systembc | 4269ec2d9eaf4f95c02f857ef6ba933f42d9fcf1802557ffffa3928d8ce44e44

General

Target

4269ec2d9eaf4f95c02f857ef6ba933f42d9fcf1802557ffffa3928d8ce44e44.exe
Size

233KB
MD5

1102e3b505288dee166253efa664b9eb
SHA1

f7cccb8a49bee701a8d652df0cd44c9aca6fffff
SHA256

4269ec2d9eaf4f95c02f857ef6ba933f42d9fcf1802557ffffa3928d8ce44e44
SHA512

2e0a76f4d08a60a709011c22bc54a9bbfb519104276d808400c3aa3f0122fb3aaa1ba4befce40e47ba0d795877e3e42bbe2c63b5a96e4c7ca637dd30fdab41f9

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

ijakb.exerccngs.exebrusr.exe

pid process

1504 ijakb.exe
432 rccngs.exe
2684 brusr.exe

pid	process
1504	ijakb.exe
432	rccngs.exe
2684	brusr.exe

Drops file in Windows directory 5 IoCs

Processes:

4269ec2d9eaf4f95c02f857ef6ba933f42d9fcf1802557ffffa3928d8ce44e44.exeijakb.exerccngs.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\ijakb.job	4269ec2d9eaf4f95c02f857ef6ba933f42d9fcf1802557ffffa3928d8ce44e44.exe
File created	C:\Windows\Tasks\mvmqabarvajhltxigps.job	ijakb.exe
File created	C:\Windows\Tasks\brusr.job	rccngs.exe
File opened for modification	C:\Windows\Tasks\brusr.job	rccngs.exe
File created	C:\Windows\Tasks\ijakb.job	4269ec2d9eaf4f95c02f857ef6ba933f42d9fcf1802557ffffa3928d8ce44e44.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3428 1712 WerFault.exe 4269ec2d9eaf4f95c02f857ef6ba933f42d9fcf1802557ffffa3928d8ce44e44.exe

pid	pid_target	process	target process
3428	1712	WerFault.exe	4269ec2d9eaf4f95c02f857ef6ba933f42d9fcf1802557ffffa3928d8ce44e44.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

4269ec2d9eaf4f95c02f857ef6ba933f42d9fcf1802557ffffa3928d8ce44e44.exerccngs.exe

pid	process
1712	4269ec2d9eaf4f95c02f857ef6ba933f42d9fcf1802557ffffa3928d8ce44e44.exe
1712	4269ec2d9eaf4f95c02f857ef6ba933f42d9fcf1802557ffffa3928d8ce44e44.exe
432	rccngs.exe
432	rccngs.exe

C:\Users\Admin\AppData\Local\Temp\4269ec2d9eaf4f95c02f857ef6ba933f42d9fcf1802557ffffa3928d8ce44e44.exe
"C:\Users\Admin\AppData\Local\Temp\4269ec2d9eaf4f95c02f857ef6ba933f42d9fcf1802557ffffa3928d8ce44e44.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 940
2⤵
- Program crash
PID:3428

C:\ProgramData\awiu\ijakb.exe
C:\ProgramData\awiu\ijakb.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1712 -ip 1712
1⤵
PID:4528

C:\Windows\TEMP\rccngs.exe
C:\Windows\TEMP\rccngs.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:432

C:\ProgramData\djufw\brusr.exe
C:\ProgramData\djufw\brusr.exe start
1⤵
- Executes dropped EXE
PID:2684

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\awiu\ijakb.exe
MD5
1102e3b505288dee166253efa664b9eb

SHA1
f7cccb8a49bee701a8d652df0cd44c9aca6fffff

SHA256
4269ec2d9eaf4f95c02f857ef6ba933f42d9fcf1802557ffffa3928d8ce44e44

SHA512
2e0a76f4d08a60a709011c22bc54a9bbfb519104276d808400c3aa3f0122fb3aaa1ba4befce40e47ba0d795877e3e42bbe2c63b5a96e4c7ca637dd30fdab41f9

Download Submit
C:\ProgramData\awiu\ijakb.exe
MD5
1102e3b505288dee166253efa664b9eb

SHA1
f7cccb8a49bee701a8d652df0cd44c9aca6fffff

SHA256
4269ec2d9eaf4f95c02f857ef6ba933f42d9fcf1802557ffffa3928d8ce44e44

SHA512
2e0a76f4d08a60a709011c22bc54a9bbfb519104276d808400c3aa3f0122fb3aaa1ba4befce40e47ba0d795877e3e42bbe2c63b5a96e4c7ca637dd30fdab41f9

Download Submit
C:\ProgramData\djufw\brusr.exe
MD5
1102e3b505288dee166253efa664b9eb

SHA1
f7cccb8a49bee701a8d652df0cd44c9aca6fffff

SHA256
4269ec2d9eaf4f95c02f857ef6ba933f42d9fcf1802557ffffa3928d8ce44e44

SHA512
2e0a76f4d08a60a709011c22bc54a9bbfb519104276d808400c3aa3f0122fb3aaa1ba4befce40e47ba0d795877e3e42bbe2c63b5a96e4c7ca637dd30fdab41f9

Download Submit
C:\ProgramData\djufw\brusr.exe
MD5
1102e3b505288dee166253efa664b9eb

SHA1
f7cccb8a49bee701a8d652df0cd44c9aca6fffff

SHA256
4269ec2d9eaf4f95c02f857ef6ba933f42d9fcf1802557ffffa3928d8ce44e44

SHA512
2e0a76f4d08a60a709011c22bc54a9bbfb519104276d808400c3aa3f0122fb3aaa1ba4befce40e47ba0d795877e3e42bbe2c63b5a96e4c7ca637dd30fdab41f9

Download Submit
C:\Windows\TEMP\rccngs.exe
MD5
1102e3b505288dee166253efa664b9eb

SHA1
f7cccb8a49bee701a8d652df0cd44c9aca6fffff

SHA256
4269ec2d9eaf4f95c02f857ef6ba933f42d9fcf1802557ffffa3928d8ce44e44

SHA512
2e0a76f4d08a60a709011c22bc54a9bbfb519104276d808400c3aa3f0122fb3aaa1ba4befce40e47ba0d795877e3e42bbe2c63b5a96e4c7ca637dd30fdab41f9

Download Submit
C:\Windows\Tasks\ijakb.job
MD5
654b410f0319ecd9f2edcf635eadc732

SHA1
6d0abdf5de29fd546ee2c8c1bf169eb32aa0090d

SHA256
2040ecd712d1f0fc5c58f84ed411e6ebf8d335ad37633a9aaab524fc1f2877ad

SHA512
0dcf5c75a19e63d528e2b9959650db1bcc2d617ef31cb0fa30a8c1b2e69c4f086dd01053a3fd25e4fdb8cec24d58515af00186ba67b941dc9964273dd0bc9a41

Download Submit
C:\Windows\Temp\rccngs.exe
MD5
1102e3b505288dee166253efa664b9eb

SHA1
f7cccb8a49bee701a8d652df0cd44c9aca6fffff

SHA256
4269ec2d9eaf4f95c02f857ef6ba933f42d9fcf1802557ffffa3928d8ce44e44

SHA512
2e0a76f4d08a60a709011c22bc54a9bbfb519104276d808400c3aa3f0122fb3aaa1ba4befce40e47ba0d795877e3e42bbe2c63b5a96e4c7ca637dd30fdab41f9

Download Submit
memory/432-148-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/432-147-0x000000000073D000-0x0000000000746000-memory.dmp

Filesize
36KB

Download
memory/432-145-0x000000000073D000-0x0000000000746000-memory.dmp

Filesize
36KB

Download
memory/1504-141-0x000000000071D000-0x0000000000726000-memory.dmp

Filesize
36KB

Download
memory/1504-142-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1504-140-0x000000000071D000-0x0000000000726000-memory.dmp

Filesize
36KB

Download
memory/1712-137-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1712-135-0x0000000000601000-0x000000000060A000-memory.dmp

Filesize
36KB

Download
memory/1712-134-0x0000000000601000-0x000000000060A000-memory.dmp

Filesize
36KB

Download
memory/1712-136-0x00000000005C0000-0x00000000005C9000-memory.dmp

Filesize
36KB

Download
memory/2684-151-0x000000000057D000-0x0000000000586000-memory.dmp

Filesize
36KB

Download
memory/2684-152-0x000000000057D000-0x0000000000586000-memory.dmp

Filesize
36KB

Download
memory/2684-153-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing