systembc | 8f7121a958df11aa43e815ca7a817855f0b9c110dc2b04218e2d2cf70af183a9

General

Target

8f7121a958df11aa43e815ca7a817855f0b9c110dc2b04218e2d2cf70af183a9.exe
Size

232KB
MD5

ce591b70c7652020600bf6a1a921caf9
SHA1

eaa943f12b21ce0f8229bd9d1ada80f5d7201bb2
SHA256

8f7121a958df11aa43e815ca7a817855f0b9c110dc2b04218e2d2cf70af183a9
SHA512

86691bc1cab89d29b71e2da4d8c48de571c3c9f12f15a57efc874a4dd415dec0099aabacbce37ca30e18d3ac724ad690a8b06ec841997e380662b6c163727955

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

rcdf.exevsdl.exephks.exe

pid process

2308 rcdf.exe
4256 vsdl.exe
3564 phks.exe

pid	process
2308	rcdf.exe
4256	vsdl.exe
3564	phks.exe

Drops file in Windows directory 5 IoCs

Processes:

vsdl.exe8f7121a958df11aa43e815ca7a817855f0b9c110dc2b04218e2d2cf70af183a9.exercdf.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\phks.job	vsdl.exe
File created	C:\Windows\Tasks\rcdf.job	8f7121a958df11aa43e815ca7a817855f0b9c110dc2b04218e2d2cf70af183a9.exe
File opened for modification	C:\Windows\Tasks\rcdf.job	8f7121a958df11aa43e815ca7a817855f0b9c110dc2b04218e2d2cf70af183a9.exe
File created	C:\Windows\Tasks\pnmtcjrebjqxgntcjqw.job	rcdf.exe
File created	C:\Windows\Tasks\phks.job	vsdl.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

556 4288 WerFault.exe 8f7121a958df11aa43e815ca7a817855f0b9c110dc2b04218e2d2cf70af183a9.exe

pid	pid_target	process	target process
556	4288	WerFault.exe	8f7121a958df11aa43e815ca7a817855f0b9c110dc2b04218e2d2cf70af183a9.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

8f7121a958df11aa43e815ca7a817855f0b9c110dc2b04218e2d2cf70af183a9.exevsdl.exe

pid	process
4288	8f7121a958df11aa43e815ca7a817855f0b9c110dc2b04218e2d2cf70af183a9.exe
4288	8f7121a958df11aa43e815ca7a817855f0b9c110dc2b04218e2d2cf70af183a9.exe
4256	vsdl.exe
4256	vsdl.exe

C:\Users\Admin\AppData\Local\Temp\8f7121a958df11aa43e815ca7a817855f0b9c110dc2b04218e2d2cf70af183a9.exe
"C:\Users\Admin\AppData\Local\Temp\8f7121a958df11aa43e815ca7a817855f0b9c110dc2b04218e2d2cf70af183a9.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 948
2⤵
- Program crash
PID:556

C:\ProgramData\fegwbmu\rcdf.exe
C:\ProgramData\fegwbmu\rcdf.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4288 -ip 4288
1⤵
PID:216

C:\Windows\TEMP\vsdl.exe
C:\Windows\TEMP\vsdl.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4256

C:\ProgramData\mbawxj\phks.exe
C:\ProgramData\mbawxj\phks.exe start
1⤵
- Executes dropped EXE
PID:3564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fegwbmu\rcdf.exe
MD5
ce591b70c7652020600bf6a1a921caf9

SHA1
eaa943f12b21ce0f8229bd9d1ada80f5d7201bb2

SHA256
8f7121a958df11aa43e815ca7a817855f0b9c110dc2b04218e2d2cf70af183a9

SHA512
86691bc1cab89d29b71e2da4d8c48de571c3c9f12f15a57efc874a4dd415dec0099aabacbce37ca30e18d3ac724ad690a8b06ec841997e380662b6c163727955

Download Submit
C:\ProgramData\fegwbmu\rcdf.exe
MD5
ce591b70c7652020600bf6a1a921caf9

SHA1
eaa943f12b21ce0f8229bd9d1ada80f5d7201bb2

SHA256
8f7121a958df11aa43e815ca7a817855f0b9c110dc2b04218e2d2cf70af183a9

SHA512
86691bc1cab89d29b71e2da4d8c48de571c3c9f12f15a57efc874a4dd415dec0099aabacbce37ca30e18d3ac724ad690a8b06ec841997e380662b6c163727955

Download Submit
C:\ProgramData\mbawxj\phks.exe
MD5
ce591b70c7652020600bf6a1a921caf9

SHA1
eaa943f12b21ce0f8229bd9d1ada80f5d7201bb2

SHA256
8f7121a958df11aa43e815ca7a817855f0b9c110dc2b04218e2d2cf70af183a9

SHA512
86691bc1cab89d29b71e2da4d8c48de571c3c9f12f15a57efc874a4dd415dec0099aabacbce37ca30e18d3ac724ad690a8b06ec841997e380662b6c163727955

Download Submit
C:\ProgramData\mbawxj\phks.exe
MD5
ce591b70c7652020600bf6a1a921caf9

SHA1
eaa943f12b21ce0f8229bd9d1ada80f5d7201bb2

SHA256
8f7121a958df11aa43e815ca7a817855f0b9c110dc2b04218e2d2cf70af183a9

SHA512
86691bc1cab89d29b71e2da4d8c48de571c3c9f12f15a57efc874a4dd415dec0099aabacbce37ca30e18d3ac724ad690a8b06ec841997e380662b6c163727955

Download Submit
C:\Windows\TEMP\vsdl.exe
MD5
ce591b70c7652020600bf6a1a921caf9

SHA1
eaa943f12b21ce0f8229bd9d1ada80f5d7201bb2

SHA256
8f7121a958df11aa43e815ca7a817855f0b9c110dc2b04218e2d2cf70af183a9

SHA512
86691bc1cab89d29b71e2da4d8c48de571c3c9f12f15a57efc874a4dd415dec0099aabacbce37ca30e18d3ac724ad690a8b06ec841997e380662b6c163727955

Download Submit
C:\Windows\Tasks\rcdf.job
MD5
52f3573e1737c7d0ae5e5055553c934d

SHA1
1a1d22ad507349c8e86635e1f2df5cb7334c6335

SHA256
a201abe9abde4f1a4abbf38dbfe4b822859a124a3454b3c2cbe4cf06c7c3c6db

SHA512
c63291f15b571c72a89ea4f0b71c1cd7d2e69598adeb9823201b4d1cb59c9a17f3bfb89b51a47ba442065bc38580e21613798f523a48b1c5855d08a30079e7a4

Download Submit
C:\Windows\Temp\vsdl.exe
MD5
ce591b70c7652020600bf6a1a921caf9

SHA1
eaa943f12b21ce0f8229bd9d1ada80f5d7201bb2

SHA256
8f7121a958df11aa43e815ca7a817855f0b9c110dc2b04218e2d2cf70af183a9

SHA512
86691bc1cab89d29b71e2da4d8c48de571c3c9f12f15a57efc874a4dd415dec0099aabacbce37ca30e18d3ac724ad690a8b06ec841997e380662b6c163727955

Download Submit
memory/2308-138-0x00000000005C0000-0x00000000005C9000-memory.dmp

Filesize
36KB

Download
memory/2308-139-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2308-136-0x0000000000685000-0x000000000068E000-memory.dmp

Filesize
36KB

Download
memory/2308-137-0x0000000000685000-0x000000000068E000-memory.dmp

Filesize
36KB

Download
memory/3564-148-0x00000000004D5000-0x00000000004DE000-memory.dmp

Filesize
36KB

Download
memory/3564-150-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3564-149-0x00000000004D5000-0x00000000004DE000-memory.dmp

Filesize
36KB

Download
memory/4256-142-0x00000000006D5000-0x00000000006DE000-memory.dmp

Filesize
36KB

Download
memory/4256-144-0x00000000006D5000-0x00000000006DE000-memory.dmp

Filesize
36KB

Download
memory/4256-145-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4288-133-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4288-131-0x0000000000539000-0x0000000000542000-memory.dmp

Filesize
36KB

Download
memory/4288-132-0x00000000004E0000-0x00000000004E9000-memory.dmp

Filesize
36KB

Download
memory/4288-130-0x0000000000539000-0x0000000000542000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing