systembc | e960e512b8735a1e90204bf95090e4c8212ffeca04ea5129c9377e4a3c7e16f5

General

Target

e960e512b8735a1e90204bf95090e4c8212ffeca04ea5129c9377e4a3c7e16f5.exe
Size

229KB
MD5

2da57db157586f8d96d3bf2cffa4b630
SHA1

b1225c324df88955b9da69b85e3788b645e8684f
SHA256

e960e512b8735a1e90204bf95090e4c8212ffeca04ea5129c9377e4a3c7e16f5
SHA512

f680298390f2ad172faf870c8bb4ab778a55d698bc27460c9f98a0cf76ed4897b2d600c89b4d3ca5be583e8dfaabd6ab9902befac4c89a1c909129a539c15c77

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

spjx.exepmvf.exexrjpn.exe

pid process

2996 spjx.exe
1936 pmvf.exe
4248 xrjpn.exe

pid	process
2996	spjx.exe
1936	pmvf.exe
4248	xrjpn.exe

Drops file in Windows directory 5 IoCs

Processes:

e960e512b8735a1e90204bf95090e4c8212ffeca04ea5129c9377e4a3c7e16f5.exespjx.exepmvf.exe

description	ioc	process
File created	C:\Windows\Tasks\spjx.job	e960e512b8735a1e90204bf95090e4c8212ffeca04ea5129c9377e4a3c7e16f5.exe
File opened for modification	C:\Windows\Tasks\spjx.job	e960e512b8735a1e90204bf95090e4c8212ffeca04ea5129c9377e4a3c7e16f5.exe
File created	C:\Windows\Tasks\ieldpdpdpdpdpdpdpdp.job	spjx.exe
File created	C:\Windows\Tasks\xrjpn.job	pmvf.exe
File opened for modification	C:\Windows\Tasks\xrjpn.job	pmvf.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2596 3768 WerFault.exe e960e512b8735a1e90204bf95090e4c8212ffeca04ea5129c9377e4a3c7e16f5.exe

pid	pid_target	process	target process
2596	3768	WerFault.exe	e960e512b8735a1e90204bf95090e4c8212ffeca04ea5129c9377e4a3c7e16f5.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

e960e512b8735a1e90204bf95090e4c8212ffeca04ea5129c9377e4a3c7e16f5.exepmvf.exe

pid	process
3768	e960e512b8735a1e90204bf95090e4c8212ffeca04ea5129c9377e4a3c7e16f5.exe
3768	e960e512b8735a1e90204bf95090e4c8212ffeca04ea5129c9377e4a3c7e16f5.exe
1936	pmvf.exe
1936	pmvf.exe

C:\Users\Admin\AppData\Local\Temp\e960e512b8735a1e90204bf95090e4c8212ffeca04ea5129c9377e4a3c7e16f5.exe
"C:\Users\Admin\AppData\Local\Temp\e960e512b8735a1e90204bf95090e4c8212ffeca04ea5129c9377e4a3c7e16f5.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3768
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3768 -s 956
  2⤵
  - Program crash
  PID:2596

C:\ProgramData\taewvgp\spjx.exe
C:\ProgramData\taewvgp\spjx.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3768 -ip 3768
1⤵
PID:3608

C:\Windows\TEMP\pmvf.exe
C:\Windows\TEMP\pmvf.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1936

C:\ProgramData\dcqkcor\xrjpn.exe
C:\ProgramData\dcqkcor\xrjpn.exe start
1⤵
- Executes dropped EXE
PID:4248

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dcqkcor\xrjpn.exe

MD5
2da57db157586f8d96d3bf2cffa4b630

SHA1
b1225c324df88955b9da69b85e3788b645e8684f

SHA256
e960e512b8735a1e90204bf95090e4c8212ffeca04ea5129c9377e4a3c7e16f5

SHA512
f680298390f2ad172faf870c8bb4ab778a55d698bc27460c9f98a0cf76ed4897b2d600c89b4d3ca5be583e8dfaabd6ab9902befac4c89a1c909129a539c15c77

Download Submit
C:\ProgramData\dcqkcor\xrjpn.exe

MD5
2da57db157586f8d96d3bf2cffa4b630

SHA1
b1225c324df88955b9da69b85e3788b645e8684f

SHA256
e960e512b8735a1e90204bf95090e4c8212ffeca04ea5129c9377e4a3c7e16f5

SHA512
f680298390f2ad172faf870c8bb4ab778a55d698bc27460c9f98a0cf76ed4897b2d600c89b4d3ca5be583e8dfaabd6ab9902befac4c89a1c909129a539c15c77

Download Submit
C:\ProgramData\taewvgp\spjx.exe

MD5
2da57db157586f8d96d3bf2cffa4b630

SHA1
b1225c324df88955b9da69b85e3788b645e8684f

SHA256
e960e512b8735a1e90204bf95090e4c8212ffeca04ea5129c9377e4a3c7e16f5

SHA512
f680298390f2ad172faf870c8bb4ab778a55d698bc27460c9f98a0cf76ed4897b2d600c89b4d3ca5be583e8dfaabd6ab9902befac4c89a1c909129a539c15c77

Download Submit
C:\ProgramData\taewvgp\spjx.exe

MD5
2da57db157586f8d96d3bf2cffa4b630

SHA1
b1225c324df88955b9da69b85e3788b645e8684f

SHA256
e960e512b8735a1e90204bf95090e4c8212ffeca04ea5129c9377e4a3c7e16f5

SHA512
f680298390f2ad172faf870c8bb4ab778a55d698bc27460c9f98a0cf76ed4897b2d600c89b4d3ca5be583e8dfaabd6ab9902befac4c89a1c909129a539c15c77

Download Submit
C:\Windows\TEMP\pmvf.exe

MD5
2da57db157586f8d96d3bf2cffa4b630

SHA1
b1225c324df88955b9da69b85e3788b645e8684f

SHA256
e960e512b8735a1e90204bf95090e4c8212ffeca04ea5129c9377e4a3c7e16f5

SHA512
f680298390f2ad172faf870c8bb4ab778a55d698bc27460c9f98a0cf76ed4897b2d600c89b4d3ca5be583e8dfaabd6ab9902befac4c89a1c909129a539c15c77

Download Submit
C:\Windows\Tasks\spjx.job

MD5
cb9b4773437728c35bd4bc3e89d8dfa5

SHA1
5ee399bf1146a1ee08ae52348b6fb7b5388ef470

SHA256
17f9b50a32373f8e6fac63b5bc437ada497a3ed70d0dab1de67761539d0d7385

SHA512
b45d9fc23b943ba71117c8dcf5eee99ff9e9706f06a039193070130cc6eb436679cdf27adec8c0b594c6894a19c634e25cac2fd943b4f29ff2aac449b4a376e2

Download Submit
C:\Windows\Temp\pmvf.exe

MD5
2da57db157586f8d96d3bf2cffa4b630

SHA1
b1225c324df88955b9da69b85e3788b645e8684f

SHA256
e960e512b8735a1e90204bf95090e4c8212ffeca04ea5129c9377e4a3c7e16f5

SHA512
f680298390f2ad172faf870c8bb4ab778a55d698bc27460c9f98a0cf76ed4897b2d600c89b4d3ca5be583e8dfaabd6ab9902befac4c89a1c909129a539c15c77

Download Submit
memory/1936-141-0x0000000000519000-0x0000000000521000-memory.dmp

Filesize
32KB

Download
memory/1936-143-0x0000000000519000-0x0000000000521000-memory.dmp

Filesize
32KB

Download
memory/1936-144-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/2996-136-0x00000000004F9000-0x0000000000501000-memory.dmp

Filesize
32KB

Download
memory/2996-137-0x00000000004F9000-0x0000000000501000-memory.dmp

Filesize
32KB

Download
memory/2996-138-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3768-133-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/3768-130-0x000000000061C000-0x0000000000625000-memory.dmp

Filesize
36KB

Download
memory/3768-132-0x00000000005D0000-0x00000000005D9000-memory.dmp

Filesize
36KB

Download
memory/3768-131-0x000000000061C000-0x0000000000625000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing