systembc | 1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f

General

Target

503506554b1cfa84d2301e262beeb1f2.exe
Size

223KB
MD5

503506554b1cfa84d2301e262beeb1f2
SHA1

7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9
SHA256

1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f
SHA512

bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

niwlbbp.exewxlkwvk.exewbteic.exe

pid process

1824 niwlbbp.exe
940 wxlkwvk.exe
5016 wbteic.exe

pid	process
1824	niwlbbp.exe
940	wxlkwvk.exe
5016	wbteic.exe

Drops file in Windows directory 5 IoCs

Processes:

wxlkwvk.exe503506554b1cfa84d2301e262beeb1f2.exeniwlbbp.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\wbteic.job	wxlkwvk.exe
File created	C:\Windows\Tasks\niwlbbp.job	503506554b1cfa84d2301e262beeb1f2.exe
File opened for modification	C:\Windows\Tasks\niwlbbp.job	503506554b1cfa84d2301e262beeb1f2.exe
File created	C:\Windows\Tasks\biumbdksgivemockwti.job	niwlbbp.exe
File created	C:\Windows\Tasks\wbteic.job	wxlkwvk.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4184 628 WerFault.exe 503506554b1cfa84d2301e262beeb1f2.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

503506554b1cfa84d2301e262beeb1f2.exewxlkwvk.exe

pid process

628 503506554b1cfa84d2301e262beeb1f2.exe
628 503506554b1cfa84d2301e262beeb1f2.exe
940 wxlkwvk.exe
940 wxlkwvk.exe

pid	pid_target	process	target process
4184	628	WerFault.exe	503506554b1cfa84d2301e262beeb1f2.exe

pid	process
628	503506554b1cfa84d2301e262beeb1f2.exe
628	503506554b1cfa84d2301e262beeb1f2.exe
940	wxlkwvk.exe
940	wxlkwvk.exe

C:\Users\Admin\AppData\Local\Temp\503506554b1cfa84d2301e262beeb1f2.exe
"C:\Users\Admin\AppData\Local\Temp\503506554b1cfa84d2301e262beeb1f2.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:628
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 628 -s 948
  2⤵
  - Program crash
  PID:4184

C:\ProgramData\tpufupa\niwlbbp.exe
C:\ProgramData\tpufupa\niwlbbp.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 628 -ip 628
1⤵
PID:2284

C:\Windows\TEMP\wxlkwvk.exe
C:\Windows\TEMP\wxlkwvk.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:940

C:\ProgramData\xpggw\wbteic.exe
C:\ProgramData\xpggw\wbteic.exe start
1⤵
- Executes dropped EXE
PID:5016

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\tpufupa\niwlbbp.exe

Filesize
223KB

MD5
503506554b1cfa84d2301e262beeb1f2

SHA1
7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9

SHA256
1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f

SHA512
bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01

Download Submit
C:\ProgramData\tpufupa\niwlbbp.exe

Filesize
223KB

MD5
503506554b1cfa84d2301e262beeb1f2

SHA1
7e6ce1ed06bd5962fdde1bebda495d9ecc9b72a9

SHA256
1e31a6de957adb7a23e155ef8e9f80e67dc763443053e0014fba9e91f4eebc6f

SHA512
bf0d9dd29b62a7ec306349a25e0eae234f060a00c81bb16bee04217c9254e66b5de6a9d0b908c8e3fca696b70350066a1e03d6cb0d9250456d005d58b23ddb01

Download Submit
C:\ProgramData\xpggw\wbteic.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
C:\ProgramData\xpggw\wbteic.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
C:\Windows\TEMP\wxlkwvk.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
C:\Windows\Tasks\niwlbbp.job

Filesize
254B

MD5
2b55f8155001973d08f4922e166679bd

SHA1
1a3e99597604cc36e9595671b4f1e9ba132c015d

SHA256
79f1c9d8970ddcf8ac132edcea64fa76cf632e64e4266f610bf19aff076707de

SHA512
c4f7192f13d9cc0eee5b18154593432e2fc1c12f4502c10e20f68aa26ca75f48076d2d3cdccd44c3f6f0a23b2570e20b39c8654ed1992002d326f1ee6b34b551

Download Submit
C:\Windows\Temp\wxlkwvk.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
memory/628-133-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/628-132-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/628-131-0x00000000006F8000-0x0000000000701000-memory.dmp

Filesize
36KB

Download
memory/628-130-0x00000000006F8000-0x0000000000701000-memory.dmp

Filesize
36KB

Download
memory/940-141-0x00000000007E5000-0x00000000007EE000-memory.dmp

Filesize
36KB

Download
memory/940-144-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/940-143-0x00000000007E5000-0x00000000007EE000-memory.dmp

Filesize
36KB

Download
memory/1824-138-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1824-137-0x0000000000785000-0x000000000078E000-memory.dmp

Filesize
36KB

Download
memory/1824-136-0x0000000000785000-0x000000000078E000-memory.dmp

Filesize
36KB

Download
memory/5016-147-0x00000000007A5000-0x00000000007AE000-memory.dmp

Filesize
36KB

Download
memory/5016-148-0x00000000007A5000-0x00000000007AE000-memory.dmp

Filesize
36KB

Download
memory/5016-149-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads