systembc | 79edc7bfd3e3b2c209ccbd32b32653d7b3613d9b586190e64ac44e05e745676f

General

Target

79edc7bfd3e3b2c209ccbd32b32653d7b3613d9b586190e64ac44e05e745676f.exe
Size

223KB
MD5

a0e7217dd5f2bc9173909d48dae3fbab
SHA1

5a7465ca0541374f63cf1a8587ec44184b6109b7
SHA256

79edc7bfd3e3b2c209ccbd32b32653d7b3613d9b586190e64ac44e05e745676f
SHA512

a756ed124f5a4354c2dabec14222d27fa0583b2c4bad305ad350713e207db351d12592cced859d1376fceea5f4342ff863210d8d90e94d18660fe6c7aebd3d41

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

nqmw.exexdrb.exedcdtvg.exe

pid process

4660 nqmw.exe
796 xdrb.exe
3788 dcdtvg.exe

pid	process
4660	nqmw.exe
796	xdrb.exe
3788	dcdtvg.exe

Drops file in Windows directory 5 IoCs

Processes:

nqmw.exexdrb.exe79edc7bfd3e3b2c209ccbd32b32653d7b3613d9b586190e64ac44e05e745676f.exe

description	ioc	process
File created	C:\Windows\Tasks\gqrbaotjfdikfwdonjx.job	nqmw.exe
File created	C:\Windows\Tasks\dcdtvg.job	xdrb.exe
File opened for modification	C:\Windows\Tasks\dcdtvg.job	xdrb.exe
File created	C:\Windows\Tasks\nqmw.job	79edc7bfd3e3b2c209ccbd32b32653d7b3613d9b586190e64ac44e05e745676f.exe
File opened for modification	C:\Windows\Tasks\nqmw.job	79edc7bfd3e3b2c209ccbd32b32653d7b3613d9b586190e64ac44e05e745676f.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3660 1888 WerFault.exe 79edc7bfd3e3b2c209ccbd32b32653d7b3613d9b586190e64ac44e05e745676f.exe

pid	pid_target	process	target process
3660	1888	WerFault.exe	79edc7bfd3e3b2c209ccbd32b32653d7b3613d9b586190e64ac44e05e745676f.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

79edc7bfd3e3b2c209ccbd32b32653d7b3613d9b586190e64ac44e05e745676f.exexdrb.exe

pid	process
1888	79edc7bfd3e3b2c209ccbd32b32653d7b3613d9b586190e64ac44e05e745676f.exe
1888	79edc7bfd3e3b2c209ccbd32b32653d7b3613d9b586190e64ac44e05e745676f.exe
796	xdrb.exe
796	xdrb.exe

C:\Users\Admin\AppData\Local\Temp\79edc7bfd3e3b2c209ccbd32b32653d7b3613d9b586190e64ac44e05e745676f.exe
"C:\Users\Admin\AppData\Local\Temp\79edc7bfd3e3b2c209ccbd32b32653d7b3613d9b586190e64ac44e05e745676f.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1888
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 484
  2⤵
  - Program crash
  PID:3660

C:\ProgramData\sgeu\nqmw.exe
C:\ProgramData\sgeu\nqmw.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1888 -ip 1888
1⤵
PID:4192

C:\Windows\TEMP\xdrb.exe
C:\Windows\TEMP\xdrb.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:796

C:\ProgramData\shvfv\dcdtvg.exe
C:\ProgramData\shvfv\dcdtvg.exe start
1⤵
- Executes dropped EXE
PID:3788

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\sgeu\nqmw.exe

MD5
a0e7217dd5f2bc9173909d48dae3fbab

SHA1
5a7465ca0541374f63cf1a8587ec44184b6109b7

SHA256
79edc7bfd3e3b2c209ccbd32b32653d7b3613d9b586190e64ac44e05e745676f

SHA512
a756ed124f5a4354c2dabec14222d27fa0583b2c4bad305ad350713e207db351d12592cced859d1376fceea5f4342ff863210d8d90e94d18660fe6c7aebd3d41

Download Submit
C:\ProgramData\sgeu\nqmw.exe

MD5
a0e7217dd5f2bc9173909d48dae3fbab

SHA1
5a7465ca0541374f63cf1a8587ec44184b6109b7

SHA256
79edc7bfd3e3b2c209ccbd32b32653d7b3613d9b586190e64ac44e05e745676f

SHA512
a756ed124f5a4354c2dabec14222d27fa0583b2c4bad305ad350713e207db351d12592cced859d1376fceea5f4342ff863210d8d90e94d18660fe6c7aebd3d41

Download Submit
C:\ProgramData\shvfv\dcdtvg.exe

MD5
a0e7217dd5f2bc9173909d48dae3fbab

SHA1
5a7465ca0541374f63cf1a8587ec44184b6109b7

SHA256
79edc7bfd3e3b2c209ccbd32b32653d7b3613d9b586190e64ac44e05e745676f

SHA512
a756ed124f5a4354c2dabec14222d27fa0583b2c4bad305ad350713e207db351d12592cced859d1376fceea5f4342ff863210d8d90e94d18660fe6c7aebd3d41

Download Submit
C:\ProgramData\shvfv\dcdtvg.exe

MD5
a0e7217dd5f2bc9173909d48dae3fbab

SHA1
5a7465ca0541374f63cf1a8587ec44184b6109b7

SHA256
79edc7bfd3e3b2c209ccbd32b32653d7b3613d9b586190e64ac44e05e745676f

SHA512
a756ed124f5a4354c2dabec14222d27fa0583b2c4bad305ad350713e207db351d12592cced859d1376fceea5f4342ff863210d8d90e94d18660fe6c7aebd3d41

Download Submit
C:\Windows\TEMP\xdrb.exe

MD5
a0e7217dd5f2bc9173909d48dae3fbab

SHA1
5a7465ca0541374f63cf1a8587ec44184b6109b7

SHA256
79edc7bfd3e3b2c209ccbd32b32653d7b3613d9b586190e64ac44e05e745676f

SHA512
a756ed124f5a4354c2dabec14222d27fa0583b2c4bad305ad350713e207db351d12592cced859d1376fceea5f4342ff863210d8d90e94d18660fe6c7aebd3d41

Download Submit
C:\Windows\Tasks\nqmw.job

MD5
bebae4bd2b27f97a618380c219dcd60c

SHA1
c3417ddd9a95e0c4d6cad4ed9cf3f8700971ccfc

SHA256
58d2a5b4c0192f57eee9bbcae03f1be3f00597aa34757f7cfd262bfa782c3b08

SHA512
10d4dbca5aae217b66079cfd36577f4f13da60ea13d9286be13454f8ddd4d4c15b7dfedf3f55b9a66d5b5f9a6909159ca98e7f87ead8a0f0640479d07635da72

Download Submit
C:\Windows\Temp\xdrb.exe

MD5
a0e7217dd5f2bc9173909d48dae3fbab

SHA1
5a7465ca0541374f63cf1a8587ec44184b6109b7

SHA256
79edc7bfd3e3b2c209ccbd32b32653d7b3613d9b586190e64ac44e05e745676f

SHA512
a756ed124f5a4354c2dabec14222d27fa0583b2c4bad305ad350713e207db351d12592cced859d1376fceea5f4342ff863210d8d90e94d18660fe6c7aebd3d41

Download Submit
memory/796-141-0x00000000007A5000-0x00000000007AE000-memory.dmp

Filesize
36KB

Download
memory/796-143-0x00000000007A5000-0x00000000007AE000-memory.dmp

Filesize
36KB

Download
memory/796-144-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1888-133-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1888-130-0x0000000000588000-0x0000000000591000-memory.dmp

Filesize
36KB

Download
memory/1888-132-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/1888-131-0x0000000000588000-0x0000000000591000-memory.dmp

Filesize
36KB

Download
memory/4660-136-0x00000000004A5000-0x00000000004AE000-memory.dmp

Filesize
36KB

Download
memory/4660-137-0x00000000004A5000-0x00000000004AE000-memory.dmp

Filesize
36KB

Download
memory/4660-138-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing