systembc | b7850c2ac77872bc186b4252325dbb492e54aee1f22540652e3362924de5c123

General

Target

b7850c2ac77872bc186b4252325dbb492e54aee1f22540652e3362924de5c123.exe
Size

236KB
MD5

f46c71fa634e56088ad439af3b59eb53
SHA1

2a0640e2c12724bbf25fb23946c833d01b7a3f8d
SHA256

b7850c2ac77872bc186b4252325dbb492e54aee1f22540652e3362924de5c123
SHA512

f0b2393fd524b269b16eecfb702a09b73f06890eb03f0d1d9c4ad51cd39f868b87625da11603105534910472060d9139601b81a2355e8752fcb830188852ef35

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

fogrucn.exednpio.exepabuql.exe

pid process

2064 fogrucn.exe
5000 dnpio.exe
2508 pabuql.exe

pid	process
2064	fogrucn.exe
5000	dnpio.exe
2508	pabuql.exe

Drops file in Windows directory 5 IoCs

Processes:

b7850c2ac77872bc186b4252325dbb492e54aee1f22540652e3362924de5c123.exefogrucn.exednpio.exe

description	ioc	process
File created	C:\Windows\Tasks\fogrucn.job	b7850c2ac77872bc186b4252325dbb492e54aee1f22540652e3362924de5c123.exe
File opened for modification	C:\Windows\Tasks\fogrucn.job	b7850c2ac77872bc186b4252325dbb492e54aee1f22540652e3362924de5c123.exe
File created	C:\Windows\Tasks\onvaqeaiogogwphphxq.job	fogrucn.exe
File created	C:\Windows\Tasks\pabuql.job	dnpio.exe
File opened for modification	C:\Windows\Tasks\pabuql.job	dnpio.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2468 3416 WerFault.exe b7850c2ac77872bc186b4252325dbb492e54aee1f22540652e3362924de5c123.exe

pid	pid_target	process	target process
2468	3416	WerFault.exe	b7850c2ac77872bc186b4252325dbb492e54aee1f22540652e3362924de5c123.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

b7850c2ac77872bc186b4252325dbb492e54aee1f22540652e3362924de5c123.exednpio.exe

pid	process
3416	b7850c2ac77872bc186b4252325dbb492e54aee1f22540652e3362924de5c123.exe
3416	b7850c2ac77872bc186b4252325dbb492e54aee1f22540652e3362924de5c123.exe
5000	dnpio.exe
5000	dnpio.exe

C:\Users\Admin\AppData\Local\Temp\b7850c2ac77872bc186b4252325dbb492e54aee1f22540652e3362924de5c123.exe
"C:\Users\Admin\AppData\Local\Temp\b7850c2ac77872bc186b4252325dbb492e54aee1f22540652e3362924de5c123.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 940
2⤵
- Program crash
PID:2468

C:\ProgramData\aqbo\fogrucn.exe
C:\ProgramData\aqbo\fogrucn.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3416 -ip 3416
1⤵
PID:4840

C:\Windows\TEMP\dnpio.exe
C:\Windows\TEMP\dnpio.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5000

C:\ProgramData\cmafbu\pabuql.exe
C:\ProgramData\cmafbu\pabuql.exe start
1⤵
- Executes dropped EXE
PID:2508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\aqbo\fogrucn.exe
MD5
f46c71fa634e56088ad439af3b59eb53

SHA1
2a0640e2c12724bbf25fb23946c833d01b7a3f8d

SHA256
b7850c2ac77872bc186b4252325dbb492e54aee1f22540652e3362924de5c123

SHA512
f0b2393fd524b269b16eecfb702a09b73f06890eb03f0d1d9c4ad51cd39f868b87625da11603105534910472060d9139601b81a2355e8752fcb830188852ef35

Download Submit
C:\ProgramData\aqbo\fogrucn.exe
MD5
f46c71fa634e56088ad439af3b59eb53

SHA1
2a0640e2c12724bbf25fb23946c833d01b7a3f8d

SHA256
b7850c2ac77872bc186b4252325dbb492e54aee1f22540652e3362924de5c123

SHA512
f0b2393fd524b269b16eecfb702a09b73f06890eb03f0d1d9c4ad51cd39f868b87625da11603105534910472060d9139601b81a2355e8752fcb830188852ef35

Download Submit
C:\ProgramData\cmafbu\pabuql.exe
MD5
f46c71fa634e56088ad439af3b59eb53

SHA1
2a0640e2c12724bbf25fb23946c833d01b7a3f8d

SHA256
b7850c2ac77872bc186b4252325dbb492e54aee1f22540652e3362924de5c123

SHA512
f0b2393fd524b269b16eecfb702a09b73f06890eb03f0d1d9c4ad51cd39f868b87625da11603105534910472060d9139601b81a2355e8752fcb830188852ef35

Download Submit
C:\ProgramData\cmafbu\pabuql.exe
MD5
f46c71fa634e56088ad439af3b59eb53

SHA1
2a0640e2c12724bbf25fb23946c833d01b7a3f8d

SHA256
b7850c2ac77872bc186b4252325dbb492e54aee1f22540652e3362924de5c123

SHA512
f0b2393fd524b269b16eecfb702a09b73f06890eb03f0d1d9c4ad51cd39f868b87625da11603105534910472060d9139601b81a2355e8752fcb830188852ef35

Download Submit
C:\Windows\TEMP\dnpio.exe
MD5
f46c71fa634e56088ad439af3b59eb53

SHA1
2a0640e2c12724bbf25fb23946c833d01b7a3f8d

SHA256
b7850c2ac77872bc186b4252325dbb492e54aee1f22540652e3362924de5c123

SHA512
f0b2393fd524b269b16eecfb702a09b73f06890eb03f0d1d9c4ad51cd39f868b87625da11603105534910472060d9139601b81a2355e8752fcb830188852ef35

Download Submit
C:\Windows\Tasks\fogrucn.job
MD5
73401b55236fedbdb84377ed493e72a9

SHA1
4f26accab31205ca24ffc1248efc8759947fe4db

SHA256
c4a5f0d45e21e2b468252f8896b33756b3e7ebde87779acc33aaa3e6bf25b7dc

SHA512
f6d3eaac2b233f64d75b4387a9df0506e8ba11532f5333d77fd8bd425a46c439641cf76f8212e95214b27349f2eb2c1723722b77e6479baa4d71a5bc6a86f8e7

Download Submit
C:\Windows\Temp\dnpio.exe
MD5
f46c71fa634e56088ad439af3b59eb53

SHA1
2a0640e2c12724bbf25fb23946c833d01b7a3f8d

SHA256
b7850c2ac77872bc186b4252325dbb492e54aee1f22540652e3362924de5c123

SHA512
f0b2393fd524b269b16eecfb702a09b73f06890eb03f0d1d9c4ad51cd39f868b87625da11603105534910472060d9139601b81a2355e8752fcb830188852ef35

Download Submit
memory/2064-142-0x0000000000E60000-0x0000000000E69000-memory.dmp

Filesize
36KB

Download
memory/2064-143-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2064-140-0x000000000050D000-0x0000000000516000-memory.dmp

Filesize
36KB

Download
memory/2064-141-0x000000000050D000-0x0000000000516000-memory.dmp

Filesize
36KB

Download
memory/2508-152-0x00000000006DD000-0x00000000006E6000-memory.dmp

Filesize
36KB

Download
memory/2508-154-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2508-153-0x00000000006DD000-0x00000000006E6000-memory.dmp

Filesize
36KB

Download
memory/3416-137-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3416-135-0x00000000005F1000-0x00000000005FA000-memory.dmp

Filesize
36KB

Download
memory/3416-136-0x00000000021A0000-0x00000000021A9000-memory.dmp

Filesize
36KB

Download
memory/3416-134-0x00000000005F1000-0x00000000005FA000-memory.dmp

Filesize
36KB

Download
memory/5000-149-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5000-148-0x000000000056D000-0x0000000000576000-memory.dmp

Filesize
36KB

Download
memory/5000-146-0x000000000056D000-0x0000000000576000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing