systembc | 00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555

General

Target

b3f12e9d8014c04bd829bcff42b91186.exe
Size

230KB
MD5

b3f12e9d8014c04bd829bcff42b91186
SHA1

e64f8b6f9092808e8049cbd9c2fe070736db2bcc
SHA256

00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555
SHA512

801a0ea4bdad8a1d249fb5001eff9424bc03832097a696b4a462e80146ac7d2aa7907bd50535af1c231c74271b7991e431a45d69da3914c7181e061891f90281

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

jvsovf.execofupgf.exesspdl.exe

pid process

1964 jvsovf.exe
1984 cofupgf.exe
1560 sspdl.exe

pid	process
1964	jvsovf.exe
1984	cofupgf.exe
1560	sspdl.exe

Drops file in Windows directory 5 IoCs

Processes:

b3f12e9d8014c04bd829bcff42b91186.exejvsovf.execofupgf.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\jvsovf.job	b3f12e9d8014c04bd829bcff42b91186.exe
File created	C:\Windows\Tasks\saxedqtmleruruncgxg.job	jvsovf.exe
File created	C:\Windows\Tasks\sspdl.job	cofupgf.exe
File opened for modification	C:\Windows\Tasks\sspdl.job	cofupgf.exe
File created	C:\Windows\Tasks\jvsovf.job	b3f12e9d8014c04bd829bcff42b91186.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b3f12e9d8014c04bd829bcff42b91186.execofupgf.exe

pid process

1924 b3f12e9d8014c04bd829bcff42b91186.exe
1984 cofupgf.exe

pid	process
1924	b3f12e9d8014c04bd829bcff42b91186.exe
1984	cofupgf.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 588 wrote to memory of 1964	588	taskeng.exe	jvsovf.exe
PID 588 wrote to memory of 1964	588	taskeng.exe	jvsovf.exe
PID 588 wrote to memory of 1964	588	taskeng.exe	jvsovf.exe
PID 588 wrote to memory of 1964	588	taskeng.exe	jvsovf.exe
PID 588 wrote to memory of 1984	588	taskeng.exe	cofupgf.exe
PID 588 wrote to memory of 1984	588	taskeng.exe	cofupgf.exe
PID 588 wrote to memory of 1984	588	taskeng.exe	cofupgf.exe
PID 588 wrote to memory of 1984	588	taskeng.exe	cofupgf.exe
PID 588 wrote to memory of 1560	588	taskeng.exe	sspdl.exe
PID 588 wrote to memory of 1560	588	taskeng.exe	sspdl.exe
PID 588 wrote to memory of 1560	588	taskeng.exe	sspdl.exe
PID 588 wrote to memory of 1560	588	taskeng.exe	sspdl.exe

C:\Users\Admin\AppData\Local\Temp\b3f12e9d8014c04bd829bcff42b91186.exe
"C:\Users\Admin\AppData\Local\Temp\b3f12e9d8014c04bd829bcff42b91186.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1924

C:\Windows\system32\taskeng.exe
taskeng.exe {25533CB1-F866-4B18-B494-FF39F1269C18} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:588
- C:\ProgramData\kwogark\jvsovf.exe
  C:\ProgramData\kwogark\jvsovf.exe start
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1964
- C:\Windows\TEMP\cofupgf.exe
  C:\Windows\TEMP\cofupgf.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1984
- C:\ProgramData\xvkij\sspdl.exe
  C:\ProgramData\xvkij\sspdl.exe start
  2⤵
  - Executes dropped EXE
  PID:1560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kwogark\jvsovf.exe

Filesize
230KB

MD5
b3f12e9d8014c04bd829bcff42b91186

SHA1
e64f8b6f9092808e8049cbd9c2fe070736db2bcc

SHA256
00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555

SHA512
801a0ea4bdad8a1d249fb5001eff9424bc03832097a696b4a462e80146ac7d2aa7907bd50535af1c231c74271b7991e431a45d69da3914c7181e061891f90281

Download Submit
C:\ProgramData\kwogark\jvsovf.exe

Filesize
230KB

MD5
b3f12e9d8014c04bd829bcff42b91186

SHA1
e64f8b6f9092808e8049cbd9c2fe070736db2bcc

SHA256
00d563277c832ba6a0d12f7b32f5ba19aac623bfaaabc8837d47bd6e985cd555

SHA512
801a0ea4bdad8a1d249fb5001eff9424bc03832097a696b4a462e80146ac7d2aa7907bd50535af1c231c74271b7991e431a45d69da3914c7181e061891f90281

Download Submit
C:\ProgramData\xvkij\sspdl.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
C:\ProgramData\xvkij\sspdl.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
C:\Windows\TEMP\cofupgf.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
C:\Windows\Tasks\jvsovf.job

Filesize
234B

MD5
361301c4d2f4e613b24f7a114a1c1752

SHA1
58adba76979246b7d18efbc3af4d6ca9967110ee

SHA256
93717771a74c39eb593d1b7707390856059b104d90e95e8e4e678e055e17a3f6

SHA512
abc16f8e3f72df66354972f7e99aeef9415b21d592cbf07d325c4a7e9cf1d02a99506b04c76a64662e48119a8b158359005eaa805302819aa67cf8d755e77945

Download Submit
C:\Windows\Temp\cofupgf.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
memory/1560-75-0x0000000000000000-mapping.dmp

Download
memory/1560-80-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1560-79-0x00000000002EE000-0x00000000002F6000-memory.dmp

Filesize
32KB

Download
memory/1560-77-0x00000000002EE000-0x00000000002F6000-memory.dmp

Filesize
32KB

Download
memory/1924-54-0x000000000057E000-0x0000000000587000-memory.dmp

Filesize
36KB

Download
memory/1924-58-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1924-57-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1924-56-0x000000000057E000-0x0000000000587000-memory.dmp

Filesize
36KB

Download
memory/1924-55-0x0000000074F31000-0x0000000074F33000-memory.dmp

Filesize
8KB

Download
memory/1964-60-0x0000000000000000-mapping.dmp

Download
memory/1964-65-0x0000000000400000-0x000000000047C000-memory.dmp

Filesize
496KB

Download
memory/1964-64-0x00000000008FE000-0x0000000000906000-memory.dmp

Filesize
32KB

Download
memory/1964-62-0x00000000008FE000-0x0000000000906000-memory.dmp

Filesize
32KB

Download
memory/1984-73-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1984-72-0x00000000002EE000-0x00000000002F6000-memory.dmp

Filesize
32KB

Download
memory/1984-69-0x00000000002EE000-0x00000000002F6000-memory.dmp

Filesize
32KB

Download
memory/1984-67-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing