systembc | bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810

General

Target

572eb88ef3e508c0556d55b4e7f649bd.exe
Size

237KB
MD5

572eb88ef3e508c0556d55b4e7f649bd
SHA1

a2251c07ea52e9886be15835d45eac41c24af78d
SHA256

bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810
SHA512

8f9ed7ae2b94a3a6cb7e70a7192509d5dc8a8d728bedcdd01c2129608edbc0fc5c6b487733de72d54ba7dda438df7887381669466759d3e5bd8a8835b32335e9

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

acckhkm.exepfcowc.exeibrv.exe

pid process

1544 acckhkm.exe
480 pfcowc.exe
608 ibrv.exe

pid	process
1544	acckhkm.exe
480	pfcowc.exe
608	ibrv.exe

Drops file in Windows directory 5 IoCs

Processes:

572eb88ef3e508c0556d55b4e7f649bd.exeacckhkm.exepfcowc.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\acckhkm.job	572eb88ef3e508c0556d55b4e7f649bd.exe
File created	C:\Windows\Tasks\fejrnrdtktvgoktktox.job	acckhkm.exe
File created	C:\Windows\Tasks\ibrv.job	pfcowc.exe
File opened for modification	C:\Windows\Tasks\ibrv.job	pfcowc.exe
File created	C:\Windows\Tasks\acckhkm.job	572eb88ef3e508c0556d55b4e7f649bd.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

572eb88ef3e508c0556d55b4e7f649bd.exepfcowc.exe

pid process

1500 572eb88ef3e508c0556d55b4e7f649bd.exe
480 pfcowc.exe

pid	process
1500	572eb88ef3e508c0556d55b4e7f649bd.exe
480	pfcowc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1596 wrote to memory of 1544	1596	taskeng.exe	acckhkm.exe
PID 1596 wrote to memory of 1544	1596	taskeng.exe	acckhkm.exe
PID 1596 wrote to memory of 1544	1596	taskeng.exe	acckhkm.exe
PID 1596 wrote to memory of 1544	1596	taskeng.exe	acckhkm.exe
PID 1596 wrote to memory of 480	1596	taskeng.exe	pfcowc.exe
PID 1596 wrote to memory of 480	1596	taskeng.exe	pfcowc.exe
PID 1596 wrote to memory of 480	1596	taskeng.exe	pfcowc.exe
PID 1596 wrote to memory of 480	1596	taskeng.exe	pfcowc.exe
PID 1596 wrote to memory of 608	1596	taskeng.exe	ibrv.exe
PID 1596 wrote to memory of 608	1596	taskeng.exe	ibrv.exe
PID 1596 wrote to memory of 608	1596	taskeng.exe	ibrv.exe
PID 1596 wrote to memory of 608	1596	taskeng.exe	ibrv.exe

C:\Users\Admin\AppData\Local\Temp\572eb88ef3e508c0556d55b4e7f649bd.exe
"C:\Users\Admin\AppData\Local\Temp\572eb88ef3e508c0556d55b4e7f649bd.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1500

C:\Windows\system32\taskeng.exe
taskeng.exe {9FE93EAD-3560-4ECE-8E8A-AC3E0C528700} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\ProgramData\aasi\acckhkm.exe
C:\ProgramData\aasi\acckhkm.exe start
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1544

C:\Windows\TEMP\pfcowc.exe
C:\Windows\TEMP\pfcowc.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:480

C:\ProgramData\matqf\ibrv.exe
C:\ProgramData\matqf\ibrv.exe start
2⤵
- Executes dropped EXE
PID:608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\aasi\acckhkm.exe
MD5
572eb88ef3e508c0556d55b4e7f649bd

SHA1
a2251c07ea52e9886be15835d45eac41c24af78d

SHA256
bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810

SHA512
8f9ed7ae2b94a3a6cb7e70a7192509d5dc8a8d728bedcdd01c2129608edbc0fc5c6b487733de72d54ba7dda438df7887381669466759d3e5bd8a8835b32335e9

Download Submit
C:\ProgramData\aasi\acckhkm.exe
MD5
572eb88ef3e508c0556d55b4e7f649bd

SHA1
a2251c07ea52e9886be15835d45eac41c24af78d

SHA256
bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810

SHA512
8f9ed7ae2b94a3a6cb7e70a7192509d5dc8a8d728bedcdd01c2129608edbc0fc5c6b487733de72d54ba7dda438df7887381669466759d3e5bd8a8835b32335e9

Download Submit
C:\ProgramData\matqf\ibrv.exe
MD5
572eb88ef3e508c0556d55b4e7f649bd

SHA1
a2251c07ea52e9886be15835d45eac41c24af78d

SHA256
bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810

SHA512
8f9ed7ae2b94a3a6cb7e70a7192509d5dc8a8d728bedcdd01c2129608edbc0fc5c6b487733de72d54ba7dda438df7887381669466759d3e5bd8a8835b32335e9

Download Submit
C:\ProgramData\matqf\ibrv.exe
MD5
572eb88ef3e508c0556d55b4e7f649bd

SHA1
a2251c07ea52e9886be15835d45eac41c24af78d

SHA256
bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810

SHA512
8f9ed7ae2b94a3a6cb7e70a7192509d5dc8a8d728bedcdd01c2129608edbc0fc5c6b487733de72d54ba7dda438df7887381669466759d3e5bd8a8835b32335e9

Download Submit
C:\Windows\TEMP\pfcowc.exe
MD5
572eb88ef3e508c0556d55b4e7f649bd

SHA1
a2251c07ea52e9886be15835d45eac41c24af78d

SHA256
bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810

SHA512
8f9ed7ae2b94a3a6cb7e70a7192509d5dc8a8d728bedcdd01c2129608edbc0fc5c6b487733de72d54ba7dda438df7887381669466759d3e5bd8a8835b32335e9

Download Submit
C:\Windows\Tasks\acckhkm.job
MD5
a75ad800416631e6488d8e171062f32d

SHA1
8cda3e454224546325b0835788b07d7e5c116235

SHA256
de96ea9667c45d79a64d5700a3885f2e2458020083f03360fdba4d931ad498e5

SHA512
818f7aef90b2857a0959746a8675203e414d215389c7ff18e76f68f05006bcec9ee7b52086669dffb360fb13b2bb50c2c376f3ad1688a4083d082fda84f17f34

Download Submit
C:\Windows\Temp\pfcowc.exe
MD5
572eb88ef3e508c0556d55b4e7f649bd

SHA1
a2251c07ea52e9886be15835d45eac41c24af78d

SHA256
bad62abd7ad29c3d1379bd06439b3208549ceff63772420104c1b322a4abc810

SHA512
8f9ed7ae2b94a3a6cb7e70a7192509d5dc8a8d728bedcdd01c2129608edbc0fc5c6b487733de72d54ba7dda438df7887381669466759d3e5bd8a8835b32335e9

Download Submit
memory/480-71-0x000000000055E000-0x0000000000567000-memory.dmp

Filesize
36KB

Download
memory/480-68-0x000000000055E000-0x0000000000567000-memory.dmp

Filesize
36KB

Download
memory/480-72-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/608-78-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/608-77-0x000000000065E000-0x0000000000667000-memory.dmp

Filesize
36KB

Download
memory/608-75-0x000000000065E000-0x0000000000667000-memory.dmp

Filesize
36KB

Download
memory/1500-56-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1500-57-0x0000000075AA1000-0x0000000075AA3000-memory.dmp

Filesize
8KB

Download
memory/1500-54-0x000000000065E000-0x0000000000667000-memory.dmp

Filesize
36KB

Download
memory/1500-58-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1500-55-0x000000000065E000-0x0000000000667000-memory.dmp

Filesize
36KB

Download
memory/1544-64-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1544-61-0x000000000058E000-0x0000000000597000-memory.dmp

Filesize
36KB

Download
memory/1544-65-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1544-63-0x000000000058E000-0x0000000000597000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing