systembc | fc490f887f4c468f5c358176cda8f0bf7b51994812e33f6b8685aa031befa1bb

General

Target

fc490f887f4c468f5c358176cda8f0bf7b51994812e33f6b8685aa031befa1bb.exe
Size

232KB
MD5

03f49c1783459a9e989a715b0598101d
SHA1

6873edccffbfc63f731d90e60962b009970756a6
SHA256

fc490f887f4c468f5c358176cda8f0bf7b51994812e33f6b8685aa031befa1bb
SHA512

a1dfe16a017d2a8a6c6bf6b347e70d457eac9030d788b3288bfb9423028026663e5ca772a171db7973537551cb41426d246acc4e4fae28c7004efdc0478c7b2e

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vfwevm.exevvik.execmqdfg.exe

pid process

2248 vfwevm.exe
4348 vvik.exe
1400 cmqdfg.exe

pid	process
2248	vfwevm.exe
4348	vvik.exe
1400	cmqdfg.exe

Drops file in Windows directory 5 IoCs

Processes:

fc490f887f4c468f5c358176cda8f0bf7b51994812e33f6b8685aa031befa1bb.exevfwevm.exevvik.exe

description	ioc	process
File created	C:\Windows\Tasks\vfwevm.job	fc490f887f4c468f5c358176cda8f0bf7b51994812e33f6b8685aa031befa1bb.exe
File opened for modification	C:\Windows\Tasks\vfwevm.job	fc490f887f4c468f5c358176cda8f0bf7b51994812e33f6b8685aa031befa1bb.exe
File created	C:\Windows\Tasks\dlnxcbbksvfdadajljg.job	vfwevm.exe
File created	C:\Windows\Tasks\cmqdfg.job	vvik.exe
File opened for modification	C:\Windows\Tasks\cmqdfg.job	vvik.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2444 2308 WerFault.exe fc490f887f4c468f5c358176cda8f0bf7b51994812e33f6b8685aa031befa1bb.exe

pid	pid_target	process	target process
2444	2308	WerFault.exe	fc490f887f4c468f5c358176cda8f0bf7b51994812e33f6b8685aa031befa1bb.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

fc490f887f4c468f5c358176cda8f0bf7b51994812e33f6b8685aa031befa1bb.exevvik.exe

pid	process
2308	fc490f887f4c468f5c358176cda8f0bf7b51994812e33f6b8685aa031befa1bb.exe
2308	fc490f887f4c468f5c358176cda8f0bf7b51994812e33f6b8685aa031befa1bb.exe
4348	vvik.exe
4348	vvik.exe

C:\Users\Admin\AppData\Local\Temp\fc490f887f4c468f5c358176cda8f0bf7b51994812e33f6b8685aa031befa1bb.exe
"C:\Users\Admin\AppData\Local\Temp\fc490f887f4c468f5c358176cda8f0bf7b51994812e33f6b8685aa031befa1bb.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2308
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 952
  2⤵
  - Program crash
  PID:2444

C:\ProgramData\bdvsgrd\vfwevm.exe
C:\ProgramData\bdvsgrd\vfwevm.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2308 -ip 2308
1⤵
PID:312

C:\Windows\TEMP\vvik.exe
C:\Windows\TEMP\vvik.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4348

C:\ProgramData\bdodskc\cmqdfg.exe
C:\ProgramData\bdodskc\cmqdfg.exe start
1⤵
- Executes dropped EXE
PID:1400

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bdodskc\cmqdfg.exe

MD5
03f49c1783459a9e989a715b0598101d

SHA1
6873edccffbfc63f731d90e60962b009970756a6

SHA256
fc490f887f4c468f5c358176cda8f0bf7b51994812e33f6b8685aa031befa1bb

SHA512
a1dfe16a017d2a8a6c6bf6b347e70d457eac9030d788b3288bfb9423028026663e5ca772a171db7973537551cb41426d246acc4e4fae28c7004efdc0478c7b2e

Download Submit
C:\ProgramData\bdodskc\cmqdfg.exe

MD5
03f49c1783459a9e989a715b0598101d

SHA1
6873edccffbfc63f731d90e60962b009970756a6

SHA256
fc490f887f4c468f5c358176cda8f0bf7b51994812e33f6b8685aa031befa1bb

SHA512
a1dfe16a017d2a8a6c6bf6b347e70d457eac9030d788b3288bfb9423028026663e5ca772a171db7973537551cb41426d246acc4e4fae28c7004efdc0478c7b2e

Download Submit
C:\ProgramData\bdvsgrd\vfwevm.exe

MD5
03f49c1783459a9e989a715b0598101d

SHA1
6873edccffbfc63f731d90e60962b009970756a6

SHA256
fc490f887f4c468f5c358176cda8f0bf7b51994812e33f6b8685aa031befa1bb

SHA512
a1dfe16a017d2a8a6c6bf6b347e70d457eac9030d788b3288bfb9423028026663e5ca772a171db7973537551cb41426d246acc4e4fae28c7004efdc0478c7b2e

Download Submit
C:\ProgramData\bdvsgrd\vfwevm.exe

MD5
03f49c1783459a9e989a715b0598101d

SHA1
6873edccffbfc63f731d90e60962b009970756a6

SHA256
fc490f887f4c468f5c358176cda8f0bf7b51994812e33f6b8685aa031befa1bb

SHA512
a1dfe16a017d2a8a6c6bf6b347e70d457eac9030d788b3288bfb9423028026663e5ca772a171db7973537551cb41426d246acc4e4fae28c7004efdc0478c7b2e

Download Submit
C:\Windows\TEMP\vvik.exe

MD5
03f49c1783459a9e989a715b0598101d

SHA1
6873edccffbfc63f731d90e60962b009970756a6

SHA256
fc490f887f4c468f5c358176cda8f0bf7b51994812e33f6b8685aa031befa1bb

SHA512
a1dfe16a017d2a8a6c6bf6b347e70d457eac9030d788b3288bfb9423028026663e5ca772a171db7973537551cb41426d246acc4e4fae28c7004efdc0478c7b2e

Download Submit
C:\Windows\Tasks\vfwevm.job

MD5
8a07c2b7cde3d4eda59832942ef5be10

SHA1
626713b7343dd2ff0d0c6e45214bb58c131b5204

SHA256
bdeed83d471f5243e5a0c8ebed19a98739f4becbe8f49e8d8098a986673d2f7a

SHA512
c8ec07ecfb53571614ce9ca9db502b839d5dd46053c81eb54b551d978a4d07d5dc4eac1478cceba76dc6049e601e866a53e63990a166f2ff73bb717c8697e446

Download Submit
C:\Windows\Temp\vvik.exe

MD5
03f49c1783459a9e989a715b0598101d

SHA1
6873edccffbfc63f731d90e60962b009970756a6

SHA256
fc490f887f4c468f5c358176cda8f0bf7b51994812e33f6b8685aa031befa1bb

SHA512
a1dfe16a017d2a8a6c6bf6b347e70d457eac9030d788b3288bfb9423028026663e5ca772a171db7973537551cb41426d246acc4e4fae28c7004efdc0478c7b2e

Download Submit
memory/1400-152-0x00000000005CD000-0x00000000005D6000-memory.dmp

Filesize
36KB

Download
memory/1400-154-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1400-153-0x00000000005CD000-0x00000000005D6000-memory.dmp

Filesize
36KB

Download
memory/2248-142-0x0000000000600000-0x0000000000609000-memory.dmp

Filesize
36KB

Download
memory/2248-143-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2248-140-0x00000000006BD000-0x00000000006C6000-memory.dmp

Filesize
36KB

Download
memory/2248-141-0x00000000006BD000-0x00000000006C6000-memory.dmp

Filesize
36KB

Download
memory/2308-137-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2308-135-0x0000000000731000-0x000000000073A000-memory.dmp

Filesize
36KB

Download
memory/2308-136-0x0000000000700000-0x0000000000709000-memory.dmp

Filesize
36KB

Download
memory/2308-134-0x0000000000731000-0x000000000073A000-memory.dmp

Filesize
36KB

Download
memory/4348-149-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4348-148-0x00000000006FD000-0x0000000000706000-memory.dmp

Filesize
36KB

Download
memory/4348-146-0x00000000006FD000-0x0000000000706000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing