systembc | f17ac724c8f09ed76482fde99dc3971818735f9db0481f5914ec7684ca495c5f

General

Target

f17ac724c8f09ed76482fde99dc3971818735f9db0481f5914ec7684ca495c5f.exe
Size

236KB
MD5

4417e4db8f9d2e891432de2af78b29ac
SHA1

dc9f0732d9681a1fbe545d4df05536b5eaba2461
SHA256

f17ac724c8f09ed76482fde99dc3971818735f9db0481f5914ec7684ca495c5f
SHA512

1da861d7f14948158614798a4d1a2372e668ab53d950f01c6e518bbdd3b4a278e16ac2d54b8eab54266d5135f8e82f4de5e261a674c90de444e7089782d5d8a1

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

gpfjx.exevstq.exeheseque.exe

pid process

1608 gpfjx.exe
3060 vstq.exe
2068 heseque.exe

pid	process
1608	gpfjx.exe
3060	vstq.exe
2068	heseque.exe

Drops file in Windows directory 5 IoCs

Processes:

vstq.exef17ac724c8f09ed76482fde99dc3971818735f9db0481f5914ec7684ca495c5f.exegpfjx.exe

description	ioc	process
File created	C:\Windows\Tasks\heseque.job	vstq.exe
File opened for modification	C:\Windows\Tasks\heseque.job	vstq.exe
File created	C:\Windows\Tasks\gpfjx.job	f17ac724c8f09ed76482fde99dc3971818735f9db0481f5914ec7684ca495c5f.exe
File opened for modification	C:\Windows\Tasks\gpfjx.job	f17ac724c8f09ed76482fde99dc3971818735f9db0481f5914ec7684ca495c5f.exe
File created	C:\Windows\Tasks\nocahgnltradkjqpwue.job	gpfjx.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2152 3496 WerFault.exe f17ac724c8f09ed76482fde99dc3971818735f9db0481f5914ec7684ca495c5f.exe

pid	pid_target	process	target process
2152	3496	WerFault.exe	f17ac724c8f09ed76482fde99dc3971818735f9db0481f5914ec7684ca495c5f.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

f17ac724c8f09ed76482fde99dc3971818735f9db0481f5914ec7684ca495c5f.exevstq.exe

pid	process
3496	f17ac724c8f09ed76482fde99dc3971818735f9db0481f5914ec7684ca495c5f.exe
3496	f17ac724c8f09ed76482fde99dc3971818735f9db0481f5914ec7684ca495c5f.exe
3060	vstq.exe
3060	vstq.exe

C:\Users\Admin\AppData\Local\Temp\f17ac724c8f09ed76482fde99dc3971818735f9db0481f5914ec7684ca495c5f.exe
"C:\Users\Admin\AppData\Local\Temp\f17ac724c8f09ed76482fde99dc3971818735f9db0481f5914ec7684ca495c5f.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 948
2⤵
- Program crash
PID:2152

C:\ProgramData\jidu\gpfjx.exe
C:\ProgramData\jidu\gpfjx.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3496 -ip 3496
1⤵
PID:2188

C:\Windows\TEMP\vstq.exe
C:\Windows\TEMP\vstq.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3060

C:\ProgramData\pkuit\heseque.exe
C:\ProgramData\pkuit\heseque.exe start
1⤵
- Executes dropped EXE
PID:2068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jidu\gpfjx.exe
MD5
4417e4db8f9d2e891432de2af78b29ac

SHA1
dc9f0732d9681a1fbe545d4df05536b5eaba2461

SHA256
f17ac724c8f09ed76482fde99dc3971818735f9db0481f5914ec7684ca495c5f

SHA512
1da861d7f14948158614798a4d1a2372e668ab53d950f01c6e518bbdd3b4a278e16ac2d54b8eab54266d5135f8e82f4de5e261a674c90de444e7089782d5d8a1

Download Submit
C:\ProgramData\jidu\gpfjx.exe
MD5
4417e4db8f9d2e891432de2af78b29ac

SHA1
dc9f0732d9681a1fbe545d4df05536b5eaba2461

SHA256
f17ac724c8f09ed76482fde99dc3971818735f9db0481f5914ec7684ca495c5f

SHA512
1da861d7f14948158614798a4d1a2372e668ab53d950f01c6e518bbdd3b4a278e16ac2d54b8eab54266d5135f8e82f4de5e261a674c90de444e7089782d5d8a1

Download Submit
C:\ProgramData\pkuit\heseque.exe
MD5
4417e4db8f9d2e891432de2af78b29ac

SHA1
dc9f0732d9681a1fbe545d4df05536b5eaba2461

SHA256
f17ac724c8f09ed76482fde99dc3971818735f9db0481f5914ec7684ca495c5f

SHA512
1da861d7f14948158614798a4d1a2372e668ab53d950f01c6e518bbdd3b4a278e16ac2d54b8eab54266d5135f8e82f4de5e261a674c90de444e7089782d5d8a1

Download Submit
C:\ProgramData\pkuit\heseque.exe
MD5
4417e4db8f9d2e891432de2af78b29ac

SHA1
dc9f0732d9681a1fbe545d4df05536b5eaba2461

SHA256
f17ac724c8f09ed76482fde99dc3971818735f9db0481f5914ec7684ca495c5f

SHA512
1da861d7f14948158614798a4d1a2372e668ab53d950f01c6e518bbdd3b4a278e16ac2d54b8eab54266d5135f8e82f4de5e261a674c90de444e7089782d5d8a1

Download Submit
C:\Windows\TEMP\vstq.exe
MD5
4417e4db8f9d2e891432de2af78b29ac

SHA1
dc9f0732d9681a1fbe545d4df05536b5eaba2461

SHA256
f17ac724c8f09ed76482fde99dc3971818735f9db0481f5914ec7684ca495c5f

SHA512
1da861d7f14948158614798a4d1a2372e668ab53d950f01c6e518bbdd3b4a278e16ac2d54b8eab54266d5135f8e82f4de5e261a674c90de444e7089782d5d8a1

Download Submit
C:\Windows\Tasks\gpfjx.job
MD5
772098a8009183d7681a63dffe4cc96d

SHA1
b1d151e9c786d945002ffc8ba13230aa8060b1c9

SHA256
4d9bb4c8cf3bd46020f970519ec7163eb2b790d077a114bb0aafb483e24a25f3

SHA512
3f527ae1b89451a7d48ad76d43ed7e2dead90e8f1eb19edc7a5a49860bf7e6fb463860e5b6b00385dea0706ab7e3e8c0a01ed46bb2a79f88db1cf6242fa93c87

Download Submit
C:\Windows\Temp\vstq.exe
MD5
4417e4db8f9d2e891432de2af78b29ac

SHA1
dc9f0732d9681a1fbe545d4df05536b5eaba2461

SHA256
f17ac724c8f09ed76482fde99dc3971818735f9db0481f5914ec7684ca495c5f

SHA512
1da861d7f14948158614798a4d1a2372e668ab53d950f01c6e518bbdd3b4a278e16ac2d54b8eab54266d5135f8e82f4de5e261a674c90de444e7089782d5d8a1

Download Submit
memory/1608-136-0x000000000053D000-0x0000000000546000-memory.dmp

Filesize
36KB

Download
memory/1608-137-0x000000000053D000-0x0000000000546000-memory.dmp

Filesize
36KB

Download
memory/1608-138-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2068-149-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2068-148-0x00000000004ED000-0x00000000004F6000-memory.dmp

Filesize
36KB

Download
memory/2068-147-0x00000000004ED000-0x00000000004F6000-memory.dmp

Filesize
36KB

Download
memory/3060-141-0x00000000007FD000-0x0000000000806000-memory.dmp

Filesize
36KB

Download
memory/3060-144-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3060-143-0x00000000007FD000-0x0000000000806000-memory.dmp

Filesize
36KB

Download
memory/3496-130-0x0000000000791000-0x000000000079A000-memory.dmp

Filesize
36KB

Download
memory/3496-133-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3496-132-0x00000000005F0000-0x00000000005F9000-memory.dmp

Filesize
36KB

Download
memory/3496-131-0x0000000000791000-0x000000000079A000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing