systembc | 00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555

General

Target

00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555.exe
Size

230KB
MD5

b3f12e9d8014c04bd829bcff42b91186
SHA1

e64f8b6f9092808e8049cbd9c2fe070736db2bcc
SHA256

00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555
SHA512

801a0ea4bdad8a1d249fb5001eff9424bc03832097a696b4a462e80146ac7d2aa7907bd50535af1c231c74271b7991e431a45d69da3914c7181e061891f90281

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

gpiu.exehedj.exegjwlae.exe

pid process

2604 gpiu.exe
2216 hedj.exe
644 gjwlae.exe

pid	process
2604	gpiu.exe
2216	hedj.exe
644	gjwlae.exe

Drops file in Windows directory 5 IoCs

Processes:

hedj.exe00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555.exegpiu.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\gjwlae.job	hedj.exe
File created	C:\Windows\Tasks\gpiu.job	00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555.exe
File opened for modification	C:\Windows\Tasks\gpiu.job	00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555.exe
File created	C:\Windows\Tasks\vgurbultjsrjujcrcvf.job	gpiu.exe
File created	C:\Windows\Tasks\gjwlae.job	hedj.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555.exehedj.exe

pid	process
2276	00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555.exe
2276	00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555.exe
2216	hedj.exe
2216	hedj.exe

C:\Users\Admin\AppData\Local\Temp\00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555.exe
"C:\Users\Admin\AppData\Local\Temp\00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2276

C:\ProgramData\mbwelga\gpiu.exe
C:\ProgramData\mbwelga\gpiu.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2604

C:\Windows\TEMP\hedj.exe
C:\Windows\TEMP\hedj.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2216

C:\ProgramData\impth\gjwlae.exe
C:\ProgramData\impth\gjwlae.exe start
1⤵
- Executes dropped EXE
PID:644

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\impth\gjwlae.exe

MD5
b3f12e9d8014c04bd829bcff42b91186

SHA1
e64f8b6f9092808e8049cbd9c2fe070736db2bcc

SHA256
00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555

SHA512
801a0ea4bdad8a1d249fb5001eff9424bc03832097a696b4a462e80146ac7d2aa7907bd50535af1c231c74271b7991e431a45d69da3914c7181e061891f90281

Download Submit
C:\ProgramData\impth\gjwlae.exe

MD5
b3f12e9d8014c04bd829bcff42b91186

SHA1
e64f8b6f9092808e8049cbd9c2fe070736db2bcc

SHA256
00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555

SHA512
801a0ea4bdad8a1d249fb5001eff9424bc03832097a696b4a462e80146ac7d2aa7907bd50535af1c231c74271b7991e431a45d69da3914c7181e061891f90281

Download Submit
C:\ProgramData\mbwelga\gpiu.exe

MD5
b3f12e9d8014c04bd829bcff42b91186

SHA1
e64f8b6f9092808e8049cbd9c2fe070736db2bcc

SHA256
00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555

SHA512
801a0ea4bdad8a1d249fb5001eff9424bc03832097a696b4a462e80146ac7d2aa7907bd50535af1c231c74271b7991e431a45d69da3914c7181e061891f90281

Download Submit
C:\ProgramData\mbwelga\gpiu.exe

MD5
b3f12e9d8014c04bd829bcff42b91186

SHA1
e64f8b6f9092808e8049cbd9c2fe070736db2bcc

SHA256
00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555

SHA512
801a0ea4bdad8a1d249fb5001eff9424bc03832097a696b4a462e80146ac7d2aa7907bd50535af1c231c74271b7991e431a45d69da3914c7181e061891f90281

Download Submit
C:\Windows\TEMP\hedj.exe

MD5
b3f12e9d8014c04bd829bcff42b91186

SHA1
e64f8b6f9092808e8049cbd9c2fe070736db2bcc

SHA256
00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555

SHA512
801a0ea4bdad8a1d249fb5001eff9424bc03832097a696b4a462e80146ac7d2aa7907bd50535af1c231c74271b7991e431a45d69da3914c7181e061891f90281

Download Submit
C:\Windows\Tasks\gpiu.job

MD5
a05b23b827a513bbef7cc6dd890a88ab

SHA1
bf4a73c696531cbdfa880d9285ba6007aadd6674

SHA256
f3957be3742fa790c21ec64be3f210df4883f9a2ab931d4133ae77d50495121f

SHA512
ded620a2a3e9b732f36dd63ede726e9399a0a65c6db1b55c2c1323b600e3f170b4b8f1746cc8d1ef2721c27994cd9e4a5de613f537a9f67ce8ec520dc5b53a35

Download Submit
C:\Windows\Temp\hedj.exe

MD5
b3f12e9d8014c04bd829bcff42b91186

SHA1
e64f8b6f9092808e8049cbd9c2fe070736db2bcc

SHA256
00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555

SHA512
801a0ea4bdad8a1d249fb5001eff9424bc03832097a696b4a462e80146ac7d2aa7907bd50535af1c231c74271b7991e431a45d69da3914c7181e061891f90281

Download Submit
memory/644-137-0x00000000004E0000-0x000000000058E000-memory.dmp

Filesize
696KB

Download
memory/644-138-0x00000000004E0000-0x000000000058E000-memory.dmp

Filesize
696KB

Download
memory/644-139-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2216-132-0x0000000000480000-0x000000000052E000-memory.dmp

Filesize
696KB

Download
memory/2216-133-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2276-119-0x0000000000540000-0x000000000068A000-memory.dmp

Filesize
1.3MB

Download
memory/2276-121-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2276-120-0x0000000000480000-0x000000000052E000-memory.dmp

Filesize
696KB

Download
memory/2604-127-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2604-126-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/2604-125-0x0000000000480000-0x000000000052E000-memory.dmp

Filesize
696KB

Download

Analysis

Sharing