systembc | f891e10c9a7b6d0cbbbb6b3d103cf3dc935541430c5363648e6e1a3203bdd76d

General

Target

a7cbdc69144242409bce8285135b61f8.exe
Size

223KB
MD5

a7cbdc69144242409bce8285135b61f8
SHA1

73594de56be8beaf92392af56c8bcc2fa44a6eac
SHA256

f891e10c9a7b6d0cbbbb6b3d103cf3dc935541430c5363648e6e1a3203bdd76d
SHA512

8f80815e16cdf899946bef69f7068cd8f8c1877e803bffc31a09195e18720a6149205f0dde7428894a81d09c41969d3e7e58d41b670354ec8095ea8e05c86bf3

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

wgavl.exeahjp.exerobt.exe

pid process

3296 wgavl.exe
4044 ahjp.exe
4056 robt.exe

pid	process
3296	wgavl.exe
4044	ahjp.exe
4056	robt.exe

Drops file in Windows directory 5 IoCs

Processes:

ahjp.exea7cbdc69144242409bce8285135b61f8.exewgavl.exe

description	ioc	process
File created	C:\Windows\Tasks\robt.job	ahjp.exe
File opened for modification	C:\Windows\Tasks\robt.job	ahjp.exe
File created	C:\Windows\Tasks\wgavl.job	a7cbdc69144242409bce8285135b61f8.exe
File opened for modification	C:\Windows\Tasks\wgavl.job	a7cbdc69144242409bce8285135b61f8.exe
File created	C:\Windows\Tasks\awwvxtjftplhvrhdxsj.job	wgavl.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4496 3664 WerFault.exe a7cbdc69144242409bce8285135b61f8.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a7cbdc69144242409bce8285135b61f8.exeahjp.exe

pid process

3664 a7cbdc69144242409bce8285135b61f8.exe
3664 a7cbdc69144242409bce8285135b61f8.exe
4044 ahjp.exe
4044 ahjp.exe

pid	pid_target	process	target process
4496	3664	WerFault.exe	a7cbdc69144242409bce8285135b61f8.exe

pid	process
3664	a7cbdc69144242409bce8285135b61f8.exe
3664	a7cbdc69144242409bce8285135b61f8.exe
4044	ahjp.exe
4044	ahjp.exe

C:\Users\Admin\AppData\Local\Temp\a7cbdc69144242409bce8285135b61f8.exe
"C:\Users\Admin\AppData\Local\Temp\a7cbdc69144242409bce8285135b61f8.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 484
  2⤵
  - Program crash
  PID:4496

C:\ProgramData\fcsinj\wgavl.exe
C:\ProgramData\fcsinj\wgavl.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3664 -ip 3664
1⤵
PID:4332

C:\Windows\TEMP\ahjp.exe
C:\Windows\TEMP\ahjp.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4044

C:\ProgramData\neee\robt.exe
C:\ProgramData\neee\robt.exe start
1⤵
- Executes dropped EXE
PID:4056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fcsinj\wgavl.exe

MD5
a7cbdc69144242409bce8285135b61f8

SHA1
73594de56be8beaf92392af56c8bcc2fa44a6eac

SHA256
f891e10c9a7b6d0cbbbb6b3d103cf3dc935541430c5363648e6e1a3203bdd76d

SHA512
8f80815e16cdf899946bef69f7068cd8f8c1877e803bffc31a09195e18720a6149205f0dde7428894a81d09c41969d3e7e58d41b670354ec8095ea8e05c86bf3

Download Submit
C:\ProgramData\fcsinj\wgavl.exe

MD5
a7cbdc69144242409bce8285135b61f8

SHA1
73594de56be8beaf92392af56c8bcc2fa44a6eac

SHA256
f891e10c9a7b6d0cbbbb6b3d103cf3dc935541430c5363648e6e1a3203bdd76d

SHA512
8f80815e16cdf899946bef69f7068cd8f8c1877e803bffc31a09195e18720a6149205f0dde7428894a81d09c41969d3e7e58d41b670354ec8095ea8e05c86bf3

Download Submit
C:\ProgramData\neee\robt.exe

MD5
503506554b1cfa84d2301e262beeb1f2

SHA1
7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9

SHA256
1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f

SHA512
bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01

Download Submit
C:\ProgramData\neee\robt.exe

MD5
503506554b1cfa84d2301e262beeb1f2

SHA1
7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9

SHA256
1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f

SHA512
bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01

Download Submit
C:\Windows\TEMP\ahjp.exe

MD5
503506554b1cfa84d2301e262beeb1f2

SHA1
7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9

SHA256
1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f

SHA512
bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01

Download Submit
C:\Windows\Tasks\wgavl.job

MD5
511470d9d9dfe8ddb3275d4dd4d748d1

SHA1
159e524cb198ce8c0377f04ed159f0dd1ac072d3

SHA256
5039e46ebbdbcab5d8a54a4758f2ddb0e7ea5d40fff5f994477b890bfe536962

SHA512
dafe8a085532c8dc03df172487500d2e52b9b25055e424608f83a48df9c5f5eff86268afbad8697ecc52f75a67cb5d9bc5630268c843bce52d0a2eb18cccb0e4

Download Submit
C:\Windows\Temp\ahjp.exe

MD5
503506554b1cfa84d2301e262beeb1f2

SHA1
7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9

SHA256
1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f

SHA512
bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01

Download Submit
memory/3296-136-0x0000000000695000-0x000000000069E000-memory.dmp

Filesize
36KB

Download
memory/3296-138-0x00000000004C0000-0x00000000004C9000-memory.dmp

Filesize
36KB

Download
memory/3296-139-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3296-137-0x0000000000695000-0x000000000069E000-memory.dmp

Filesize
36KB

Download
memory/3664-133-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/3664-130-0x00000000004D8000-0x00000000004E1000-memory.dmp

Filesize
36KB

Download
memory/3664-132-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/3664-131-0x00000000004D8000-0x00000000004E1000-memory.dmp

Filesize
36KB

Download
memory/4044-142-0x0000000000745000-0x000000000074E000-memory.dmp

Filesize
36KB

Download
memory/4044-144-0x0000000000745000-0x000000000074E000-memory.dmp

Filesize
36KB

Download
memory/4044-145-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/4056-148-0x00000000004F5000-0x00000000004FE000-memory.dmp

Filesize
36KB

Download
memory/4056-149-0x00000000004F5000-0x00000000004FE000-memory.dmp

Filesize
36KB

Download
memory/4056-150-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads