systembc | cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173

General

Target

f7205e928a07057d45dd80680d956abc.exe
Size

232KB
MD5

f7205e928a07057d45dd80680d956abc
SHA1

429cebb14558371bbb1535743ff4b8c4c2401742
SHA256

cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173
SHA512

c3f544283e03adf758147d97ccad514582545ec76915a22a70a824ab8eab4c675f602e6f451c911f69c45715fac2de307b3236f6ebe0741dec305e8ebbe5fe4c

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

xbxg.exeqpxircl.exercexsf.exe

pid process

2760 xbxg.exe
480 qpxircl.exe
4964 rcexsf.exe

pid	process
2760	xbxg.exe
480	qpxircl.exe
4964	rcexsf.exe

Drops file in Windows directory 5 IoCs

Processes:

f7205e928a07057d45dd80680d956abc.exexbxg.exeqpxircl.exe

description	ioc	process
File created	C:\Windows\Tasks\xbxg.job	f7205e928a07057d45dd80680d956abc.exe
File opened for modification	C:\Windows\Tasks\xbxg.job	f7205e928a07057d45dd80680d956abc.exe
File created	C:\Windows\Tasks\lxwmtdksjscjraiowgo.job	xbxg.exe
File created	C:\Windows\Tasks\rcexsf.job	qpxircl.exe
File opened for modification	C:\Windows\Tasks\rcexsf.job	qpxircl.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2332 1032 WerFault.exe f7205e928a07057d45dd80680d956abc.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

f7205e928a07057d45dd80680d956abc.exeqpxircl.exe

pid process

1032 f7205e928a07057d45dd80680d956abc.exe
1032 f7205e928a07057d45dd80680d956abc.exe
480 qpxircl.exe
480 qpxircl.exe

pid	pid_target	process	target process
2332	1032	WerFault.exe	f7205e928a07057d45dd80680d956abc.exe

pid	process
1032	f7205e928a07057d45dd80680d956abc.exe
1032	f7205e928a07057d45dd80680d956abc.exe
480	qpxircl.exe
480	qpxircl.exe

C:\Users\Admin\AppData\Local\Temp\f7205e928a07057d45dd80680d956abc.exe
"C:\Users\Admin\AppData\Local\Temp\f7205e928a07057d45dd80680d956abc.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1032 -s 472
2⤵
- Program crash
PID:2332

C:\ProgramData\ummr\xbxg.exe
C:\ProgramData\ummr\xbxg.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1032 -ip 1032
1⤵
PID:2616

C:\Windows\TEMP\qpxircl.exe
C:\Windows\TEMP\qpxircl.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:480

C:\ProgramData\pgwggg\rcexsf.exe
C:\ProgramData\pgwggg\rcexsf.exe start
1⤵
- Executes dropped EXE
PID:4964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pgwggg\rcexsf.exe
MD5
572eb88ef3e508c0556d55b4e7f649bd

SHA1
a2251c07ea52e9886be15835d45eac41c24af78d

SHA256
bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810

SHA512
8f9ed7ae2b94a3a6cb7e70a7192509d5dc8a8d728bedcdd01c2129608edbc0fc5c6b487733de72d54ba7dda438df7887381669466759d3e5bd8a8835b32335e9

Download Submit
C:\ProgramData\pgwggg\rcexsf.exe
MD5
572eb88ef3e508c0556d55b4e7f649bd

SHA1
a2251c07ea52e9886be15835d45eac41c24af78d

SHA256
bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810

SHA512
8f9ed7ae2b94a3a6cb7e70a7192509d5dc8a8d728bedcdd01c2129608edbc0fc5c6b487733de72d54ba7dda438df7887381669466759d3e5bd8a8835b32335e9

Download Submit
C:\ProgramData\ummr\xbxg.exe
MD5
f7205e928a07057d45dd80680d956abc

SHA1
429cebb14558371bbb1535743ff4b8c4c2401742

SHA256
cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173

SHA512
c3f544283e03adf758147d97ccad514582545ec76915a22a70a824ab8eab4c675f602e6f451c911f69c45715fac2de307b3236f6ebe0741dec305e8ebbe5fe4c

Download Submit
C:\ProgramData\ummr\xbxg.exe
MD5
f7205e928a07057d45dd80680d956abc

SHA1
429cebb14558371bbb1535743ff4b8c4c2401742

SHA256
cb9fa8efff1e18846cac5f9f5700534dbb43d94beb5b4701e948d35669dde173

SHA512
c3f544283e03adf758147d97ccad514582545ec76915a22a70a824ab8eab4c675f602e6f451c911f69c45715fac2de307b3236f6ebe0741dec305e8ebbe5fe4c

Download Submit
C:\Windows\TEMP\qpxircl.exe
MD5
572eb88ef3e508c0556d55b4e7f649bd

SHA1
a2251c07ea52e9886be15835d45eac41c24af78d

SHA256
bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810

SHA512
8f9ed7ae2b94a3a6cb7e70a7192509d5dc8a8d728bedcdd01c2129608edbc0fc5c6b487733de72d54ba7dda438df7887381669466759d3e5bd8a8835b32335e9

Download Submit
C:\Windows\Tasks\xbxg.job
MD5
c0a3c8e6105e2cccbbed177ef34f12c4

SHA1
d15a41d4b0fa102a4613fbcae29a0d5b7635cda4

SHA256
4b49e0d38924f36f7ae1e7ab2c7fc5836ba6eb1a4f5fa841b2c4b8081e340ab4

SHA512
cd64d2da76e47684dd0815a307a457b9d9dea20df3063b0759c6541927fca36f2fc041760c841bd622e550100e6f0b4d5bba04d616d87147b60848cf3c937790

Download Submit
C:\Windows\Temp\qpxircl.exe
MD5
572eb88ef3e508c0556d55b4e7f649bd

SHA1
a2251c07ea52e9886be15835d45eac41c24af78d

SHA256
bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810

SHA512
8f9ed7ae2b94a3a6cb7e70a7192509d5dc8a8d728bedcdd01c2129608edbc0fc5c6b487733de72d54ba7dda438df7887381669466759d3e5bd8a8835b32335e9

Download Submit
memory/480-142-0x0000000000779000-0x0000000000782000-memory.dmp

Filesize
36KB

Download
memory/480-145-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/480-144-0x0000000000779000-0x0000000000782000-memory.dmp

Filesize
36KB

Download
memory/1032-133-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1032-130-0x0000000000498000-0x00000000004A1000-memory.dmp

Filesize
36KB

Download
memory/1032-132-0x0000000000470000-0x0000000000479000-memory.dmp

Filesize
36KB

Download
memory/1032-131-0x0000000000498000-0x00000000004A1000-memory.dmp

Filesize
36KB

Download
memory/2760-136-0x0000000000505000-0x000000000050E000-memory.dmp

Filesize
36KB

Download
memory/2760-137-0x0000000000505000-0x000000000050E000-memory.dmp

Filesize
36KB

Download
memory/2760-139-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2760-138-0x0000000000D20000-0x0000000000D29000-memory.dmp

Filesize
36KB

Download
memory/4964-148-0x00000000005CA000-0x00000000005D3000-memory.dmp

Filesize
36KB

Download
memory/4964-149-0x00000000005CA000-0x00000000005D3000-memory.dmp

Filesize
36KB

Download
memory/4964-150-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads