systembc | 572caae09650d4eba511615a5747c2f0eea16fa0146657bc5e82bac131288ead

General

Target

572caae09650d4eba511615a5747c2f0eea16fa0146657bc5e82bac131288ead.exe
Size

233KB
MD5

d5a1df9d234d4bb47628ca6f22b02c1a
SHA1

b685e795c9505b28d43de0879ec98b9ecab0e4e2
SHA256

572caae09650d4eba511615a5747c2f0eea16fa0146657bc5e82bac131288ead
SHA512

3b1683269f9077b045b74c31acb6cd7e94040fee7f8024fa74a3e68d07c971859daf718b7fb36a4cb57507b6287d937251a7e1fc3307fca16d60c4c5dcd420ac

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

rnjw.exekjsfrui.exeqvhss.exe

pid process

1288 rnjw.exe
4040 kjsfrui.exe
1684 qvhss.exe

pid	process
1288	rnjw.exe
4040	kjsfrui.exe
1684	qvhss.exe

Drops file in Windows directory 5 IoCs

Processes:

572caae09650d4eba511615a5747c2f0eea16fa0146657bc5e82bac131288ead.exernjw.exekjsfrui.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\rnjw.job	572caae09650d4eba511615a5747c2f0eea16fa0146657bc5e82bac131288ead.exe
File created	C:\Windows\Tasks\taswmnxjmanqeqejuin.job	rnjw.exe
File created	C:\Windows\Tasks\qvhss.job	kjsfrui.exe
File opened for modification	C:\Windows\Tasks\qvhss.job	kjsfrui.exe
File created	C:\Windows\Tasks\rnjw.job	572caae09650d4eba511615a5747c2f0eea16fa0146657bc5e82bac131288ead.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3716 560 WerFault.exe 572caae09650d4eba511615a5747c2f0eea16fa0146657bc5e82bac131288ead.exe

pid	pid_target	process	target process
3716	560	WerFault.exe	572caae09650d4eba511615a5747c2f0eea16fa0146657bc5e82bac131288ead.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "0018400647F126EC"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\0018400647F126EC = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000f15d99f85729b85ee22447d18330279d9cc4fd2bf2be33e34671aa38b3e33710000000000e8000000002000020000000a0b79a3690500b78fce7ae49548ee6225f5c0c78f6cb38aa00a81f3cb3faec55800000008b90e2651f93668ef481bd4910dea98d7058692c58e5a72e06c8e91b378bae03625312e80113c68a0eb68b69231fd0e232702fb1aefed0afa32df0ac26afbdfdaec34f39e702a40bf7ed1d37b37d11a85c329206beb9d5ecf367c876b39061b504bf4bc518e4d39e776b1ea60a988ac963fe93fe3c54d2a46cbbeed3f9b6de914000000063aaa3e396f04dbe8b3340e3d3dd30039fa7510336191e432abdd78cb4634b80320ec2805c1e58e4cc1d59b85cf5c0f7c207c773b3d4bf2cd5f4aaf789137556	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e0000000002000000000010660000000100002000000022232f9fcdd4f3cbbe25f3a51d8e7f724d691ee5bc7cccd8e32c0acc9174a334000000000e80000000020000200000006d8a2379cee628604c2f940321e11dac3e9bb7e81404f1e15b1f04976715c7e0100d0000164935e985737f92a508c3a5aa8399290a370a920202c61d875710f6760e465bd9b1346bb64d78b4e0783c09c2d574b217685c048535c7208b628384d1fda7f7710adc84fd12d710e4cc4f06987cad79eb373ca0ec9ee694af5a6016bcc282fddfeee34ac6fb691e90c17c112a1a0c3aaedae0c2427a2c87d3e7ee08045790efe6ba3ee24bc7265888aab218b16802f4bbb5442058eb4b115d87e3af31a04de12fada2b77308c183fd0f6b721323a7d87db9faefe6d542348414d1f35fc9517d2f2190bdffb0d1b401458db526a8e9c96690660cf43c2984a663f1fa5d6e58e75044f036f8214fc08366dd1e62b0bc2b58814dab3f7cc6c908b88f2d49cf8c80206428e1253505189b97ea5b16b96c033f3bc276338532cd654e3bb43bfc13d2aa28d4139d502f460c7b1ff755980d43ec567496f297da6924e724745db6e2ce98f121d87e221d40a8bbb5f440a69f11c4fcbc137d2f9e94f674970611dd1fbe10f72d99dcb40606940f605d0c7c2de387e56bd33357f4976454844cd00e3e0e02c4c76bd2a851cda5d5697937457e2641e5288d78f4a220f796f7a67998bdfaf142ef73f52b67f18ec2d60af589128661551ea3e5a5f3356eaab95f03c90c6246ee342695caaf78001d5bc92725a8cb22675f6a74e4fc6e8165b9ee8a71e77ceed55e72a25c7ace17b3f492fd6101900e9651f85cfe2bc9b3c752d8f5c1bc7fd99896ecd52ef58123392579c2b5d6eb36975dfe83b7f71ba81c46267e22cce411e304b4b7715956a27718600b07e25ef41478d6e8f5378abe29cdc292f1f9eafb9e85ae6f1dbfe27b60f4f8f9d00887668649731af5e438ee14c527638b7252ce573e569e554497ecd41ea6ce68528364bff52ecd6a4d3e04452392caab90bd7c5dbe1e5660e232599cc2a84fc2b539e8f92d1e8eeef6bc7fe16d9ae611af7ec0c4242c424e5c51be85c05f47bce081b27f79b1be315f720f31fd0cab1c5a2b74ef5b005570e93cb7fa1614c4ed3e89a816d5f3a6681cfd3896d25674aec1320385288cd4d66aa81ddde8d2bd081d32eb6a9e241e88d03c47733abd96e1df4d67e08b4bdceadb7f4515c457b3cb6d162cc9830fcad9abeb33e79c4141b0511bbbf514958bb1e46909f03cb43a89da4c889d6a4bc3c982fb358c4e03bb0d47b0e1b6588e9f7067a433a4ab6740fd2819ee27a0842594a4d58a7b43d1b898a90aa858bb9527192c7f4db47c81f2abbd49aac904779f12c5c7c428bfc76b97005341e855cb39d8936146b954026db593edda860f2eb6375fbd74338338b48e74a338d893e6b87d7690201e1d3d2ce837030df6de03138a58a46ecac1bf39ec31e2a9ebc314115623c30b70fc1d81c7ce696755b5947a6749890bb8770672c4e32dd280fa8e5b4b1123862ca887eaa6c63a80c6030058a55ffa7e5b82cfdad80a2cf112e062e16d98a7bd65905a6358c3e669e5fa34956e2c3566998c7fa07db22ed9db7aaf6b1b2fb7d124aa3e06f53af28da158ff3565a3f9a82fc935b88099b514761632d43a3d4fdad92f2df84b90f2c8f31ba46868dd755db6fe4244467428c340df4d21561005f9dc8799db09c943e8d95b1d45618d46cb59f7f299fa7a412fc01843ecc7903b25a1e38ca7b020aa971c7cd67b7af91f2bd5a302c17ab1b81681e3d0f457ed7003aa9e5285c10e5d13b691974409cbfca33db674ba063b44da5fdb2eb5be9b608d59cca281bb016010f05af4ff37a2693a849aa07733ca4e46856cf553108a1c724db8952118a3f92e93256464b5e4725988fa14db7236d7818ca8c3438b82273a09ee31a0bcbd59452bc49db029a18c3499cb10851d5f6ba04121428062fa825d99e7e6c61371ce217046a31b3738a44cd3692e1942d2450143cb4248e0fb56cf9c6d2114c187f2599ae792790030bb703ef0825fe86e76d012f75d0248d1d432167e7b656b5cecee5ebcdefb8921a9552402cfae99dd6b9d5650e20d1249f3c5b6939803491074e843fc77e5eaee6912440f5a66216f90a4be4dcdaabffe5719f9c3b707d36d495d6004a91fd738313c97775a7571b42e04ed6534f393bd0e270878ad1cb370bd99d3b2255f34dc1fe031a629d86b543f2a71838f67967e1be1c9bb279a1dcf6ea71a16104253acdc422fa3b7483174f6a228a61a536bf196cb716d1358ce49c5e569640b1bfea21e332628c5e97b01f05f6114f107d05c4b196198910cba068339838864e4ab1d2b5785fad4f19c54a29e5216b67d627cfa6e3d605868c49448c75c50efbe048596921dc1daceb4c0b7d0254d05c8ed4d9b048cfcd19f77abdafeef4af0984c21e495433d166c6776d60548d74e20641d1cea3dc90e3ef544246f7ec6848645f0c6b369fdda02352b2c1e96eb555bd5e7e0caa26cec594b4230fa4e3fd2f227b0aed5accd0aba7de6a59bd73f8379839ec23c869961de6ce09955af30851bf95862a044835d5f3e4828970c28c8627adca9ca9dbfc6948ab6d4bef12c7758e36bb7f89962e5136c05f419e659f06fccbc207465bdf11d8988af85539498416cf52fdd2409a7a1e76b5b1e1813dad60c03f8ea87c761d5f926f8f7ca00aa2fff3c604863a94b9c54db83a2916d82e3e516fa0f5a0e235e3740660eabdff0b7470b58d36ed20d5d33a689919f45bc136b1fcc0dc182c28167ae61f750f6803f5ccb229e6228aa40f8aa777e5ecf5cf3af50f6b1bcb4fef36700a5711e015e8844659897f553942dcf0c07ffaaac75b1828ba5a87035b7b43663501fc0bbb5af9e0a124b62ad5940ae7e6b1323e1f7110fb68d89dbbd5a866b13c06b62adf607f27d4c286bbf2533f5186ffd445a604e805a3d7cee78e9983df8709f935c3d7384e42f9e61cc73aad7aa621920d552de3a9d9334beca189887d5cf3ba331fff548d8c29e9c4b55d95771dbf6bbfd7238063a6f2f1e38b352f3a08c3007278935845bf98449312d799bf589cc1a98b92049a7e5cf2a910f32693e6163e8121079b7a9cff3abb051bc010827e5782f911d3861898ca135a00968592cbbad16c4b0f8afd3755c80cabde3ac1f7fb582b3d87def0b3c5778f44759c437cf3b2b1180a89cdcee4ed26ee69326f86a5ea4c3ac1d72c6b692a036dfd457b359de98acbbd1dd773feb224d4cfc4a3c0738a6af0cd885c455655ff93724eeb550168b0f64bd55fdd809a501f1a07229806ef5f66b311714203b67f94ebddf8f9ed10fc54d94da7e8114de98f282a4ee8acb0fdf5e945d944de657383bb3c77ec2ed42f3c4e5a9663f5fcb0d890779a7d0f19ac4f8f0f781e86401a812a25313e6cff8570317a138eb872445393a93c8709c1eeb28c1f518e264eeb542a47b17e00c22e8a2cc3808ef33a03fdefe9a32aa716d2047cba1ce659d4f37866ff889b5d923616f37652ace0d83a1e59d0d7be8d439a1456498bf7c8c62941004b1af50c1d57bd51a45a945677d931b5b0ffd9c572bd9b3cd9e7bc32bcde33a111c794896793f2a0f6dd82af2aafd0382aaa85f95b289689a9833dccceea80ba7366d0d665201d32d303fa32f898019bf94bc697555d2b738934673f3082e1b7f9735217787a6ab999ad1de3f28249a880254b91e466a9f597cf7c2c70d3fa3caaf7c074ee830e40367bc3128bd88c62fcfd44565e968f2ed88543950bf7dee2308665ddb171180b7e233b2ba9641fc4bb19a241e9067983a45d34f1ccd3cd66b594be35b443958a9442125393d2e0cf5ab07e6050bf660b788bd77966ab8932805909a2c0096981d1bdbf1b2104d0d2a6bd303ed2e2a798dcd6f6a5a79d58a689c9626eebfac128aa7b83d1cf4eb1cedeb5bbc1fc24204d040a7d80482f185c2cf7cbea6a77cd29dacccc4fe7bcb528ece29e4465494a07b1590e5c96a90c72e265f5b12d8ae8be000eda634cecd58bfcfe08f0986d1ff1567d1035ec4c21c2f7712c610bcdf215529d5ad5508894ff71e37181a28e170c1f9bc8dab6065da5ce836ee87e37afc82c1ada2b476ccab15e0c133d46bdb32ff59b4849fdbda3290f1edb82bc57c8ba68956c7b876a57e3ce81016c3956139d1e6c76872fef12f1c4261fd41a1ad27f4ac516a43e0ec81c81e5e0e6299d437f64f51b3a3da89ecccd07b95268dd37d2fc450890f21daf02499433fe6c36e5b2208345f590b03ce81f404d387a804e65c23431b58aeda25657b384d4dccf565f6563f47dbf4090995b3aecb33ae9e4ed077aa1a4d83fc12f556c87c41f3c706980f9f12442231c084670f5ffd570f815886448088a63dd757f45373853adf494b34aa5a6f9f346397dc35c84854ec66a5ccd663307f52ec52e586b48eac0587b303f85830cac5c20d389e421d1a9d476fd7a2e51afdb62bc12fc9dc5c248d784ab2365c46ea1091daa1b1b88424c73ebd42eeec66696d784834bd56730350fe465c8c6dea603549142bc0fd12e1700dcf8a965eb0cb8e5c112c1506372f521f9f4f999c9039f94224cc7986e061ff0ee57c54e5e2d8ed1c477d945487a0126043d0cfae3712023cd7adcd458f6f4881033a285800dd86b344ad395596045925275c3d422e3980f0ec5c069504171ad375a5f08a2c9597830a5c16bad7164624b430b3c13315d80f8a4e0bd05f5d5b7ac89d36ca80f6597f6f9ba330eb1eb81a595c65affb9eae0ca187c5c02dfa01b2771e578d296b986b6ceddb9ecf671f3d36e697a7541a2cffc6cc4e40000000d8cdee196b49295665d79d153fbf5d3fee369be47a9565bd7b36613129893cb509bc5dbbeac417b05af041526a48e18fd7288efd1da3ecbbbf7a6182d8961fab	svchost.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

572caae09650d4eba511615a5747c2f0eea16fa0146657bc5e82bac131288ead.exekjsfrui.exe

pid	process
560	572caae09650d4eba511615a5747c2f0eea16fa0146657bc5e82bac131288ead.exe
560	572caae09650d4eba511615a5747c2f0eea16fa0146657bc5e82bac131288ead.exe
4040	kjsfrui.exe
4040	kjsfrui.exe

C:\Users\Admin\AppData\Local\Temp\572caae09650d4eba511615a5747c2f0eea16fa0146657bc5e82bac131288ead.exe
"C:\Users\Admin\AppData\Local\Temp\572caae09650d4eba511615a5747c2f0eea16fa0146657bc5e82bac131288ead.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 484
2⤵
- Program crash
PID:3716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Modifies data under HKEY_USERS
PID:4360

C:\ProgramData\aiuhro\rnjw.exe
C:\ProgramData\aiuhro\rnjw.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 560 -ip 560
1⤵
PID:1984

C:\Windows\TEMP\kjsfrui.exe
C:\Windows\TEMP\kjsfrui.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4040

C:\ProgramData\eucekm\qvhss.exe
C:\ProgramData\eucekm\qvhss.exe start
1⤵
- Executes dropped EXE
PID:1684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\aiuhro\rnjw.exe
MD5
d5a1df9d234d4bb47628ca6f22b02c1a

SHA1
b685e795c9505b28d43de0879ec98b9ecab0e4e2

SHA256
572caae09650d4eba511615a5747c2f0eea16fa0146657bc5e82bac131288ead

SHA512
3b1683269f9077b045b74c31acb6cd7e94040fee7f8024fa74a3e68d07c971859daf718b7fb36a4cb57507b6287d937251a7e1fc3307fca16d60c4c5dcd420ac

Download Submit
C:\ProgramData\aiuhro\rnjw.exe
MD5
d5a1df9d234d4bb47628ca6f22b02c1a

SHA1
b685e795c9505b28d43de0879ec98b9ecab0e4e2

SHA256
572caae09650d4eba511615a5747c2f0eea16fa0146657bc5e82bac131288ead

SHA512
3b1683269f9077b045b74c31acb6cd7e94040fee7f8024fa74a3e68d07c971859daf718b7fb36a4cb57507b6287d937251a7e1fc3307fca16d60c4c5dcd420ac

Download Submit
C:\ProgramData\eucekm\qvhss.exe
MD5
d5a1df9d234d4bb47628ca6f22b02c1a

SHA1
b685e795c9505b28d43de0879ec98b9ecab0e4e2

SHA256
572caae09650d4eba511615a5747c2f0eea16fa0146657bc5e82bac131288ead

SHA512
3b1683269f9077b045b74c31acb6cd7e94040fee7f8024fa74a3e68d07c971859daf718b7fb36a4cb57507b6287d937251a7e1fc3307fca16d60c4c5dcd420ac

Download Submit
C:\ProgramData\eucekm\qvhss.exe
MD5
d5a1df9d234d4bb47628ca6f22b02c1a

SHA1
b685e795c9505b28d43de0879ec98b9ecab0e4e2

SHA256
572caae09650d4eba511615a5747c2f0eea16fa0146657bc5e82bac131288ead

SHA512
3b1683269f9077b045b74c31acb6cd7e94040fee7f8024fa74a3e68d07c971859daf718b7fb36a4cb57507b6287d937251a7e1fc3307fca16d60c4c5dcd420ac

Download Submit
C:\Windows\TEMP\kjsfrui.exe
MD5
d5a1df9d234d4bb47628ca6f22b02c1a

SHA1
b685e795c9505b28d43de0879ec98b9ecab0e4e2

SHA256
572caae09650d4eba511615a5747c2f0eea16fa0146657bc5e82bac131288ead

SHA512
3b1683269f9077b045b74c31acb6cd7e94040fee7f8024fa74a3e68d07c971859daf718b7fb36a4cb57507b6287d937251a7e1fc3307fca16d60c4c5dcd420ac

Download Submit
C:\Windows\Tasks\rnjw.job
MD5
cb4887cd931ccca1c0f1089faa67489d

SHA1
73fa11c3db687e6f6ee9c76bb4483227e535407e

SHA256
e12bce70716f9ea07acf9696646114b25f5cce6e297aa7540069a5f4a233e40a

SHA512
9ecdbdcf9d8ea10a23d85cf31d624e0bf0e65743ffad1ba9790330388483789bde5c3d7c40c3c94a3924ff84e18e2667243a8da04adce340ba5ceadbb7fca815

Download Submit
C:\Windows\Temp\kjsfrui.exe
MD5
d5a1df9d234d4bb47628ca6f22b02c1a

SHA1
b685e795c9505b28d43de0879ec98b9ecab0e4e2

SHA256
572caae09650d4eba511615a5747c2f0eea16fa0146657bc5e82bac131288ead

SHA512
3b1683269f9077b045b74c31acb6cd7e94040fee7f8024fa74a3e68d07c971859daf718b7fb36a4cb57507b6287d937251a7e1fc3307fca16d60c4c5dcd420ac

Download Submit
memory/560-136-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/560-135-0x00000000004E9000-0x00000000004F2000-memory.dmp

Filesize
36KB

Download
memory/560-137-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/560-134-0x00000000004E9000-0x00000000004F2000-memory.dmp

Filesize
36KB

Download
memory/1288-141-0x00000000007B5000-0x00000000007BE000-memory.dmp

Filesize
36KB

Download
memory/1288-142-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1288-140-0x00000000007B5000-0x00000000007BE000-memory.dmp

Filesize
36KB

Download
memory/1684-151-0x0000000000505000-0x000000000050E000-memory.dmp

Filesize
36KB

Download
memory/1684-152-0x0000000000505000-0x000000000050E000-memory.dmp

Filesize
36KB

Download
memory/1684-153-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4040-145-0x0000000000695000-0x000000000069E000-memory.dmp

Filesize
36KB

Download
memory/4040-147-0x0000000000695000-0x000000000069E000-memory.dmp

Filesize
36KB

Download
memory/4040-148-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads