systembc | b4286bce9138f9c8fff9f8fc2eb4dcda9d48af83c62cf5ea03de48f862b301d9

General

Target

20e5ae4397a4ab132e7e8a5f316d08d3.exe
Size

231KB
MD5

20e5ae4397a4ab132e7e8a5f316d08d3
SHA1

f1a05d3426661dad12ea034ac9710c5842923df4
SHA256

b4286bce9138f9c8fff9f8fc2eb4dcda9d48af83c62cf5ea03de48f862b301d9
SHA512

5b8e49bcf0a1e40f0cde13c6f160e4008d993087bd087f320fd46fcb48d304d890c3e1e5e64b518c5466ab5536cef11dd6c5e0ba30d802e9f0da1d34bd3026fb

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

jkptn.exexrexwox.exetjsk.exe

pid process

2560 jkptn.exe
388 xrexwox.exe
228 tjsk.exe

pid	process
2560	jkptn.exe
388	xrexwox.exe
228	tjsk.exe

Drops file in Windows directory 5 IoCs

Processes:

jkptn.exexrexwox.exe20e5ae4397a4ab132e7e8a5f316d08d3.exe

description	ioc	process
File created	C:\Windows\Tasks\sqhupenqlajmiugieqp.job	jkptn.exe
File created	C:\Windows\Tasks\tjsk.job	xrexwox.exe
File opened for modification	C:\Windows\Tasks\tjsk.job	xrexwox.exe
File created	C:\Windows\Tasks\jkptn.job	20e5ae4397a4ab132e7e8a5f316d08d3.exe
File opened for modification	C:\Windows\Tasks\jkptn.job	20e5ae4397a4ab132e7e8a5f316d08d3.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2484 1648 WerFault.exe 20e5ae4397a4ab132e7e8a5f316d08d3.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

20e5ae4397a4ab132e7e8a5f316d08d3.exexrexwox.exe

pid process

1648 20e5ae4397a4ab132e7e8a5f316d08d3.exe
1648 20e5ae4397a4ab132e7e8a5f316d08d3.exe
388 xrexwox.exe
388 xrexwox.exe

pid	pid_target	process	target process
2484	1648	WerFault.exe	20e5ae4397a4ab132e7e8a5f316d08d3.exe

pid	process
1648	20e5ae4397a4ab132e7e8a5f316d08d3.exe
1648	20e5ae4397a4ab132e7e8a5f316d08d3.exe
388	xrexwox.exe
388	xrexwox.exe

C:\Users\Admin\AppData\Local\Temp\20e5ae4397a4ab132e7e8a5f316d08d3.exe
"C:\Users\Admin\AppData\Local\Temp\20e5ae4397a4ab132e7e8a5f316d08d3.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 484
  2⤵
  - Program crash
  PID:2484

C:\ProgramData\abxljh\jkptn.exe
C:\ProgramData\abxljh\jkptn.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1648 -ip 1648
1⤵
PID:2360

C:\Windows\TEMP\xrexwox.exe
C:\Windows\TEMP\xrexwox.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:388

C:\ProgramData\wuikj\tjsk.exe
C:\ProgramData\wuikj\tjsk.exe start
1⤵
- Executes dropped EXE
PID:228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\abxljh\jkptn.exe

Filesize
231KB

MD5
20e5ae4397a4ab132e7e8a5f316d08d3

SHA1
f1a05d3426661dad12ea034ac9710c5842923df4

SHA256
b4286bce9138f9c8fff9f8fc2eb4dcda9d48af83c62cf5ea03de48f862b301d9

SHA512
5b8e49bcf0a1e40f0cde13c6f160e4008d993087bd087f320fd46fcb48d304d890c3e1e5e64b518c5466ab5536cef11dd6c5e0ba30d802e9f0da1d34bd3026fb

Download Submit
C:\ProgramData\abxljh\jkptn.exe

Filesize
231KB

MD5
20e5ae4397a4ab132e7e8a5f316d08d3

SHA1
f1a05d3426661dad12ea034ac9710c5842923df4

SHA256
b4286bce9138f9c8fff9f8fc2eb4dcda9d48af83c62cf5ea03de48f862b301d9

SHA512
5b8e49bcf0a1e40f0cde13c6f160e4008d993087bd087f320fd46fcb48d304d890c3e1e5e64b518c5466ab5536cef11dd6c5e0ba30d802e9f0da1d34bd3026fb

Download Submit
C:\ProgramData\wuikj\tjsk.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
C:\ProgramData\wuikj\tjsk.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
C:\Windows\TEMP\xrexwox.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
C:\Windows\Tasks\jkptn.job

Filesize
248B

MD5
389d9f06810efd0b30570506eab6d95d

SHA1
55bdcfaf584757166afd55c5cfdb0b49499f855f

SHA256
a6784c72c41632d4326a96522cecac41e6e5eeab6fa5008b00bf7a052ff9b6bb

SHA512
218a981d6fc5738df7be63b62a883d1964dce7ba5d61d61aa167174ff07a6f13a1dff83824bd2654e2d660f50678e6838d036c05d7f246919ffe5e39ead96764

Download Submit
C:\Windows\Temp\xrexwox.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
memory/228-149-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/228-148-0x0000000000490000-0x0000000000590000-memory.dmp

Filesize
1024KB

Download
memory/388-143-0x0000000000635000-0x000000000063E000-memory.dmp

Filesize
36KB

Download
memory/388-144-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/388-141-0x0000000000635000-0x000000000063E000-memory.dmp

Filesize
36KB

Download
memory/1648-130-0x000000000071C000-0x0000000000725000-memory.dmp

Filesize
36KB

Download
memory/1648-133-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1648-132-0x00000000005C0000-0x00000000005C9000-memory.dmp

Filesize
36KB

Download
memory/1648-131-0x000000000071C000-0x0000000000725000-memory.dmp

Filesize
36KB

Download
memory/2560-136-0x00000000007D9000-0x00000000007E2000-memory.dmp

Filesize
36KB

Download
memory/2560-138-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2560-137-0x00000000007D9000-0x00000000007E2000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads