systembc | cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173

General

Target

f7205e928a07057d45dd80680d956abc.exe
Size

232KB
MD5

f7205e928a07057d45dd80680d956abc
SHA1

429cebb14558371bbb1535743ff4b8c4c2401742
SHA256

cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173
SHA512

c3f544283e03adf758147d97ccad514582545ec76915a22a70a824ab8eab4c675f602e6f451c911f69c45715fac2de307b3236f6ebe0741dec305e8ebbe5fe4c

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

swcft.exeouobn.exe

pid process

868 swcft.exe
1636 ouobn.exe

pid	process
868	swcft.exe
1636	ouobn.exe

Drops file in Windows directory 3 IoCs

Processes:

swcft.exef7205e928a07057d45dd80680d956abc.exe

description	ioc	process
File created	C:\Windows\Tasks\cmqiththuoalfsepjvi.job	swcft.exe
File created	C:\Windows\Tasks\swcft.job	f7205e928a07057d45dd80680d956abc.exe
File opened for modification	C:\Windows\Tasks\swcft.job	f7205e928a07057d45dd80680d956abc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f7205e928a07057d45dd80680d956abc.exe

pid process

1920 f7205e928a07057d45dd80680d956abc.exe

pid	process
1920	f7205e928a07057d45dd80680d956abc.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1828 wrote to memory of 868	1828	taskeng.exe	swcft.exe
PID 1828 wrote to memory of 868	1828	taskeng.exe	swcft.exe
PID 1828 wrote to memory of 868	1828	taskeng.exe	swcft.exe
PID 1828 wrote to memory of 868	1828	taskeng.exe	swcft.exe
PID 1828 wrote to memory of 1636	1828	taskeng.exe	ouobn.exe
PID 1828 wrote to memory of 1636	1828	taskeng.exe	ouobn.exe
PID 1828 wrote to memory of 1636	1828	taskeng.exe	ouobn.exe
PID 1828 wrote to memory of 1636	1828	taskeng.exe	ouobn.exe

C:\Users\Admin\AppData\Local\Temp\f7205e928a07057d45dd80680d956abc.exe
"C:\Users\Admin\AppData\Local\Temp\f7205e928a07057d45dd80680d956abc.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1920

C:\Windows\system32\taskeng.exe
taskeng.exe {CDE9FC84-6205-4643-8EDD-F0D973974D9C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1828

C:\ProgramData\xsknqe\swcft.exe
C:\ProgramData\xsknqe\swcft.exe start
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:868

C:\Windows\TEMP\ouobn.exe
C:\Windows\TEMP\ouobn.exe
2⤵
- Executes dropped EXE
PID:1636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\xsknqe\swcft.exe
MD5
f7205e928a07057d45dd80680d956abc

SHA1
429cebb14558371bbb1535743ff4b8c4c2401742

SHA256
cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173

SHA512
c3f544283e03adf758147d97ccad514582545ec76915a22a70a824ab8eab4c675f602e6f451c911f69c45715fac2de307b3236f6ebe0741dec305e8ebbe5fe4c

Download Submit
C:\ProgramData\xsknqe\swcft.exe
MD5
f7205e928a07057d45dd80680d956abc

SHA1
429cebb14558371bbb1535743ff4b8c4c2401742

SHA256
cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173

SHA512
c3f544283e03adf758147d97ccad514582545ec76915a22a70a824ab8eab4c675f602e6f451c911f69c45715fac2de307b3236f6ebe0741dec305e8ebbe5fe4c

Download Submit
C:\Windows\TEMP\ouobn.exe
MD5
572eb88ef3e508c0556d55b4e7f649bd

SHA1
a2251c07ea52e9886be15835d45eac41c24af78d

SHA256
bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810

SHA512
8f9ed7ae2b94a3a6cb7e70a7192509d5dc8a8d728bedcdd01c2129608edbc0fc5c6b487733de72d54ba7dda438df7887381669466759d3e5bd8a8835b32335e9

Download Submit
C:\Windows\Temp\ouobn.exe
MD5
572eb88ef3e508c0556d55b4e7f649bd

SHA1
a2251c07ea52e9886be15835d45eac41c24af78d

SHA256
bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810

SHA512
8f9ed7ae2b94a3a6cb7e70a7192509d5dc8a8d728bedcdd01c2129608edbc0fc5c6b487733de72d54ba7dda438df7887381669466759d3e5bd8a8835b32335e9

Download Submit
memory/868-65-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/868-61-0x00000000005DE000-0x00000000005E6000-memory.dmp

Filesize
32KB

Download
memory/868-63-0x00000000005DE000-0x00000000005E6000-memory.dmp

Filesize
32KB

Download
memory/868-64-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1636-68-0x000000000026E000-0x0000000000277000-memory.dmp

Filesize
36KB

Download
memory/1920-58-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1920-55-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download
memory/1920-56-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/1920-57-0x00000000003A0000-0x00000000003A9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing