systembc | dbf1a40d9c78fde45c5c1f1648af8b3592e3ef4fea2f5c086b196d3784fdc3c8

General

Target

dbf1a40d9c78fde45c5c1f1648af8b3592e3ef4fea2f5c086b196d3784fdc3c8.exe
Size

232KB
MD5

14b1292f0bb166062b889b5ea588d593
SHA1

66522b2905ca9d04a9f3531bb1b73a7e0763de59
SHA256

dbf1a40d9c78fde45c5c1f1648af8b3592e3ef4fea2f5c086b196d3784fdc3c8
SHA512

0677383a45970bd7189e8158ffda4d1fd3076b61e5566efb46ba108bf1b5317d449f93d149ad09b28e4ee08ec90678fbcfc2dbcb8bc09a2ef4bbd866e31d595b

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

ddcj.exeoujxn.exeuttinr.exe

pid process

2344 ddcj.exe
4840 oujxn.exe
4280 uttinr.exe

pid	process
2344	ddcj.exe
4840	oujxn.exe
4280	uttinr.exe

Drops file in Windows directory 5 IoCs

Processes:

dbf1a40d9c78fde45c5c1f1648af8b3592e3ef4fea2f5c086b196d3784fdc3c8.exeddcj.exeoujxn.exe

description	ioc	process
File created	C:\Windows\Tasks\ddcj.job	dbf1a40d9c78fde45c5c1f1648af8b3592e3ef4fea2f5c086b196d3784fdc3c8.exe
File opened for modification	C:\Windows\Tasks\ddcj.job	dbf1a40d9c78fde45c5c1f1648af8b3592e3ef4fea2f5c086b196d3784fdc3c8.exe
File created	C:\Windows\Tasks\uhphtiujvkwlxmanboc.job	ddcj.exe
File created	C:\Windows\Tasks\uttinr.job	oujxn.exe
File opened for modification	C:\Windows\Tasks\uttinr.job	oujxn.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

260 3428 WerFault.exe dbf1a40d9c78fde45c5c1f1648af8b3592e3ef4fea2f5c086b196d3784fdc3c8.exe

pid	pid_target	process	target process
260	3428	WerFault.exe	dbf1a40d9c78fde45c5c1f1648af8b3592e3ef4fea2f5c086b196d3784fdc3c8.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

dbf1a40d9c78fde45c5c1f1648af8b3592e3ef4fea2f5c086b196d3784fdc3c8.exeoujxn.exe

pid	process
3428	dbf1a40d9c78fde45c5c1f1648af8b3592e3ef4fea2f5c086b196d3784fdc3c8.exe
3428	dbf1a40d9c78fde45c5c1f1648af8b3592e3ef4fea2f5c086b196d3784fdc3c8.exe
4840	oujxn.exe
4840	oujxn.exe

C:\Users\Admin\AppData\Local\Temp\dbf1a40d9c78fde45c5c1f1648af8b3592e3ef4fea2f5c086b196d3784fdc3c8.exe
"C:\Users\Admin\AppData\Local\Temp\dbf1a40d9c78fde45c5c1f1648af8b3592e3ef4fea2f5c086b196d3784fdc3c8.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 492
2⤵
- Program crash
PID:260

C:\ProgramData\kghjbia\ddcj.exe
C:\ProgramData\kghjbia\ddcj.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3428 -ip 3428
1⤵
PID:4944

C:\Windows\TEMP\oujxn.exe
C:\Windows\TEMP\oujxn.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4840

C:\ProgramData\kjopuwc\uttinr.exe
C:\ProgramData\kjopuwc\uttinr.exe start
1⤵
- Executes dropped EXE
PID:4280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kghjbia\ddcj.exe
MD5
14b1292f0bb166062b889b5ea588d593

SHA1
66522b2905ca9d04a9f3531bb1b73a7e0763de59

SHA256
dbf1a40d9c78fde45c5c1f1648af8b3592e3ef4fea2f5c086b196d3784fdc3c8

SHA512
0677383a45970bd7189e8158ffda4d1fd3076b61e5566efb46ba108bf1b5317d449f93d149ad09b28e4ee08ec90678fbcfc2dbcb8bc09a2ef4bbd866e31d595b

Download Submit
C:\ProgramData\kghjbia\ddcj.exe
MD5
14b1292f0bb166062b889b5ea588d593

SHA1
66522b2905ca9d04a9f3531bb1b73a7e0763de59

SHA256
dbf1a40d9c78fde45c5c1f1648af8b3592e3ef4fea2f5c086b196d3784fdc3c8

SHA512
0677383a45970bd7189e8158ffda4d1fd3076b61e5566efb46ba108bf1b5317d449f93d149ad09b28e4ee08ec90678fbcfc2dbcb8bc09a2ef4bbd866e31d595b

Download Submit
C:\ProgramData\kjopuwc\uttinr.exe
MD5
14b1292f0bb166062b889b5ea588d593

SHA1
66522b2905ca9d04a9f3531bb1b73a7e0763de59

SHA256
dbf1a40d9c78fde45c5c1f1648af8b3592e3ef4fea2f5c086b196d3784fdc3c8

SHA512
0677383a45970bd7189e8158ffda4d1fd3076b61e5566efb46ba108bf1b5317d449f93d149ad09b28e4ee08ec90678fbcfc2dbcb8bc09a2ef4bbd866e31d595b

Download Submit
C:\ProgramData\kjopuwc\uttinr.exe
MD5
14b1292f0bb166062b889b5ea588d593

SHA1
66522b2905ca9d04a9f3531bb1b73a7e0763de59

SHA256
dbf1a40d9c78fde45c5c1f1648af8b3592e3ef4fea2f5c086b196d3784fdc3c8

SHA512
0677383a45970bd7189e8158ffda4d1fd3076b61e5566efb46ba108bf1b5317d449f93d149ad09b28e4ee08ec90678fbcfc2dbcb8bc09a2ef4bbd866e31d595b

Download Submit
C:\Windows\TEMP\oujxn.exe
MD5
14b1292f0bb166062b889b5ea588d593

SHA1
66522b2905ca9d04a9f3531bb1b73a7e0763de59

SHA256
dbf1a40d9c78fde45c5c1f1648af8b3592e3ef4fea2f5c086b196d3784fdc3c8

SHA512
0677383a45970bd7189e8158ffda4d1fd3076b61e5566efb46ba108bf1b5317d449f93d149ad09b28e4ee08ec90678fbcfc2dbcb8bc09a2ef4bbd866e31d595b

Download Submit
C:\Windows\Tasks\ddcj.job
MD5
791eec16b44f1fddcbacd29d5b9d88c5

SHA1
2554ae734afb0d4f2523f1921ccd66a692e36d35

SHA256
aa94f2e0b6be8c5b43cc65ee3c646f55d6e61a630b4fcd5fe6c773577d32d46c

SHA512
82ddf64d4440d433a8ea92b6c484558e77120b85aae11f29f5e5dfeb23a6415d845225cf9277a8dfff5897ceec3bd7e54bd9528a9a74936cf54a79ab92835a68

Download Submit
C:\Windows\Temp\oujxn.exe
MD5
14b1292f0bb166062b889b5ea588d593

SHA1
66522b2905ca9d04a9f3531bb1b73a7e0763de59

SHA256
dbf1a40d9c78fde45c5c1f1648af8b3592e3ef4fea2f5c086b196d3784fdc3c8

SHA512
0677383a45970bd7189e8158ffda4d1fd3076b61e5566efb46ba108bf1b5317d449f93d149ad09b28e4ee08ec90678fbcfc2dbcb8bc09a2ef4bbd866e31d595b

Download Submit
memory/2344-136-0x000000000077D000-0x0000000000786000-memory.dmp

Filesize
36KB

Download
memory/2344-137-0x000000000077D000-0x0000000000786000-memory.dmp

Filesize
36KB

Download
memory/2344-138-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3428-130-0x0000000000621000-0x000000000062A000-memory.dmp

Filesize
36KB

Download
memory/3428-131-0x0000000000621000-0x000000000062A000-memory.dmp

Filesize
36KB

Download
memory/3428-133-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3428-132-0x00000000021A0000-0x00000000021A9000-memory.dmp

Filesize
36KB

Download
memory/4280-147-0x00000000006AD000-0x00000000006B6000-memory.dmp

Filesize
36KB

Download
memory/4280-148-0x00000000006AD000-0x00000000006B6000-memory.dmp

Filesize
36KB

Download
memory/4280-149-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4840-141-0x000000000064D000-0x0000000000656000-memory.dmp

Filesize
36KB

Download
memory/4840-143-0x000000000064D000-0x0000000000656000-memory.dmp

Filesize
36KB

Download
memory/4840-144-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing