systembc | 7fcee76d90a2f2280f81df3c9f84df0de6095b4e078e49a88b67fb6e19b6885e

General

Target

7fcee76d90a2f2280f81df3c9f84df0de6095b4e078e49a88b67fb6e19b6885e.exe
Size

233KB
MD5

5af54be6a7a2934eb5a109296436a24d
SHA1

fa9fbc98cedd06af2fdc5ad5020965308559ebe7
SHA256

7fcee76d90a2f2280f81df3c9f84df0de6095b4e078e49a88b67fb6e19b6885e
SHA512

553184cc0b0c44c76f9fb2ee2fd2e04584cc3084965c75f9f3c386fdbd5dce59fbdcff1d39dc12890017f736fbe4beed9173517bd682a17c4224da4d8aadd027

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vuow.exencixfe.exehgru.exe

pid process

3572 vuow.exe
3936 ncixfe.exe
3848 hgru.exe

pid	process
3572	vuow.exe
3936	ncixfe.exe
3848	hgru.exe

Drops file in Windows directory 5 IoCs

Processes:

7fcee76d90a2f2280f81df3c9f84df0de6095b4e078e49a88b67fb6e19b6885e.exevuow.exencixfe.exe

description	ioc	process
File created	C:\Windows\Tasks\vuow.job	7fcee76d90a2f2280f81df3c9f84df0de6095b4e078e49a88b67fb6e19b6885e.exe
File opened for modification	C:\Windows\Tasks\vuow.job	7fcee76d90a2f2280f81df3c9f84df0de6095b4e078e49a88b67fb6e19b6885e.exe
File created	C:\Windows\Tasks\hkqboxnvrvgpanwmvft.job	vuow.exe
File created	C:\Windows\Tasks\hgru.job	ncixfe.exe
File opened for modification	C:\Windows\Tasks\hgru.job	ncixfe.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

7fcee76d90a2f2280f81df3c9f84df0de6095b4e078e49a88b67fb6e19b6885e.exencixfe.exe

pid	process
3752	7fcee76d90a2f2280f81df3c9f84df0de6095b4e078e49a88b67fb6e19b6885e.exe
3752	7fcee76d90a2f2280f81df3c9f84df0de6095b4e078e49a88b67fb6e19b6885e.exe
3936	ncixfe.exe
3936	ncixfe.exe

C:\Users\Admin\AppData\Local\Temp\7fcee76d90a2f2280f81df3c9f84df0de6095b4e078e49a88b67fb6e19b6885e.exe
"C:\Users\Admin\AppData\Local\Temp\7fcee76d90a2f2280f81df3c9f84df0de6095b4e078e49a88b67fb6e19b6885e.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3752

C:\ProgramData\cbejhi\vuow.exe
C:\ProgramData\cbejhi\vuow.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3572

C:\Windows\TEMP\ncixfe.exe
C:\Windows\TEMP\ncixfe.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3936

C:\ProgramData\urbbaxw\hgru.exe
C:\ProgramData\urbbaxw\hgru.exe start
1⤵
- Executes dropped EXE
PID:3848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cbejhi\vuow.exe
MD5
5af54be6a7a2934eb5a109296436a24d

SHA1
fa9fbc98cedd06af2fdc5ad5020965308559ebe7

SHA256
7fcee76d90a2f2280f81df3c9f84df0de6095b4e078e49a88b67fb6e19b6885e

SHA512
553184cc0b0c44c76f9fb2ee2fd2e04584cc3084965c75f9f3c386fdbd5dce59fbdcff1d39dc12890017f736fbe4beed9173517bd682a17c4224da4d8aadd027

Download Submit
C:\ProgramData\cbejhi\vuow.exe
MD5
5af54be6a7a2934eb5a109296436a24d

SHA1
fa9fbc98cedd06af2fdc5ad5020965308559ebe7

SHA256
7fcee76d90a2f2280f81df3c9f84df0de6095b4e078e49a88b67fb6e19b6885e

SHA512
553184cc0b0c44c76f9fb2ee2fd2e04584cc3084965c75f9f3c386fdbd5dce59fbdcff1d39dc12890017f736fbe4beed9173517bd682a17c4224da4d8aadd027

Download Submit
C:\ProgramData\urbbaxw\hgru.exe
MD5
5af54be6a7a2934eb5a109296436a24d

SHA1
fa9fbc98cedd06af2fdc5ad5020965308559ebe7

SHA256
7fcee76d90a2f2280f81df3c9f84df0de6095b4e078e49a88b67fb6e19b6885e

SHA512
553184cc0b0c44c76f9fb2ee2fd2e04584cc3084965c75f9f3c386fdbd5dce59fbdcff1d39dc12890017f736fbe4beed9173517bd682a17c4224da4d8aadd027

Download Submit
C:\ProgramData\urbbaxw\hgru.exe
MD5
5af54be6a7a2934eb5a109296436a24d

SHA1
fa9fbc98cedd06af2fdc5ad5020965308559ebe7

SHA256
7fcee76d90a2f2280f81df3c9f84df0de6095b4e078e49a88b67fb6e19b6885e

SHA512
553184cc0b0c44c76f9fb2ee2fd2e04584cc3084965c75f9f3c386fdbd5dce59fbdcff1d39dc12890017f736fbe4beed9173517bd682a17c4224da4d8aadd027

Download Submit
C:\Windows\TEMP\ncixfe.exe
MD5
5af54be6a7a2934eb5a109296436a24d

SHA1
fa9fbc98cedd06af2fdc5ad5020965308559ebe7

SHA256
7fcee76d90a2f2280f81df3c9f84df0de6095b4e078e49a88b67fb6e19b6885e

SHA512
553184cc0b0c44c76f9fb2ee2fd2e04584cc3084965c75f9f3c386fdbd5dce59fbdcff1d39dc12890017f736fbe4beed9173517bd682a17c4224da4d8aadd027

Download Submit
C:\Windows\Tasks\vuow.job
MD5
5f7ffe5d3ecd27880e2e93b0bd67bcf4

SHA1
08c12ad3aa781c991a7086d1d6f566033a282f52

SHA256
c990fdb9aa3c5a9a20f4f991943c4481b1be0c92fea046869faf6bb6142392bd

SHA512
9d01ddadf43f1386f4f2a62c0a293bed2127e162659bd26d4ef2123c8ab5c63dadf8fae0632b64972cf409abe91677ec6c29d727581dc9ae137b41fdc6bfb00b

Download Submit
C:\Windows\Temp\ncixfe.exe
MD5
5af54be6a7a2934eb5a109296436a24d

SHA1
fa9fbc98cedd06af2fdc5ad5020965308559ebe7

SHA256
7fcee76d90a2f2280f81df3c9f84df0de6095b4e078e49a88b67fb6e19b6885e

SHA512
553184cc0b0c44c76f9fb2ee2fd2e04584cc3084965c75f9f3c386fdbd5dce59fbdcff1d39dc12890017f736fbe4beed9173517bd682a17c4224da4d8aadd027

Download Submit
memory/3572-120-0x00000000006E7000-0x00000000006F0000-memory.dmp

Filesize
36KB

Download
memory/3572-123-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3572-122-0x00000000004C0000-0x00000000004C9000-memory.dmp

Filesize
36KB

Download
memory/3572-121-0x00000000006E7000-0x00000000006F0000-memory.dmp

Filesize
36KB

Download
memory/3752-115-0x0000000000560000-0x00000000006AA000-memory.dmp

Filesize
1.3MB

Download
memory/3752-116-0x0000000000560000-0x00000000006AA000-memory.dmp

Filesize
1.3MB

Download
memory/3752-117-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3848-134-0x0000000000510000-0x000000000065A000-memory.dmp

Filesize
1.3MB

Download
memory/3848-135-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3936-126-0x0000000000767000-0x0000000000770000-memory.dmp

Filesize
36KB

Download
memory/3936-128-0x0000000000767000-0x0000000000770000-memory.dmp

Filesize
36KB

Download
memory/3936-129-0x0000000000470000-0x00000000005BA000-memory.dmp

Filesize
1.3MB

Download
memory/3936-130-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing