systembc | 519e4c270cc4c94c04ed38fbf5753477c811c260723f032ddec5e04e91eef266

General

Target

519e4c270cc4c94c04ed38fbf5753477c811c260723f032ddec5e04e91eef266.exe
Size

232KB
MD5

29d27fcaacf725fa80f15793dc3c5214
SHA1

1ea0a2f54f7b2eb3f7091f5dc5ca91382715c058
SHA256

519e4c270cc4c94c04ed38fbf5753477c811c260723f032ddec5e04e91eef266
SHA512

433fcffbe41469cca583badc16878e9001af4b8ea2ed35525f6af024c9597d521dd658e8579525b42b4b240486074e5d7849758337489fed64fb3a0104c73421

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

hsmffqx.exexudm.exerdruehu.exe

pid process

2852 hsmffqx.exe
3468 xudm.exe
4056 rdruehu.exe

pid	process
2852	hsmffqx.exe
3468	xudm.exe
4056	rdruehu.exe

Drops file in Windows directory 5 IoCs

Processes:

519e4c270cc4c94c04ed38fbf5753477c811c260723f032ddec5e04e91eef266.exehsmffqx.exexudm.exe

description	ioc	process
File created	C:\Windows\Tasks\hsmffqx.job	519e4c270cc4c94c04ed38fbf5753477c811c260723f032ddec5e04e91eef266.exe
File opened for modification	C:\Windows\Tasks\hsmffqx.job	519e4c270cc4c94c04ed38fbf5753477c811c260723f032ddec5e04e91eef266.exe
File created	C:\Windows\Tasks\phhudkrahnvemsciqwg.job	hsmffqx.exe
File created	C:\Windows\Tasks\rdruehu.job	xudm.exe
File opened for modification	C:\Windows\Tasks\rdruehu.job	xudm.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1896 1556 WerFault.exe 519e4c270cc4c94c04ed38fbf5753477c811c260723f032ddec5e04e91eef266.exe

pid	pid_target	process	target process
1896	1556	WerFault.exe	519e4c270cc4c94c04ed38fbf5753477c811c260723f032ddec5e04e91eef266.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

519e4c270cc4c94c04ed38fbf5753477c811c260723f032ddec5e04e91eef266.exexudm.exe

pid	process
1556	519e4c270cc4c94c04ed38fbf5753477c811c260723f032ddec5e04e91eef266.exe
1556	519e4c270cc4c94c04ed38fbf5753477c811c260723f032ddec5e04e91eef266.exe
3468	xudm.exe
3468	xudm.exe

C:\Users\Admin\AppData\Local\Temp\519e4c270cc4c94c04ed38fbf5753477c811c260723f032ddec5e04e91eef266.exe
"C:\Users\Admin\AppData\Local\Temp\519e4c270cc4c94c04ed38fbf5753477c811c260723f032ddec5e04e91eef266.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 968
2⤵
- Program crash
PID:1896

C:\ProgramData\sqjr\hsmffqx.exe
C:\ProgramData\sqjr\hsmffqx.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1556 -ip 1556
1⤵
PID:2300

C:\Windows\TEMP\xudm.exe
C:\Windows\TEMP\xudm.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3468

C:\ProgramData\eujwd\rdruehu.exe
C:\ProgramData\eujwd\rdruehu.exe start
1⤵
- Executes dropped EXE
PID:4056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eujwd\rdruehu.exe
MD5
29d27fcaacf725fa80f15793dc3c5214

SHA1
1ea0a2f54f7b2eb3f7091f5dc5ca91382715c058

SHA256
519e4c270cc4c94c04ed38fbf5753477c811c260723f032ddec5e04e91eef266

SHA512
433fcffbe41469cca583badc16878e9001af4b8ea2ed35525f6af024c9597d521dd658e8579525b42b4b240486074e5d7849758337489fed64fb3a0104c73421

Download Submit
C:\ProgramData\eujwd\rdruehu.exe
MD5
29d27fcaacf725fa80f15793dc3c5214

SHA1
1ea0a2f54f7b2eb3f7091f5dc5ca91382715c058

SHA256
519e4c270cc4c94c04ed38fbf5753477c811c260723f032ddec5e04e91eef266

SHA512
433fcffbe41469cca583badc16878e9001af4b8ea2ed35525f6af024c9597d521dd658e8579525b42b4b240486074e5d7849758337489fed64fb3a0104c73421

Download Submit
C:\ProgramData\sqjr\hsmffqx.exe
MD5
29d27fcaacf725fa80f15793dc3c5214

SHA1
1ea0a2f54f7b2eb3f7091f5dc5ca91382715c058

SHA256
519e4c270cc4c94c04ed38fbf5753477c811c260723f032ddec5e04e91eef266

SHA512
433fcffbe41469cca583badc16878e9001af4b8ea2ed35525f6af024c9597d521dd658e8579525b42b4b240486074e5d7849758337489fed64fb3a0104c73421

Download Submit
C:\ProgramData\sqjr\hsmffqx.exe
MD5
29d27fcaacf725fa80f15793dc3c5214

SHA1
1ea0a2f54f7b2eb3f7091f5dc5ca91382715c058

SHA256
519e4c270cc4c94c04ed38fbf5753477c811c260723f032ddec5e04e91eef266

SHA512
433fcffbe41469cca583badc16878e9001af4b8ea2ed35525f6af024c9597d521dd658e8579525b42b4b240486074e5d7849758337489fed64fb3a0104c73421

Download Submit
C:\Windows\TEMP\xudm.exe
MD5
29d27fcaacf725fa80f15793dc3c5214

SHA1
1ea0a2f54f7b2eb3f7091f5dc5ca91382715c058

SHA256
519e4c270cc4c94c04ed38fbf5753477c811c260723f032ddec5e04e91eef266

SHA512
433fcffbe41469cca583badc16878e9001af4b8ea2ed35525f6af024c9597d521dd658e8579525b42b4b240486074e5d7849758337489fed64fb3a0104c73421

Download Submit
C:\Windows\Tasks\hsmffqx.job
MD5
721d63f1f8c6c7e1f5c4e8aebb85c2a7

SHA1
2d5da5c215aac3f0ebdf14a8f33517074249ffd0

SHA256
f320ad2a1f26c1a99d20fbcb963eb9d2827613ea5b80535bf28d0a2314c4364f

SHA512
a6141216589c9b6b2a1fb277083e091298db75409048c54c08a48762098cc7d83df37774eff91ff5c13da6b89f93b83acb83f109c9113028deeb75bb5e484cb9

Download Submit
C:\Windows\Temp\xudm.exe
MD5
29d27fcaacf725fa80f15793dc3c5214

SHA1
1ea0a2f54f7b2eb3f7091f5dc5ca91382715c058

SHA256
519e4c270cc4c94c04ed38fbf5753477c811c260723f032ddec5e04e91eef266

SHA512
433fcffbe41469cca583badc16878e9001af4b8ea2ed35525f6af024c9597d521dd658e8579525b42b4b240486074e5d7849758337489fed64fb3a0104c73421

Download Submit
memory/1556-131-0x0000000000511000-0x000000000051A000-memory.dmp

Filesize
36KB

Download
memory/1556-130-0x0000000000511000-0x000000000051A000-memory.dmp

Filesize
36KB

Download
memory/1556-132-0x00000000021A0000-0x00000000021A9000-memory.dmp

Filesize
36KB

Download
memory/1556-133-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2852-138-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2852-137-0x000000000082D000-0x0000000000836000-memory.dmp

Filesize
36KB

Download
memory/2852-136-0x000000000082D000-0x0000000000836000-memory.dmp

Filesize
36KB

Download
memory/3468-141-0x000000000056D000-0x0000000000576000-memory.dmp

Filesize
36KB

Download
memory/3468-143-0x000000000056D000-0x0000000000576000-memory.dmp

Filesize
36KB

Download
memory/3468-144-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4056-147-0x000000000077D000-0x0000000000786000-memory.dmp

Filesize
36KB

Download
memory/4056-148-0x000000000077D000-0x0000000000786000-memory.dmp

Filesize
36KB

Download
memory/4056-149-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing