systembc | 6c65adeedf632ba99f4fc5631a883a2d199faf4e505c0a1e06c169ca6bd33365

General

Target

6c65adeedf632ba99f4fc5631a883a2d199faf4e505c0a1e06c169ca6bd33365.exe
Size

233KB
MD5

f1aaf391cd3187ac41ade80b7520843e
SHA1

d0b9b290fed1a09aafc04c4b1b657d8ebd03ed7b
SHA256

6c65adeedf632ba99f4fc5631a883a2d199faf4e505c0a1e06c169ca6bd33365
SHA512

0faee51c84467a90137be7a6503662cfb50b403711fe6a7cf69d47d856f9cf5f3b4d9efb7084b3242490c986744edfc3a0382df87dbf07312e20a6b7736c27bf

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

fxadrdg.execxdx.exeopvwh.exe

pid process

2736 fxadrdg.exe
1492 cxdx.exe
1264 opvwh.exe

pid	process
2736	fxadrdg.exe
1492	cxdx.exe
1264	opvwh.exe

Drops file in Windows directory 5 IoCs

Processes:

cxdx.exe6c65adeedf632ba99f4fc5631a883a2d199faf4e505c0a1e06c169ca6bd33365.exefxadrdg.exe

description	ioc	process
File created	C:\Windows\Tasks\opvwh.job	cxdx.exe
File opened for modification	C:\Windows\Tasks\opvwh.job	cxdx.exe
File created	C:\Windows\Tasks\fxadrdg.job	6c65adeedf632ba99f4fc5631a883a2d199faf4e505c0a1e06c169ca6bd33365.exe
File opened for modification	C:\Windows\Tasks\fxadrdg.job	6c65adeedf632ba99f4fc5631a883a2d199faf4e505c0a1e06c169ca6bd33365.exe
File created	C:\Windows\Tasks\ooxxgveftiwmcqgukao.job	fxadrdg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

6c65adeedf632ba99f4fc5631a883a2d199faf4e505c0a1e06c169ca6bd33365.execxdx.exe

pid	process
1652	6c65adeedf632ba99f4fc5631a883a2d199faf4e505c0a1e06c169ca6bd33365.exe
1652	6c65adeedf632ba99f4fc5631a883a2d199faf4e505c0a1e06c169ca6bd33365.exe
1492	cxdx.exe
1492	cxdx.exe

C:\Users\Admin\AppData\Local\Temp\6c65adeedf632ba99f4fc5631a883a2d199faf4e505c0a1e06c169ca6bd33365.exe
"C:\Users\Admin\AppData\Local\Temp\6c65adeedf632ba99f4fc5631a883a2d199faf4e505c0a1e06c169ca6bd33365.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1652

C:\ProgramData\qdgg\fxadrdg.exe
C:\ProgramData\qdgg\fxadrdg.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2736

C:\Windows\TEMP\cxdx.exe
C:\Windows\TEMP\cxdx.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1492

C:\ProgramData\dbboe\opvwh.exe
C:\ProgramData\dbboe\opvwh.exe start
1⤵
- Executes dropped EXE
PID:1264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dbboe\opvwh.exe
MD5
f1aaf391cd3187ac41ade80b7520843e

SHA1
d0b9b290fed1a09aafc04c4b1b657d8ebd03ed7b

SHA256
6c65adeedf632ba99f4fc5631a883a2d199faf4e505c0a1e06c169ca6bd33365

SHA512
0faee51c84467a90137be7a6503662cfb50b403711fe6a7cf69d47d856f9cf5f3b4d9efb7084b3242490c986744edfc3a0382df87dbf07312e20a6b7736c27bf

Download Submit
C:\ProgramData\dbboe\opvwh.exe
MD5
f1aaf391cd3187ac41ade80b7520843e

SHA1
d0b9b290fed1a09aafc04c4b1b657d8ebd03ed7b

SHA256
6c65adeedf632ba99f4fc5631a883a2d199faf4e505c0a1e06c169ca6bd33365

SHA512
0faee51c84467a90137be7a6503662cfb50b403711fe6a7cf69d47d856f9cf5f3b4d9efb7084b3242490c986744edfc3a0382df87dbf07312e20a6b7736c27bf

Download Submit
C:\ProgramData\qdgg\fxadrdg.exe
MD5
f1aaf391cd3187ac41ade80b7520843e

SHA1
d0b9b290fed1a09aafc04c4b1b657d8ebd03ed7b

SHA256
6c65adeedf632ba99f4fc5631a883a2d199faf4e505c0a1e06c169ca6bd33365

SHA512
0faee51c84467a90137be7a6503662cfb50b403711fe6a7cf69d47d856f9cf5f3b4d9efb7084b3242490c986744edfc3a0382df87dbf07312e20a6b7736c27bf

Download Submit
C:\ProgramData\qdgg\fxadrdg.exe
MD5
f1aaf391cd3187ac41ade80b7520843e

SHA1
d0b9b290fed1a09aafc04c4b1b657d8ebd03ed7b

SHA256
6c65adeedf632ba99f4fc5631a883a2d199faf4e505c0a1e06c169ca6bd33365

SHA512
0faee51c84467a90137be7a6503662cfb50b403711fe6a7cf69d47d856f9cf5f3b4d9efb7084b3242490c986744edfc3a0382df87dbf07312e20a6b7736c27bf

Download Submit
C:\Windows\TEMP\cxdx.exe
MD5
f1aaf391cd3187ac41ade80b7520843e

SHA1
d0b9b290fed1a09aafc04c4b1b657d8ebd03ed7b

SHA256
6c65adeedf632ba99f4fc5631a883a2d199faf4e505c0a1e06c169ca6bd33365

SHA512
0faee51c84467a90137be7a6503662cfb50b403711fe6a7cf69d47d856f9cf5f3b4d9efb7084b3242490c986744edfc3a0382df87dbf07312e20a6b7736c27bf

Download Submit
C:\Windows\Tasks\fxadrdg.job
MD5
e7a1132c6b16f8f198a1cf71882975e3

SHA1
2e660a632add2e4925fcad28de5c1705f95b5664

SHA256
058ac2f318fbe9737f13d04c58f3251b3acdff0c4b9cfae704c36d69f9336c46

SHA512
852a994d5bc3afa93fcf22d805ea3d90fc01db4807637129054cfaae56ceb9f82a4974dc41c29059bfc8a12780a4c7842d824c71a8fee0ee8194ed9df7181b0d

Download Submit
C:\Windows\Temp\cxdx.exe
MD5
f1aaf391cd3187ac41ade80b7520843e

SHA1
d0b9b290fed1a09aafc04c4b1b657d8ebd03ed7b

SHA256
6c65adeedf632ba99f4fc5631a883a2d199faf4e505c0a1e06c169ca6bd33365

SHA512
0faee51c84467a90137be7a6503662cfb50b403711fe6a7cf69d47d856f9cf5f3b4d9efb7084b3242490c986744edfc3a0382df87dbf07312e20a6b7736c27bf

Download Submit
memory/1264-136-0x0000000000662000-0x000000000066B000-memory.dmp

Filesize
36KB

Download
memory/1492-132-0x0000000000590000-0x00000000006DA000-memory.dmp

Filesize
1.3MB

Download
memory/1492-133-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1652-119-0x0000000000470000-0x00000000005BA000-memory.dmp

Filesize
1.3MB

Download
memory/1652-121-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1652-120-0x0000000000470000-0x000000000051E000-memory.dmp

Filesize
696KB

Download
memory/2736-127-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2736-125-0x0000000000662000-0x000000000066B000-memory.dmp

Filesize
36KB

Download
memory/2736-126-0x00000000004C0000-0x00000000004C9000-memory.dmp

Filesize
36KB

Download
memory/2736-124-0x0000000000662000-0x000000000066B000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing