systembc | 4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24

General

Target

477079b5846088b1e126ae08735d36c1.exe
Size

227KB
MD5

477079b5846088b1e126ae08735d36c1
SHA1

8f26d9582fa44498f7a6abb17e45554ca115ab79
SHA256

4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24
SHA512

2520257f0a333821d0f39f4db811b422c8cb1d48869a237c39d40fbcd3c49822e17d48d9c854daee807bae2b9b0c2487576e93ccdbff947e82d9cd537c3f58c7

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

iwors.exekdwq.exesqiqhxh.exe

pid process

528 iwors.exe
1200 kdwq.exe
988 sqiqhxh.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.ipify.org
7 api.ipify.org
8 api.ipify.org

pid	process
528	iwors.exe
1200	kdwq.exe
988	sqiqhxh.exe

flow	ioc
9	api.ipify.org
7	api.ipify.org
8	api.ipify.org

Drops file in Windows directory 5 IoCs

Processes:

iwors.exekdwq.exe477079b5846088b1e126ae08735d36c1.exe

description	ioc	process
File created	C:\Windows\Tasks\fshvnqomkedvtntjxjh.job	iwors.exe
File created	C:\Windows\Tasks\sqiqhxh.job	kdwq.exe
File opened for modification	C:\Windows\Tasks\sqiqhxh.job	kdwq.exe
File created	C:\Windows\Tasks\iwors.job	477079b5846088b1e126ae08735d36c1.exe
File opened for modification	C:\Windows\Tasks\iwors.job	477079b5846088b1e126ae08735d36c1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

477079b5846088b1e126ae08735d36c1.exekdwq.exe

pid process

1972 477079b5846088b1e126ae08735d36c1.exe
1200 kdwq.exe

pid	process
1972	477079b5846088b1e126ae08735d36c1.exe
1200	kdwq.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 588 wrote to memory of 528	588	taskeng.exe	iwors.exe
PID 588 wrote to memory of 528	588	taskeng.exe	iwors.exe
PID 588 wrote to memory of 528	588	taskeng.exe	iwors.exe
PID 588 wrote to memory of 528	588	taskeng.exe	iwors.exe
PID 588 wrote to memory of 1200	588	taskeng.exe	kdwq.exe
PID 588 wrote to memory of 1200	588	taskeng.exe	kdwq.exe
PID 588 wrote to memory of 1200	588	taskeng.exe	kdwq.exe
PID 588 wrote to memory of 1200	588	taskeng.exe	kdwq.exe
PID 588 wrote to memory of 988	588	taskeng.exe	sqiqhxh.exe
PID 588 wrote to memory of 988	588	taskeng.exe	sqiqhxh.exe
PID 588 wrote to memory of 988	588	taskeng.exe	sqiqhxh.exe
PID 588 wrote to memory of 988	588	taskeng.exe	sqiqhxh.exe

C:\Users\Admin\AppData\Local\Temp\477079b5846088b1e126ae08735d36c1.exe
"C:\Users\Admin\AppData\Local\Temp\477079b5846088b1e126ae08735d36c1.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1972

C:\Windows\system32\taskeng.exe
taskeng.exe {0C10CC04-5E2D-42FE-9B3A-291C4C2EE762} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\ProgramData\fxnuen\iwors.exe
C:\ProgramData\fxnuen\iwors.exe start
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:528

C:\Windows\TEMP\kdwq.exe
C:\Windows\TEMP\kdwq.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1200

C:\ProgramData\bqthc\sqiqhxh.exe
C:\ProgramData\bqthc\sqiqhxh.exe start
2⤵
- Executes dropped EXE
PID:988

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bqthc\sqiqhxh.exe
Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
C:\ProgramData\bqthc\sqiqhxh.exe
Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
C:\ProgramData\fxnuen\iwors.exe
Filesize
227KB

MD5
477079b5846088b1e126ae08735d36c1

SHA1
8f26d9582fa44498f7a6abb17e45554ca115ab79

SHA256
4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24

SHA512
2520257f0a333821d0f39f4db811b422c8cb1d48869a237c39d40fbcd3c49822e17d48d9c854daee807bae2b9b0c2487576e93ccdbff947e82d9cd537c3f58c7

Download Submit
C:\ProgramData\fxnuen\iwors.exe
Filesize
227KB

MD5
477079b5846088b1e126ae08735d36c1

SHA1
8f26d9582fa44498f7a6abb17e45554ca115ab79

SHA256
4d62a012bd9a4700b2a0bc7143151eeaf12d1eb88bb8b02701902168cd42ce24

SHA512
2520257f0a333821d0f39f4db811b422c8cb1d48869a237c39d40fbcd3c49822e17d48d9c854daee807bae2b9b0c2487576e93ccdbff947e82d9cd537c3f58c7

Download Submit
C:\Windows\TEMP\kdwq.exe
Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
C:\Windows\Tasks\iwors.job
Filesize
230B

MD5
dec4fd36eb86c81f704d926b55ff1fa6

SHA1
a5e268f8a85edadf283ae43924b34a3af3127682

SHA256
a6caa0dedb874c741c59725e295dde17bb095ce51df9543abcb84ee5898b38b6

SHA512
6f692330472a7057996295faf0d9d4c6f4866f12e4fa4543c52703a05e53110201eec1c9f700d135c3bfe453b391610e584dce7a31933e04c5f885e378e92b9e

Download Submit
C:\Windows\Temp\kdwq.exe
Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
memory/528-60-0x0000000000000000-mapping.dmp

Download
memory/528-62-0x000000000063E000-0x0000000000646000-memory.dmp

Filesize
32KB

Download
memory/528-65-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/528-64-0x000000000063E000-0x0000000000646000-memory.dmp

Filesize
32KB

Download
memory/528-66-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/988-76-0x0000000000000000-mapping.dmp

Download
memory/988-78-0x000000000051E000-0x0000000000526000-memory.dmp

Filesize
32KB

Download
memory/988-80-0x000000000051E000-0x0000000000526000-memory.dmp

Filesize
32KB

Download
memory/988-81-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1200-68-0x0000000000000000-mapping.dmp

Download
memory/1200-70-0x000000000052E000-0x0000000000536000-memory.dmp

Filesize
32KB

Download
memory/1200-73-0x000000000052E000-0x0000000000536000-memory.dmp

Filesize
32KB

Download
memory/1200-74-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1972-54-0x000000000030E000-0x0000000000316000-memory.dmp

Filesize
32KB

Download
memory/1972-57-0x0000000076BC1000-0x0000000076BC3000-memory.dmp

Filesize
8KB

Download
memory/1972-56-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/1972-58-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1972-55-0x000000000030E000-0x0000000000316000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing