systembc | 4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24

General

Target

4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24.exe
Size

227KB
MD5

477079b5846088b1e126ae08735d36c1
SHA1

8f26d9582fa44498f7a6abb17e45554ca115ab79
SHA256

4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24
SHA512

2520257f0a333821d0f39f4db811b422c8cb1d48869a237c39d40fbcd3c49822e17d48d9c854daee807bae2b9b0c2487576e93ccdbff947e82d9cd537c3f58c7

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

jtktrxn.exegjhreor.execefrtnx.exe

pid process

2400 jtktrxn.exe
3900 gjhreor.exe
604 cefrtnx.exe

pid	process
2400	jtktrxn.exe
3900	gjhreor.exe
604	cefrtnx.exe

Drops file in Windows directory 5 IoCs

Processes:

4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24.exejtktrxn.exegjhreor.exe

description	ioc	process
File created	C:\Windows\Tasks\jtktrxn.job	4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24.exe
File opened for modification	C:\Windows\Tasks\jtktrxn.job	4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24.exe
File created	C:\Windows\Tasks\ssvsflqtehhkcofjame.job	jtktrxn.exe
File created	C:\Windows\Tasks\cefrtnx.job	gjhreor.exe
File opened for modification	C:\Windows\Tasks\cefrtnx.job	gjhreor.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24.exegjhreor.exe

pid	process
1852	4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24.exe
1852	4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24.exe
3900	gjhreor.exe
3900	gjhreor.exe

C:\Users\Admin\AppData\Local\Temp\4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24.exe
"C:\Users\Admin\AppData\Local\Temp\4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1852

C:\ProgramData\tcoxiso\jtktrxn.exe
C:\ProgramData\tcoxiso\jtktrxn.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2400

C:\Windows\TEMP\gjhreor.exe
C:\Windows\TEMP\gjhreor.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3900

C:\ProgramData\cwrcv\cefrtnx.exe
C:\ProgramData\cwrcv\cefrtnx.exe start
1⤵
- Executes dropped EXE
PID:604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cwrcv\cefrtnx.exe
MD5
477079b5846088b1e126ae08735d36c1

SHA1
8f26d9582fa44498f7a6abb17e45554ca115ab79

SHA256
4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24

SHA512
2520257f0a333821d0f39f4db811b422c8cb1d48869a237c39d40fbcd3c49822e17d48d9c854daee807bae2b9b0c2487576e93ccdbff947e82d9cd537c3f58c7

Download Submit
C:\ProgramData\cwrcv\cefrtnx.exe
MD5
477079b5846088b1e126ae08735d36c1

SHA1
8f26d9582fa44498f7a6abb17e45554ca115ab79

SHA256
4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24

SHA512
2520257f0a333821d0f39f4db811b422c8cb1d48869a237c39d40fbcd3c49822e17d48d9c854daee807bae2b9b0c2487576e93ccdbff947e82d9cd537c3f58c7

Download Submit
C:\ProgramData\tcoxiso\jtktrxn.exe
MD5
477079b5846088b1e126ae08735d36c1

SHA1
8f26d9582fa44498f7a6abb17e45554ca115ab79

SHA256
4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24

SHA512
2520257f0a333821d0f39f4db811b422c8cb1d48869a237c39d40fbcd3c49822e17d48d9c854daee807bae2b9b0c2487576e93ccdbff947e82d9cd537c3f58c7

Download Submit
C:\ProgramData\tcoxiso\jtktrxn.exe
MD5
477079b5846088b1e126ae08735d36c1

SHA1
8f26d9582fa44498f7a6abb17e45554ca115ab79

SHA256
4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24

SHA512
2520257f0a333821d0f39f4db811b422c8cb1d48869a237c39d40fbcd3c49822e17d48d9c854daee807bae2b9b0c2487576e93ccdbff947e82d9cd537c3f58c7

Download Submit
C:\Windows\TEMP\gjhreor.exe
MD5
477079b5846088b1e126ae08735d36c1

SHA1
8f26d9582fa44498f7a6abb17e45554ca115ab79

SHA256
4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24

SHA512
2520257f0a333821d0f39f4db811b422c8cb1d48869a237c39d40fbcd3c49822e17d48d9c854daee807bae2b9b0c2487576e93ccdbff947e82d9cd537c3f58c7

Download Submit
C:\Windows\Tasks\jtktrxn.job
MD5
fdb7fc83c91b6c50b65eab44b1c666e9

SHA1
aa0bc81b24b78e4099bafb77a2e3d206d96f3ce5

SHA256
abc83b3a56aa5936f8e63436543055cdddd5e47f4c5561bafff34756c2d799bf

SHA512
603fe15e8d5a5f2ab762430493ba39bc52800c207a962d8b3065de52a81ac25dab336bf98f79f9ce12c5bf6d8d4b1880e9cdcce6b1835a56a86d1fa9437e6f2b

Download Submit
C:\Windows\Temp\gjhreor.exe
MD5
477079b5846088b1e126ae08735d36c1

SHA1
8f26d9582fa44498f7a6abb17e45554ca115ab79

SHA256
4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24

SHA512
2520257f0a333821d0f39f4db811b422c8cb1d48869a237c39d40fbcd3c49822e17d48d9c854daee807bae2b9b0c2487576e93ccdbff947e82d9cd537c3f58c7

Download Submit
memory/604-139-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/604-138-0x0000000000480000-0x000000000052E000-memory.dmp

Filesize
696KB

Download
memory/604-137-0x0000000000480000-0x000000000052E000-memory.dmp

Filesize
696KB

Download
memory/1852-119-0x0000000000739000-0x0000000000742000-memory.dmp

Filesize
36KB

Download
memory/1852-120-0x00000000005F0000-0x00000000005F9000-memory.dmp

Filesize
36KB

Download
memory/1852-121-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1852-118-0x0000000000739000-0x0000000000742000-memory.dmp

Filesize
36KB

Download
memory/2400-126-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2400-125-0x0000000000480000-0x000000000052E000-memory.dmp

Filesize
696KB

Download
memory/3900-129-0x0000000000784000-0x000000000078C000-memory.dmp

Filesize
32KB

Download
memory/3900-131-0x0000000000784000-0x000000000078C000-memory.dmp

Filesize
32KB

Download
memory/3900-132-0x0000000000480000-0x00000000005CA000-memory.dmp

Filesize
1.3MB

Download
memory/3900-133-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download

Analysis

Sharing