systembc | 1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f

General

Target

503506554b1cfa84d2301e262beeb1f2.exe
Size

223KB
MD5

503506554b1cfa84d2301e262beeb1f2
SHA1

7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9
SHA256

1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f
SHA512

bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

txiqruv.exerphui.exekrbia.exe

pid process

1476 txiqruv.exe
1164 rphui.exe
1000 krbia.exe

pid	process
1476	txiqruv.exe
1164	rphui.exe
1000	krbia.exe

Drops file in Windows directory 5 IoCs

Processes:

503506554b1cfa84d2301e262beeb1f2.exetxiqruv.exerphui.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\txiqruv.job	503506554b1cfa84d2301e262beeb1f2.exe
File created	C:\Windows\Tasks\osxucagdjgmkqntqwuc.job	txiqruv.exe
File created	C:\Windows\Tasks\krbia.job	rphui.exe
File opened for modification	C:\Windows\Tasks\krbia.job	rphui.exe
File created	C:\Windows\Tasks\txiqruv.job	503506554b1cfa84d2301e262beeb1f2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

503506554b1cfa84d2301e262beeb1f2.exerphui.exe

pid process

2032 503506554b1cfa84d2301e262beeb1f2.exe
1164 rphui.exe

pid	process
2032	503506554b1cfa84d2301e262beeb1f2.exe
1164	rphui.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1684 wrote to memory of 1476	1684	taskeng.exe	txiqruv.exe
PID 1684 wrote to memory of 1476	1684	taskeng.exe	txiqruv.exe
PID 1684 wrote to memory of 1476	1684	taskeng.exe	txiqruv.exe
PID 1684 wrote to memory of 1476	1684	taskeng.exe	txiqruv.exe
PID 1684 wrote to memory of 1164	1684	taskeng.exe	rphui.exe
PID 1684 wrote to memory of 1164	1684	taskeng.exe	rphui.exe
PID 1684 wrote to memory of 1164	1684	taskeng.exe	rphui.exe
PID 1684 wrote to memory of 1164	1684	taskeng.exe	rphui.exe
PID 1684 wrote to memory of 1000	1684	taskeng.exe	krbia.exe
PID 1684 wrote to memory of 1000	1684	taskeng.exe	krbia.exe
PID 1684 wrote to memory of 1000	1684	taskeng.exe	krbia.exe
PID 1684 wrote to memory of 1000	1684	taskeng.exe	krbia.exe

C:\Users\Admin\AppData\Local\Temp\503506554b1cfa84d2301e262beeb1f2.exe
"C:\Users\Admin\AppData\Local\Temp\503506554b1cfa84d2301e262beeb1f2.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2032

C:\Windows\system32\taskeng.exe
taskeng.exe {46E1E8B5-8370-4619-BA45-C1D0FACE4711} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1684
- C:\ProgramData\dtcjqx\txiqruv.exe
  C:\ProgramData\dtcjqx\txiqruv.exe start
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1476
- C:\Windows\TEMP\rphui.exe
  C:\Windows\TEMP\rphui.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1164
- C:\ProgramData\eqbslpr\krbia.exe
  C:\ProgramData\eqbslpr\krbia.exe start
  2⤵
  - Executes dropped EXE
  PID:1000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dtcjqx\txiqruv.exe

Filesize
223KB

MD5
503506554b1cfa84d2301e262beeb1f2

SHA1
7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9

SHA256
1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f

SHA512
bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01

Download Submit
C:\ProgramData\dtcjqx\txiqruv.exe

Filesize
223KB

MD5
503506554b1cfa84d2301e262beeb1f2

SHA1
7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9

SHA256
1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f

SHA512
bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01

Download Submit
C:\ProgramData\eqbslpr\krbia.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
C:\ProgramData\eqbslpr\krbia.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
C:\Windows\TEMP\rphui.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
C:\Windows\Tasks\txiqruv.job

Filesize
234B

MD5
0d2a324ca6d9821fc312a747890bc4d5

SHA1
b1fec3158cec8469e403a5a58469a5a7124a8f62

SHA256
c1f2e926633481e0a77759f8ddb78372fcb874880c4b87f2e08b94843bcbfbc3

SHA512
6aad6a079115cefccae078f8cd717415d914edb7a78308dfbcd69561858ec2865ae23f4e06705c4f81533d168e92074d4f56cc2605dfb5713d1886769afc5be1

Download Submit
C:\Windows\Temp\rphui.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
memory/1000-80-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1000-79-0x000000000026E000-0x0000000000276000-memory.dmp

Filesize
32KB

Download
memory/1000-77-0x000000000026E000-0x0000000000276000-memory.dmp

Filesize
32KB

Download
memory/1000-75-0x0000000000000000-mapping.dmp

Download
memory/1164-72-0x0000000000230000-0x0000000000330000-memory.dmp

Filesize
1024KB

Download
memory/1164-67-0x0000000000000000-mapping.dmp

Download
memory/1164-73-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1476-65-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1476-64-0x000000000061E000-0x0000000000626000-memory.dmp

Filesize
32KB

Download
memory/1476-62-0x000000000061E000-0x0000000000626000-memory.dmp

Filesize
32KB

Download
memory/1476-60-0x0000000000000000-mapping.dmp

Download
memory/2032-54-0x000000000028E000-0x0000000000297000-memory.dmp

Filesize
36KB

Download
memory/2032-58-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2032-57-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/2032-56-0x000000000028E000-0x0000000000297000-memory.dmp

Filesize
36KB

Download
memory/2032-55-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing