systembc | dd66596565f3e21ea6a94a8b54a5c14ba82f55c80e129444831ba2fca75fd5cb

General

Target

dd66596565f3e21ea6a94a8b54a5c14ba82f55c80e129444831ba2fca75fd5cb.exe
Size

271KB
MD5

5d4833eb214c52f6b08a50ce6c4f17dd
SHA1

c7da5144c19e720cf74138e76ff4a011cfd7fa55
SHA256

dd66596565f3e21ea6a94a8b54a5c14ba82f55c80e129444831ba2fca75fd5cb
SHA512

cbc89227024d622f26b0a6ee1213c8a8b9e02bc5fad558c6a3b5afd5651bf6788a2590d98e31a930f4623dfea575d10b8256ccd696d2db03a16bedea25bba24a

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

vxhrlh.exewcgtcm.exelucxub.exe

pid process

3848 vxhrlh.exe
3804 wcgtcm.exe
1788 lucxub.exe

pid	process
3848	vxhrlh.exe
3804	wcgtcm.exe
1788	lucxub.exe

Drops file in Windows directory 5 IoCs

Processes:

vxhrlh.exewcgtcm.exedd66596565f3e21ea6a94a8b54a5c14ba82f55c80e129444831ba2fca75fd5cb.exe

description	ioc	process
File created	C:\Windows\Tasks\gwgplhuvhxgjnxankvw.job	vxhrlh.exe
File created	C:\Windows\Tasks\lucxub.job	wcgtcm.exe
File opened for modification	C:\Windows\Tasks\lucxub.job	wcgtcm.exe
File created	C:\Windows\Tasks\vxhrlh.job	dd66596565f3e21ea6a94a8b54a5c14ba82f55c80e129444831ba2fca75fd5cb.exe
File opened for modification	C:\Windows\Tasks\vxhrlh.job	dd66596565f3e21ea6a94a8b54a5c14ba82f55c80e129444831ba2fca75fd5cb.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

dd66596565f3e21ea6a94a8b54a5c14ba82f55c80e129444831ba2fca75fd5cb.exewcgtcm.exe

pid	process
2388	dd66596565f3e21ea6a94a8b54a5c14ba82f55c80e129444831ba2fca75fd5cb.exe
2388	dd66596565f3e21ea6a94a8b54a5c14ba82f55c80e129444831ba2fca75fd5cb.exe
3804	wcgtcm.exe
3804	wcgtcm.exe

C:\Users\Admin\AppData\Local\Temp\dd66596565f3e21ea6a94a8b54a5c14ba82f55c80e129444831ba2fca75fd5cb.exe
"C:\Users\Admin\AppData\Local\Temp\dd66596565f3e21ea6a94a8b54a5c14ba82f55c80e129444831ba2fca75fd5cb.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2388

C:\ProgramData\mavhhqo\vxhrlh.exe
C:\ProgramData\mavhhqo\vxhrlh.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3848

C:\Windows\TEMP\wcgtcm.exe
C:\Windows\TEMP\wcgtcm.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3804

C:\ProgramData\ddmjpp\lucxub.exe
C:\ProgramData\ddmjpp\lucxub.exe start
1⤵
- Executes dropped EXE
PID:1788

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ddmjpp\lucxub.exe
Filesize
271KB

MD5
5d4833eb214c52f6b08a50ce6c4f17dd

SHA1
c7da5144c19e720cf74138e76ff4a011cfd7fa55

SHA256
dd66596565f3e21ea6a94a8b54a5c14ba82f55c80e129444831ba2fca75fd5cb

SHA512
cbc89227024d622f26b0a6ee1213c8a8b9e02bc5fad558c6a3b5afd5651bf6788a2590d98e31a930f4623dfea575d10b8256ccd696d2db03a16bedea25bba24a

Download Submit
C:\ProgramData\ddmjpp\lucxub.exe
Filesize
271KB

MD5
5d4833eb214c52f6b08a50ce6c4f17dd

SHA1
c7da5144c19e720cf74138e76ff4a011cfd7fa55

SHA256
dd66596565f3e21ea6a94a8b54a5c14ba82f55c80e129444831ba2fca75fd5cb

SHA512
cbc89227024d622f26b0a6ee1213c8a8b9e02bc5fad558c6a3b5afd5651bf6788a2590d98e31a930f4623dfea575d10b8256ccd696d2db03a16bedea25bba24a

Download Submit
C:\ProgramData\mavhhqo\vxhrlh.exe
Filesize
271KB

MD5
5d4833eb214c52f6b08a50ce6c4f17dd

SHA1
c7da5144c19e720cf74138e76ff4a011cfd7fa55

SHA256
dd66596565f3e21ea6a94a8b54a5c14ba82f55c80e129444831ba2fca75fd5cb

SHA512
cbc89227024d622f26b0a6ee1213c8a8b9e02bc5fad558c6a3b5afd5651bf6788a2590d98e31a930f4623dfea575d10b8256ccd696d2db03a16bedea25bba24a

Download Submit
C:\ProgramData\mavhhqo\vxhrlh.exe
Filesize
271KB

MD5
5d4833eb214c52f6b08a50ce6c4f17dd

SHA1
c7da5144c19e720cf74138e76ff4a011cfd7fa55

SHA256
dd66596565f3e21ea6a94a8b54a5c14ba82f55c80e129444831ba2fca75fd5cb

SHA512
cbc89227024d622f26b0a6ee1213c8a8b9e02bc5fad558c6a3b5afd5651bf6788a2590d98e31a930f4623dfea575d10b8256ccd696d2db03a16bedea25bba24a

Download Submit
C:\Windows\TEMP\wcgtcm.exe
Filesize
271KB

MD5
5d4833eb214c52f6b08a50ce6c4f17dd

SHA1
c7da5144c19e720cf74138e76ff4a011cfd7fa55

SHA256
dd66596565f3e21ea6a94a8b54a5c14ba82f55c80e129444831ba2fca75fd5cb

SHA512
cbc89227024d622f26b0a6ee1213c8a8b9e02bc5fad558c6a3b5afd5651bf6788a2590d98e31a930f4623dfea575d10b8256ccd696d2db03a16bedea25bba24a

Download Submit
C:\Windows\Tasks\vxhrlh.job
Filesize
252B

MD5
e008eedbb5374f3d90b0219dd98f8636

SHA1
49f7d7d035d6c688ce5267d86496ec8bc903dbe9

SHA256
5e76773e989139bf3c6d4c96dc5fe1172c0a4f5b7c691644ec974ce289a21db7

SHA512
9293c1936dfa48fe31f1d7ba9a037c1f5d249d7111f26acccabdc5cd29e1554aad80f59985ce49ea3cd328e94b2fc927e8d9f72589580069a7f527525eb6e835

Download Submit
C:\Windows\Temp\wcgtcm.exe
Filesize
271KB

MD5
5d4833eb214c52f6b08a50ce6c4f17dd

SHA1
c7da5144c19e720cf74138e76ff4a011cfd7fa55

SHA256
dd66596565f3e21ea6a94a8b54a5c14ba82f55c80e129444831ba2fca75fd5cb

SHA512
cbc89227024d622f26b0a6ee1213c8a8b9e02bc5fad558c6a3b5afd5651bf6788a2590d98e31a930f4623dfea575d10b8256ccd696d2db03a16bedea25bba24a

Download Submit
memory/1788-133-0x00000000006F4000-0x00000000006FD000-memory.dmp

Filesize
36KB

Download
memory/2388-115-0x0000000000490000-0x000000000053E000-memory.dmp

Filesize
696KB

Download
memory/2388-117-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/2388-116-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/3804-126-0x00000000006B4000-0x00000000006BC000-memory.dmp

Filesize
32KB

Download
memory/3804-128-0x00000000006B4000-0x00000000006BC000-memory.dmp

Filesize
32KB

Download
memory/3804-129-0x00000000004E0000-0x00000000004E9000-memory.dmp

Filesize
36KB

Download
memory/3804-130-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3848-123-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3848-120-0x0000000000784000-0x000000000078D000-memory.dmp

Filesize
36KB

Download
memory/3848-121-0x0000000000784000-0x000000000078D000-memory.dmp

Filesize
36KB

Download
memory/3848-122-0x0000000000490000-0x00000000005DA000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing