systembc | 7861180570ecfb48fccc3e1cff748974c64e58c31530aee4f9243af810200cc3

General

Target

7861180570ecfb48fccc3e1cff748974c64e58c31530aee4f9243af810200cc3.exe
Size

230KB
MD5

1084219642d497a177c7a02c9c31b193
SHA1

d98644be834e7d3d12346956986f40fb6f50cdf9
SHA256

7861180570ecfb48fccc3e1cff748974c64e58c31530aee4f9243af810200cc3
SHA512

a9e47b2fc6c67ce395adf4f74d4eeb0ecd6ebe79062b61625acb95b6ce7fce0f95adb0b10985ade965c61190564c2a2345be119c3c5c4a6bd99e346495dd82bb

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

rqwusp.exeacavga.exeakvnsgs.exe

pid process

3888 rqwusp.exe
440 acavga.exe
3772 akvnsgs.exe

pid	process
3888	rqwusp.exe
440	acavga.exe
3772	akvnsgs.exe

Drops file in Windows directory 5 IoCs

Processes:

7861180570ecfb48fccc3e1cff748974c64e58c31530aee4f9243af810200cc3.exerqwusp.exeacavga.exe

description	ioc	process
File created	C:\Windows\Tasks\rqwusp.job	7861180570ecfb48fccc3e1cff748974c64e58c31530aee4f9243af810200cc3.exe
File opened for modification	C:\Windows\Tasks\rqwusp.job	7861180570ecfb48fccc3e1cff748974c64e58c31530aee4f9243af810200cc3.exe
File created	C:\Windows\Tasks\xklrlajdoxmbpeshvkx.job	rqwusp.exe
File created	C:\Windows\Tasks\akvnsgs.job	acavga.exe
File opened for modification	C:\Windows\Tasks\akvnsgs.job	acavga.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

7861180570ecfb48fccc3e1cff748974c64e58c31530aee4f9243af810200cc3.exeacavga.exe

pid	process
3984	7861180570ecfb48fccc3e1cff748974c64e58c31530aee4f9243af810200cc3.exe
3984	7861180570ecfb48fccc3e1cff748974c64e58c31530aee4f9243af810200cc3.exe
440	acavga.exe
440	acavga.exe

C:\Users\Admin\AppData\Local\Temp\7861180570ecfb48fccc3e1cff748974c64e58c31530aee4f9243af810200cc3.exe
"C:\Users\Admin\AppData\Local\Temp\7861180570ecfb48fccc3e1cff748974c64e58c31530aee4f9243af810200cc3.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3984

C:\ProgramData\icmm\rqwusp.exe
C:\ProgramData\icmm\rqwusp.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3888

C:\Windows\TEMP\acavga.exe
C:\Windows\TEMP\acavga.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:440

C:\ProgramData\hdmlk\akvnsgs.exe
C:\ProgramData\hdmlk\akvnsgs.exe start
1⤵
- Executes dropped EXE
PID:3772

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\hdmlk\akvnsgs.exe

MD5
1084219642d497a177c7a02c9c31b193

SHA1
d98644be834e7d3d12346956986f40fb6f50cdf9

SHA256
7861180570ecfb48fccc3e1cff748974c64e58c31530aee4f9243af810200cc3

SHA512
a9e47b2fc6c67ce395adf4f74d4eeb0ecd6ebe79062b61625acb95b6ce7fce0f95adb0b10985ade965c61190564c2a2345be119c3c5c4a6bd99e346495dd82bb

Download Submit
C:\ProgramData\hdmlk\akvnsgs.exe

MD5
1084219642d497a177c7a02c9c31b193

SHA1
d98644be834e7d3d12346956986f40fb6f50cdf9

SHA256
7861180570ecfb48fccc3e1cff748974c64e58c31530aee4f9243af810200cc3

SHA512
a9e47b2fc6c67ce395adf4f74d4eeb0ecd6ebe79062b61625acb95b6ce7fce0f95adb0b10985ade965c61190564c2a2345be119c3c5c4a6bd99e346495dd82bb

Download Submit
C:\ProgramData\icmm\rqwusp.exe

MD5
1084219642d497a177c7a02c9c31b193

SHA1
d98644be834e7d3d12346956986f40fb6f50cdf9

SHA256
7861180570ecfb48fccc3e1cff748974c64e58c31530aee4f9243af810200cc3

SHA512
a9e47b2fc6c67ce395adf4f74d4eeb0ecd6ebe79062b61625acb95b6ce7fce0f95adb0b10985ade965c61190564c2a2345be119c3c5c4a6bd99e346495dd82bb

Download Submit
C:\ProgramData\icmm\rqwusp.exe

MD5
1084219642d497a177c7a02c9c31b193

SHA1
d98644be834e7d3d12346956986f40fb6f50cdf9

SHA256
7861180570ecfb48fccc3e1cff748974c64e58c31530aee4f9243af810200cc3

SHA512
a9e47b2fc6c67ce395adf4f74d4eeb0ecd6ebe79062b61625acb95b6ce7fce0f95adb0b10985ade965c61190564c2a2345be119c3c5c4a6bd99e346495dd82bb

Download Submit
C:\Windows\TEMP\acavga.exe

MD5
1084219642d497a177c7a02c9c31b193

SHA1
d98644be834e7d3d12346956986f40fb6f50cdf9

SHA256
7861180570ecfb48fccc3e1cff748974c64e58c31530aee4f9243af810200cc3

SHA512
a9e47b2fc6c67ce395adf4f74d4eeb0ecd6ebe79062b61625acb95b6ce7fce0f95adb0b10985ade965c61190564c2a2345be119c3c5c4a6bd99e346495dd82bb

Download Submit
C:\Windows\Tasks\rqwusp.job

MD5
86cfb894b27d69bfbc32cf55eca54684

SHA1
c85e47556f9836cbf4c14af85e10300e907b1155

SHA256
43ce8dd02bc8edd4e068abaa219eeca3e7097707ebbea49cb4385a0fd92e5ba7

SHA512
259edd38f2844a588f1b9ef8c5f9729ff62d395a62936e860c3af2aac07303487945b73877ed02d2f4101b3be31dc1144c74e2a37fe6f5b75ecb8b7d834b4878

Download Submit
C:\Windows\Temp\acavga.exe

MD5
1084219642d497a177c7a02c9c31b193

SHA1
d98644be834e7d3d12346956986f40fb6f50cdf9

SHA256
7861180570ecfb48fccc3e1cff748974c64e58c31530aee4f9243af810200cc3

SHA512
a9e47b2fc6c67ce395adf4f74d4eeb0ecd6ebe79062b61625acb95b6ce7fce0f95adb0b10985ade965c61190564c2a2345be119c3c5c4a6bd99e346495dd82bb

Download Submit
memory/440-129-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/440-126-0x00000000005D4000-0x00000000005DD000-memory.dmp

Filesize
36KB

Download
memory/440-128-0x00000000005D4000-0x00000000005DD000-memory.dmp

Filesize
36KB

Download
memory/3772-135-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3772-134-0x0000000000480000-0x00000000005CA000-memory.dmp

Filesize
1.3MB

Download
memory/3772-133-0x0000000000784000-0x000000000078D000-memory.dmp

Filesize
36KB

Download
memory/3772-132-0x0000000000784000-0x000000000078D000-memory.dmp

Filesize
36KB

Download
memory/3888-123-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3888-122-0x00000000008B0000-0x00000000008B9000-memory.dmp

Filesize
36KB

Download
memory/3888-121-0x0000000000560000-0x00000000006AA000-memory.dmp

Filesize
1.3MB

Download
memory/3984-116-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/3984-115-0x0000000000719000-0x0000000000722000-memory.dmp

Filesize
36KB

Download
memory/3984-117-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3984-114-0x0000000000719000-0x0000000000722000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing