systembc | f891e10c9a7b6d0cbbbb6b3d103cf3dc935541430c5363648e6e1a3203bdd76d

General

Target

a7cbdc69144242409bce8285135b61f8.exe
Size

223KB
MD5

a7cbdc69144242409bce8285135b61f8
SHA1

73594de56be8beaf92392af56c8bcc2fa44a6eac
SHA256

f891e10c9a7b6d0cbbbb6b3d103cf3dc935541430c5363648e6e1a3203bdd76d
SHA512

8f80815e16cdf899946bef69f7068cd8f8c1877e803bffc31a09195e18720a6149205f0dde7428894a81d09c41969d3e7e58d41b670354ec8095ea8e05c86bf3

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

rdwexs.exerurddh.exevahpnl.exe

pid process

892 rdwexs.exe
1416 rurddh.exe
1852 vahpnl.exe

pid	process
892	rdwexs.exe
1416	rurddh.exe
1852	vahpnl.exe

Drops file in Windows directory 5 IoCs

Processes:

rdwexs.exerurddh.exea7cbdc69144242409bce8285135b61f8.exe

description	ioc	process
File created	C:\Windows\Tasks\ljlagbrplilwkenstgp.job	rdwexs.exe
File created	C:\Windows\Tasks\vahpnl.job	rurddh.exe
File opened for modification	C:\Windows\Tasks\vahpnl.job	rurddh.exe
File created	C:\Windows\Tasks\rdwexs.job	a7cbdc69144242409bce8285135b61f8.exe
File opened for modification	C:\Windows\Tasks\rdwexs.job	a7cbdc69144242409bce8285135b61f8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

a7cbdc69144242409bce8285135b61f8.exerurddh.exe

pid process

1280 a7cbdc69144242409bce8285135b61f8.exe
1416 rurddh.exe

pid	process
1280	a7cbdc69144242409bce8285135b61f8.exe
1416	rurddh.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 672 wrote to memory of 892	672	taskeng.exe	rdwexs.exe
PID 672 wrote to memory of 892	672	taskeng.exe	rdwexs.exe
PID 672 wrote to memory of 892	672	taskeng.exe	rdwexs.exe
PID 672 wrote to memory of 892	672	taskeng.exe	rdwexs.exe
PID 672 wrote to memory of 1416	672	taskeng.exe	rurddh.exe
PID 672 wrote to memory of 1416	672	taskeng.exe	rurddh.exe
PID 672 wrote to memory of 1416	672	taskeng.exe	rurddh.exe
PID 672 wrote to memory of 1416	672	taskeng.exe	rurddh.exe
PID 672 wrote to memory of 1852	672	taskeng.exe	vahpnl.exe
PID 672 wrote to memory of 1852	672	taskeng.exe	vahpnl.exe
PID 672 wrote to memory of 1852	672	taskeng.exe	vahpnl.exe
PID 672 wrote to memory of 1852	672	taskeng.exe	vahpnl.exe

C:\Users\Admin\AppData\Local\Temp\a7cbdc69144242409bce8285135b61f8.exe
"C:\Users\Admin\AppData\Local\Temp\a7cbdc69144242409bce8285135b61f8.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1280

C:\Windows\system32\taskeng.exe
taskeng.exe {E2C299B4-E4F7-498C-A899-6EB0345F580A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:672
- C:\ProgramData\garkuht\rdwexs.exe
  C:\ProgramData\garkuht\rdwexs.exe start
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:892
- C:\Windows\TEMP\rurddh.exe
  C:\Windows\TEMP\rurddh.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1416
- C:\ProgramData\bpmmh\vahpnl.exe
  C:\ProgramData\bpmmh\vahpnl.exe start
  2⤵
  - Executes dropped EXE
  PID:1852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bpmmh\vahpnl.exe

MD5
503506554b1cfa84d2301e262beeb1f2

SHA1
7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9

SHA256
1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f

SHA512
bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01

Download Submit
C:\ProgramData\bpmmh\vahpnl.exe

MD5
503506554b1cfa84d2301e262beeb1f2

SHA1
7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9

SHA256
1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f

SHA512
bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01

Download Submit
C:\ProgramData\garkuht\rdwexs.exe

MD5
a7cbdc69144242409bce8285135b61f8

SHA1
73594de56be8beaf92392af56c8bcc2fa44a6eac

SHA256
f891e10c9a7b6d0cbbbb6b3d103cf3dc935541430c5363648e6e1a3203bdd76d

SHA512
8f80815e16cdf899946bef69f7068cd8f8c1877e803bffc31a09195e18720a6149205f0dde7428894a81d09c41969d3e7e58d41b670354ec8095ea8e05c86bf3

Download Submit
C:\ProgramData\garkuht\rdwexs.exe

MD5
a7cbdc69144242409bce8285135b61f8

SHA1
73594de56be8beaf92392af56c8bcc2fa44a6eac

SHA256
f891e10c9a7b6d0cbbbb6b3d103cf3dc935541430c5363648e6e1a3203bdd76d

SHA512
8f80815e16cdf899946bef69f7068cd8f8c1877e803bffc31a09195e18720a6149205f0dde7428894a81d09c41969d3e7e58d41b670354ec8095ea8e05c86bf3

Download Submit
C:\Windows\TEMP\rurddh.exe

MD5
503506554b1cfa84d2301e262beeb1f2

SHA1
7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9

SHA256
1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f

SHA512
bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01

Download Submit
C:\Windows\Tasks\rdwexs.job

MD5
ee7f1d7f4b62b816ae92e3041ce395c4

SHA1
84f305a3bd2b8e05966e4f525025e0d5e2e180df

SHA256
7c9d7e9acd67ec734b77cc7f252ba1652b15f21baf56311b0763adb36828aa72

SHA512
a036e1e58f5798fa6e0184eb0d57cf7163d539921699f632ee6951990a1715b3850baa21885cfcb5d658a624a774c25065845c73a7cc9759013fea905c8ca187

Download Submit
C:\Windows\Temp\rurddh.exe

MD5
503506554b1cfa84d2301e262beeb1f2

SHA1
7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9

SHA256
1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f

SHA512
bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01

Download Submit
memory/892-60-0x0000000000000000-mapping.dmp

Download
memory/892-62-0x000000000059E000-0x00000000005A7000-memory.dmp

Filesize
36KB

Download
memory/892-64-0x000000000059E000-0x00000000005A7000-memory.dmp

Filesize
36KB

Download
memory/892-65-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/892-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1280-57-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/1280-58-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1280-54-0x00000000005DE000-0x00000000005E7000-memory.dmp

Filesize
36KB

Download
memory/1280-56-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1280-55-0x00000000005DE000-0x00000000005E7000-memory.dmp

Filesize
36KB

Download
memory/1416-68-0x0000000000000000-mapping.dmp

Download
memory/1416-70-0x00000000005CE000-0x00000000005D6000-memory.dmp

Filesize
32KB

Download
memory/1416-73-0x00000000005CE000-0x00000000005D6000-memory.dmp

Filesize
32KB

Download
memory/1416-74-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1852-76-0x0000000000000000-mapping.dmp

Download
memory/1852-78-0x00000000005EE000-0x00000000005F6000-memory.dmp

Filesize
32KB

Download
memory/1852-80-0x00000000005EE000-0x00000000005F6000-memory.dmp

Filesize
32KB

Download
memory/1852-81-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing