systembc | 1c78364dfbd92a622c9b580de759242122e8996ad6490885428c5c86b2bcab5c

General

Target

1c78364dfbd92a622c9b580de759242122e8996ad6490885428c5c86b2bcab5c.exe
Size

230KB
MD5

ab09bf44a4158a298817de928ca824ed
SHA1

017ecdbe9cf8aab6940ca6fd551971b2d4ba7de1
SHA256

1c78364dfbd92a622c9b580de759242122e8996ad6490885428c5c86b2bcab5c
SHA512

1681ccdd0ddfffd4ebdaff5e2e98d67d00f249ae526ec29869cf3da924074d821baa5044f5e61559702b3dae14cffd2cb0e4ea0d528c7f9f648794dcdb060473

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

hokcxw.exepukgqsf.exeakrp.exe

pid process

2208 hokcxw.exe
3464 pukgqsf.exe
1256 akrp.exe

pid	process
2208	hokcxw.exe
3464	pukgqsf.exe
1256	akrp.exe

Drops file in Windows directory 5 IoCs

Processes:

hokcxw.exepukgqsf.exe1c78364dfbd92a622c9b580de759242122e8996ad6490885428c5c86b2bcab5c.exe

description	ioc	process
File created	C:\Windows\Tasks\cumrwsubtsxeafejurw.job	hokcxw.exe
File created	C:\Windows\Tasks\akrp.job	pukgqsf.exe
File opened for modification	C:\Windows\Tasks\akrp.job	pukgqsf.exe
File created	C:\Windows\Tasks\hokcxw.job	1c78364dfbd92a622c9b580de759242122e8996ad6490885428c5c86b2bcab5c.exe
File opened for modification	C:\Windows\Tasks\hokcxw.job	1c78364dfbd92a622c9b580de759242122e8996ad6490885428c5c86b2bcab5c.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1c78364dfbd92a622c9b580de759242122e8996ad6490885428c5c86b2bcab5c.exepukgqsf.exe

pid	process
1840	1c78364dfbd92a622c9b580de759242122e8996ad6490885428c5c86b2bcab5c.exe
1840	1c78364dfbd92a622c9b580de759242122e8996ad6490885428c5c86b2bcab5c.exe
3464	pukgqsf.exe
3464	pukgqsf.exe

C:\Users\Admin\AppData\Local\Temp\1c78364dfbd92a622c9b580de759242122e8996ad6490885428c5c86b2bcab5c.exe
"C:\Users\Admin\AppData\Local\Temp\1c78364dfbd92a622c9b580de759242122e8996ad6490885428c5c86b2bcab5c.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1840

C:\ProgramData\fcmjfc\hokcxw.exe
C:\ProgramData\fcmjfc\hokcxw.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2208

C:\Windows\TEMP\pukgqsf.exe
C:\Windows\TEMP\pukgqsf.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3464

C:\ProgramData\eludw\akrp.exe
C:\ProgramData\eludw\akrp.exe start
1⤵
- Executes dropped EXE
PID:1256

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\eludw\akrp.exe

MD5
ab09bf44a4158a298817de928ca824ed

SHA1
017ecdbe9cf8aab6940ca6fd551971b2d4ba7de1

SHA256
1c78364dfbd92a622c9b580de759242122e8996ad6490885428c5c86b2bcab5c

SHA512
1681ccdd0ddfffd4ebdaff5e2e98d67d00f249ae526ec29869cf3da924074d821baa5044f5e61559702b3dae14cffd2cb0e4ea0d528c7f9f648794dcdb060473

Download Submit
C:\ProgramData\eludw\akrp.exe

MD5
ab09bf44a4158a298817de928ca824ed

SHA1
017ecdbe9cf8aab6940ca6fd551971b2d4ba7de1

SHA256
1c78364dfbd92a622c9b580de759242122e8996ad6490885428c5c86b2bcab5c

SHA512
1681ccdd0ddfffd4ebdaff5e2e98d67d00f249ae526ec29869cf3da924074d821baa5044f5e61559702b3dae14cffd2cb0e4ea0d528c7f9f648794dcdb060473

Download Submit
C:\ProgramData\fcmjfc\hokcxw.exe

MD5
ab09bf44a4158a298817de928ca824ed

SHA1
017ecdbe9cf8aab6940ca6fd551971b2d4ba7de1

SHA256
1c78364dfbd92a622c9b580de759242122e8996ad6490885428c5c86b2bcab5c

SHA512
1681ccdd0ddfffd4ebdaff5e2e98d67d00f249ae526ec29869cf3da924074d821baa5044f5e61559702b3dae14cffd2cb0e4ea0d528c7f9f648794dcdb060473

Download Submit
C:\ProgramData\fcmjfc\hokcxw.exe

MD5
ab09bf44a4158a298817de928ca824ed

SHA1
017ecdbe9cf8aab6940ca6fd551971b2d4ba7de1

SHA256
1c78364dfbd92a622c9b580de759242122e8996ad6490885428c5c86b2bcab5c

SHA512
1681ccdd0ddfffd4ebdaff5e2e98d67d00f249ae526ec29869cf3da924074d821baa5044f5e61559702b3dae14cffd2cb0e4ea0d528c7f9f648794dcdb060473

Download Submit
C:\Windows\TEMP\pukgqsf.exe

MD5
ab09bf44a4158a298817de928ca824ed

SHA1
017ecdbe9cf8aab6940ca6fd551971b2d4ba7de1

SHA256
1c78364dfbd92a622c9b580de759242122e8996ad6490885428c5c86b2bcab5c

SHA512
1681ccdd0ddfffd4ebdaff5e2e98d67d00f249ae526ec29869cf3da924074d821baa5044f5e61559702b3dae14cffd2cb0e4ea0d528c7f9f648794dcdb060473

Download Submit
C:\Windows\Tasks\hokcxw.job

MD5
f5ea0d8a32bbf7f14bd82853d0cfd44b

SHA1
c0e009dcf2754a6f8a3a5db590d5ec4ce449deac

SHA256
11f9bec4aa7b9420a58871822bfe44c2311b4a3b9d542f0f7f551f92686b23e0

SHA512
fba361b1731623259957644dcdad35493c9f6799d3c16eeaa118975a4a2ed336cad71ad577700a43ee0256ef18e720a8d7fcd7f31a9398f4023302b2e3a1a42f

Download Submit
C:\Windows\Temp\pukgqsf.exe

MD5
ab09bf44a4158a298817de928ca824ed

SHA1
017ecdbe9cf8aab6940ca6fd551971b2d4ba7de1

SHA256
1c78364dfbd92a622c9b580de759242122e8996ad6490885428c5c86b2bcab5c

SHA512
1681ccdd0ddfffd4ebdaff5e2e98d67d00f249ae526ec29869cf3da924074d821baa5044f5e61559702b3dae14cffd2cb0e4ea0d528c7f9f648794dcdb060473

Download Submit
memory/1256-140-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1256-139-0x00000000004D0000-0x000000000057E000-memory.dmp

Filesize
696KB

Download
memory/1256-138-0x00000000004D0000-0x000000000057E000-memory.dmp

Filesize
696KB

Download
memory/1840-119-0x00000000005B0000-0x00000000006FA000-memory.dmp

Filesize
1.3MB

Download
memory/1840-121-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1840-120-0x00000000005B0000-0x00000000006FA000-memory.dmp

Filesize
1.3MB

Download
memory/2208-125-0x00000000004E0000-0x000000000062A000-memory.dmp

Filesize
1.3MB

Download
memory/2208-127-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2208-126-0x00000000004E0000-0x000000000062A000-memory.dmp

Filesize
1.3MB

Download
memory/3464-134-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3464-133-0x0000000000480000-0x00000000005CA000-memory.dmp

Filesize
1.3MB

Download
memory/3464-132-0x0000000000744000-0x000000000074D000-memory.dmp

Filesize
36KB

Download
memory/3464-130-0x0000000000744000-0x000000000074D000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing