067685de186911ec7b0931b446f4a4093d5f6ddb2304aea1ced0b0ddb20d3bebae7cbeb5acc7853c9cbc6cc600eb1

Download Submit
memory/1148-69-0x0000000000400000-0x0000000002C26000-memory.dmp

Filesize
40.1MB

Download
memory/1148-67-0x00000000002E0000-0x00000000002E9000-memory.dmp

Filesize
36KB

Download
memory/1492-58-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1492-55-0x0000000000620000-0x000000000064F000-memory.dmp

Filesize
188KB

Download
memory/1492-57-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1492-56-0x00000000769D1000-0x00000000769D3000-memory.dmp

Filesize
8KB

Download
memory/1656-63-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1656-61-0x0000000000590000-0x00000000005BF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing