systembc | 70f95be0a7035dd24ec29d91f3bf9db0d184760725f4742d2560e59d048221ea

General

Target

70f95be0a7035dd24ec29d91f3bf9db0d184760725f4742d2560e59d048221ea.exe
Size

232KB
MD5

f8e7ddc24c5807eefb4c3a1d984c9649
SHA1

549870c8f3cc21b13bb78969ce6e8a1717c3255a
SHA256

70f95be0a7035dd24ec29d91f3bf9db0d184760725f4742d2560e59d048221ea
SHA512

bc5207ad0a9c5602eb401e38d92fbcf51f8fe90dd73ac27e33c1d71ae99b4ef34eb95a29093b5ce2b88377c367d0c189ed1e8a8c0176d7496d61ee940d9b392d

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

jwmcksr.exeogvkxr.exeuhut.exe

pid process

1536 jwmcksr.exe
4908 ogvkxr.exe
840 uhut.exe

pid	process
1536	jwmcksr.exe
4908	ogvkxr.exe
840	uhut.exe

Drops file in Windows directory 5 IoCs

Processes:

70f95be0a7035dd24ec29d91f3bf9db0d184760725f4742d2560e59d048221ea.exejwmcksr.exeogvkxr.exe

description	ioc	process
File created	C:\Windows\Tasks\jwmcksr.job	70f95be0a7035dd24ec29d91f3bf9db0d184760725f4742d2560e59d048221ea.exe
File opened for modification	C:\Windows\Tasks\jwmcksr.job	70f95be0a7035dd24ec29d91f3bf9db0d184760725f4742d2560e59d048221ea.exe
File created	C:\Windows\Tasks\otbwurqmligcbvuqpnj.job	jwmcksr.exe
File created	C:\Windows\Tasks\uhut.job	ogvkxr.exe
File opened for modification	C:\Windows\Tasks\uhut.job	ogvkxr.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1724 3264 WerFault.exe 70f95be0a7035dd24ec29d91f3bf9db0d184760725f4742d2560e59d048221ea.exe

pid	pid_target	process	target process
1724	3264	WerFault.exe	70f95be0a7035dd24ec29d91f3bf9db0d184760725f4742d2560e59d048221ea.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

70f95be0a7035dd24ec29d91f3bf9db0d184760725f4742d2560e59d048221ea.exeogvkxr.exe

pid	process
3264	70f95be0a7035dd24ec29d91f3bf9db0d184760725f4742d2560e59d048221ea.exe
3264	70f95be0a7035dd24ec29d91f3bf9db0d184760725f4742d2560e59d048221ea.exe
4908	ogvkxr.exe
4908	ogvkxr.exe

C:\Users\Admin\AppData\Local\Temp\70f95be0a7035dd24ec29d91f3bf9db0d184760725f4742d2560e59d048221ea.exe
"C:\Users\Admin\AppData\Local\Temp\70f95be0a7035dd24ec29d91f3bf9db0d184760725f4742d2560e59d048221ea.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 960
2⤵
- Program crash
PID:1724

C:\ProgramData\ohitoql\jwmcksr.exe
C:\ProgramData\ohitoql\jwmcksr.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3264 -ip 3264
1⤵
PID:4404

C:\Windows\TEMP\ogvkxr.exe
C:\Windows\TEMP\ogvkxr.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4908

C:\ProgramData\iwui\uhut.exe
C:\ProgramData\iwui\uhut.exe start
1⤵
- Executes dropped EXE
PID:840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\iwui\uhut.exe
MD5
f8e7ddc24c5807eefb4c3a1d984c9649

SHA1
549870c8f3cc21b13bb78969ce6e8a1717c3255a

SHA256
70f95be0a7035dd24ec29d91f3bf9db0d184760725f4742d2560e59d048221ea

SHA512
bc5207ad0a9c5602eb401e38d92fbcf51f8fe90dd73ac27e33c1d71ae99b4ef34eb95a29093b5ce2b88377c367d0c189ed1e8a8c0176d7496d61ee940d9b392d

Download Submit
C:\ProgramData\iwui\uhut.exe
MD5
f8e7ddc24c5807eefb4c3a1d984c9649

SHA1
549870c8f3cc21b13bb78969ce6e8a1717c3255a

SHA256
70f95be0a7035dd24ec29d91f3bf9db0d184760725f4742d2560e59d048221ea

SHA512
bc5207ad0a9c5602eb401e38d92fbcf51f8fe90dd73ac27e33c1d71ae99b4ef34eb95a29093b5ce2b88377c367d0c189ed1e8a8c0176d7496d61ee940d9b392d

Download Submit
C:\ProgramData\ohitoql\jwmcksr.exe
MD5
f8e7ddc24c5807eefb4c3a1d984c9649

SHA1
549870c8f3cc21b13bb78969ce6e8a1717c3255a

SHA256
70f95be0a7035dd24ec29d91f3bf9db0d184760725f4742d2560e59d048221ea

SHA512
bc5207ad0a9c5602eb401e38d92fbcf51f8fe90dd73ac27e33c1d71ae99b4ef34eb95a29093b5ce2b88377c367d0c189ed1e8a8c0176d7496d61ee940d9b392d

Download Submit
C:\ProgramData\ohitoql\jwmcksr.exe
MD5
f8e7ddc24c5807eefb4c3a1d984c9649

SHA1
549870c8f3cc21b13bb78969ce6e8a1717c3255a

SHA256
70f95be0a7035dd24ec29d91f3bf9db0d184760725f4742d2560e59d048221ea

SHA512
bc5207ad0a9c5602eb401e38d92fbcf51f8fe90dd73ac27e33c1d71ae99b4ef34eb95a29093b5ce2b88377c367d0c189ed1e8a8c0176d7496d61ee940d9b392d

Download Submit
C:\Windows\TEMP\ogvkxr.exe
MD5
f8e7ddc24c5807eefb4c3a1d984c9649

SHA1
549870c8f3cc21b13bb78969ce6e8a1717c3255a

SHA256
70f95be0a7035dd24ec29d91f3bf9db0d184760725f4742d2560e59d048221ea

SHA512
bc5207ad0a9c5602eb401e38d92fbcf51f8fe90dd73ac27e33c1d71ae99b4ef34eb95a29093b5ce2b88377c367d0c189ed1e8a8c0176d7496d61ee940d9b392d

Download Submit
C:\Windows\Tasks\jwmcksr.job
MD5
0976e3dcf1696f2eb2f6d71db17ab629

SHA1
329076b33c7dd5e6fd3b822e82ca93812b78373a

SHA256
7f3ad8ff4ce91bb16fa8066486afa2a552c6a3c2f69b29e7eb86284383a30e9a

SHA512
91d54f72aa8f8f7db688bba35e6a34bc8dd5b3cf0a18ae5712f4f82ff861cb9dedfb8246129f8f0f5fe62d883b3bc414066d729b3a4bc7c461b849d77af8b922

Download Submit
C:\Windows\Temp\ogvkxr.exe
MD5
f8e7ddc24c5807eefb4c3a1d984c9649

SHA1
549870c8f3cc21b13bb78969ce6e8a1717c3255a

SHA256
70f95be0a7035dd24ec29d91f3bf9db0d184760725f4742d2560e59d048221ea

SHA512
bc5207ad0a9c5602eb401e38d92fbcf51f8fe90dd73ac27e33c1d71ae99b4ef34eb95a29093b5ce2b88377c367d0c189ed1e8a8c0176d7496d61ee940d9b392d

Download Submit
memory/840-149-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/840-148-0x00000000005CD000-0x00000000005D6000-memory.dmp

Filesize
36KB

Download
memory/840-147-0x00000000005CD000-0x00000000005D6000-memory.dmp

Filesize
36KB

Download
memory/1536-138-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1536-137-0x000000000069D000-0x00000000006A6000-memory.dmp

Filesize
36KB

Download
memory/1536-136-0x000000000069D000-0x00000000006A6000-memory.dmp

Filesize
36KB

Download
memory/3264-133-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3264-132-0x0000000000600000-0x0000000000609000-memory.dmp

Filesize
36KB

Download
memory/3264-131-0x0000000000641000-0x000000000064A000-memory.dmp

Filesize
36KB

Download
memory/3264-130-0x0000000000641000-0x000000000064A000-memory.dmp

Filesize
36KB

Download
memory/4908-141-0x000000000055D000-0x0000000000566000-memory.dmp

Filesize
36KB

Download
memory/4908-143-0x000000000055D000-0x0000000000566000-memory.dmp

Filesize
36KB

Download
memory/4908-144-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing