systembc | ae487bcbd066a3bca802abb7b65f69691a0ffa850aa24ef0441a18243bbda46a

General

Target

ae487bcbd066a3bca802abb7b65f69691a0ffa850aa24ef0441a18243bbda46a.exe
Size

232KB
MD5

d4bf806a2cd1f84ccdcff2184c93dc90
SHA1

1c110e247459619b11e316ab8a119136be8cd337
SHA256

ae487bcbd066a3bca802abb7b65f69691a0ffa850aa24ef0441a18243bbda46a
SHA512

0e73dee591753e84e08f290833b5bd39ba60be355e362477fb811e29c7e1c81da6566f00f17a3c6bea179284960360fda21075152a328a2925643214bd0ec124

Score

10^/10

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

hmwhr.exe

pid process

684 hmwhr.exe

pid	process
684	hmwhr.exe

Drops file in Windows directory 3 IoCs

Processes:

ae487bcbd066a3bca802abb7b65f69691a0ffa850aa24ef0441a18243bbda46a.exehmwhr.exe

description	ioc	process
File created	C:\Windows\Tasks\hmwhr.job	ae487bcbd066a3bca802abb7b65f69691a0ffa850aa24ef0441a18243bbda46a.exe
File opened for modification	C:\Windows\Tasks\hmwhr.job	ae487bcbd066a3bca802abb7b65f69691a0ffa850aa24ef0441a18243bbda46a.exe
File created	C:\Windows\Tasks\luugtehhdndxtjtplbl.job	hmwhr.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1512 3468 WerFault.exe ae487bcbd066a3bca802abb7b65f69691a0ffa850aa24ef0441a18243bbda46a.exe

pid	pid_target	process	target process
1512	3468	WerFault.exe	ae487bcbd066a3bca802abb7b65f69691a0ffa850aa24ef0441a18243bbda46a.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ae487bcbd066a3bca802abb7b65f69691a0ffa850aa24ef0441a18243bbda46a.exe

pid	process
3468	ae487bcbd066a3bca802abb7b65f69691a0ffa850aa24ef0441a18243bbda46a.exe
3468	ae487bcbd066a3bca802abb7b65f69691a0ffa850aa24ef0441a18243bbda46a.exe

C:\Users\Admin\AppData\Local\Temp\ae487bcbd066a3bca802abb7b65f69691a0ffa850aa24ef0441a18243bbda46a.exe
"C:\Users\Admin\AppData\Local\Temp\ae487bcbd066a3bca802abb7b65f69691a0ffa850aa24ef0441a18243bbda46a.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3468
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3468 -s 484
  2⤵
  - Program crash
  PID:1512

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3468 -ip 3468
1⤵
PID:2208

C:\ProgramData\bwcw\hmwhr.exe

MD5
d4bf806a2cd1f84ccdcff2184c93dc90

SHA1
1c110e247459619b11e316ab8a119136be8cd337

SHA256
ae487bcbd066a3bca802abb7b65f69691a0ffa850aa24ef0441a18243bbda46a

SHA512
0e73dee591753e84e08f290833b5bd39ba60be355e362477fb811e29c7e1c81da6566f00f17a3c6bea179284960360fda21075152a328a2925643214bd0ec124

Download Submit
C:\ProgramData\bwcw\hmwhr.exe

MD5
d4bf806a2cd1f84ccdcff2184c93dc90

SHA1
1c110e247459619b11e316ab8a119136be8cd337

SHA256
ae487bcbd066a3bca802abb7b65f69691a0ffa850aa24ef0441a18243bbda46a

SHA512
0e73dee591753e84e08f290833b5bd39ba60be355e362477fb811e29c7e1c81da6566f00f17a3c6bea179284960360fda21075152a328a2925643214bd0ec124

Download Submit
memory/684-140-0x00000000006AD000-0x00000000006B6000-memory.dmp

Filesize
36KB

Download
memory/684-141-0x00000000006AD000-0x00000000006B6000-memory.dmp

Filesize
36KB

Download
memory/684-142-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3468-134-0x00000000007F1000-0x00000000007FA000-memory.dmp

Filesize
36KB

Download
memory/3468-135-0x00000000007F1000-0x00000000007FA000-memory.dmp

Filesize
36KB

Download
memory/3468-136-0x0000000000700000-0x0000000000709000-memory.dmp

Filesize
36KB

Download
memory/3468-137-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download