systembc | b4286bce9138f9c8fff9f8fc2eb4dcda9d48af83c62cf5ea03de48f862b301d9

General

Target

20e5ae4397a4ab132e7e8a5f316d08d3.exe
Size

231KB
MD5

20e5ae4397a4ab132e7e8a5f316d08d3
SHA1

f1a05d3426661dad12ea034ac9710c5842923df4
SHA256

b4286bce9138f9c8fff9f8fc2eb4dcda9d48af83c62cf5ea03de48f862b301d9
SHA512

5b8e49bcf0a1e40f0cde13c6f160e4008d993087bd087f320fd46fcb48d304d890c3e1e5e64b518c5466ab5536cef11dd6c5e0ba30d802e9f0da1d34bd3026fb

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

owxs.exersjx.exewctqmkw.exe

pid process

1776 owxs.exe
1612 rsjx.exe
1680 wctqmkw.exe

pid	process
1776	owxs.exe
1612	rsjx.exe
1680	wctqmkw.exe

Drops file in Windows directory 5 IoCs

Processes:

rsjx.exe20e5ae4397a4ab132e7e8a5f316d08d3.exeowxs.exe

description	ioc	process
File created	C:\Windows\Tasks\wctqmkw.job	rsjx.exe
File opened for modification	C:\Windows\Tasks\wctqmkw.job	rsjx.exe
File created	C:\Windows\Tasks\owxs.job	20e5ae4397a4ab132e7e8a5f316d08d3.exe
File opened for modification	C:\Windows\Tasks\owxs.job	20e5ae4397a4ab132e7e8a5f316d08d3.exe
File created	C:\Windows\Tasks\fdohwciqseuhvjltbbl.job	owxs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

20e5ae4397a4ab132e7e8a5f316d08d3.exersjx.exe

pid process

1632 20e5ae4397a4ab132e7e8a5f316d08d3.exe
1612 rsjx.exe

pid	process
1632	20e5ae4397a4ab132e7e8a5f316d08d3.exe
1612	rsjx.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 792 wrote to memory of 1776	792	taskeng.exe	owxs.exe
PID 792 wrote to memory of 1776	792	taskeng.exe	owxs.exe
PID 792 wrote to memory of 1776	792	taskeng.exe	owxs.exe
PID 792 wrote to memory of 1776	792	taskeng.exe	owxs.exe
PID 792 wrote to memory of 1612	792	taskeng.exe	rsjx.exe
PID 792 wrote to memory of 1612	792	taskeng.exe	rsjx.exe
PID 792 wrote to memory of 1612	792	taskeng.exe	rsjx.exe
PID 792 wrote to memory of 1612	792	taskeng.exe	rsjx.exe
PID 792 wrote to memory of 1680	792	taskeng.exe	wctqmkw.exe
PID 792 wrote to memory of 1680	792	taskeng.exe	wctqmkw.exe
PID 792 wrote to memory of 1680	792	taskeng.exe	wctqmkw.exe
PID 792 wrote to memory of 1680	792	taskeng.exe	wctqmkw.exe

C:\Users\Admin\AppData\Local\Temp\20e5ae4397a4ab132e7e8a5f316d08d3.exe
"C:\Users\Admin\AppData\Local\Temp\20e5ae4397a4ab132e7e8a5f316d08d3.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1632

C:\Windows\system32\taskeng.exe
taskeng.exe {32D602BF-40F8-43B2-B7E5-C6B67B361905} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:792
- C:\ProgramData\jemae\owxs.exe
  C:\ProgramData\jemae\owxs.exe start
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1776
- C:\Windows\TEMP\rsjx.exe
  C:\Windows\TEMP\rsjx.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1612
- C:\ProgramData\arsae\wctqmkw.exe
  C:\ProgramData\arsae\wctqmkw.exe start
  2⤵
  - Executes dropped EXE
  PID:1680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\arsae\wctqmkw.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
C:\ProgramData\arsae\wctqmkw.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
C:\ProgramData\jemae\owxs.exe

Filesize
231KB

MD5
20e5ae4397a4ab132e7e8a5f316d08d3

SHA1
f1a05d3426661dad12ea034ac9710c5842923df4

SHA256
b4286bce9138f9c8fff9f8fc2eb4dcda9d48af83c62cf5ea03de48f862b301d9

SHA512
5b8e49bcf0a1e40f0cde13c6f160e4008d993087bd087f320fd46fcb48d304d890c3e1e5e64b518c5466ab5536cef11dd6c5e0ba30d802e9f0da1d34bd3026fb

Download Submit
C:\ProgramData\jemae\owxs.exe

Filesize
231KB

MD5
20e5ae4397a4ab132e7e8a5f316d08d3

SHA1
f1a05d3426661dad12ea034ac9710c5842923df4

SHA256
b4286bce9138f9c8fff9f8fc2eb4dcda9d48af83c62cf5ea03de48f862b301d9

SHA512
5b8e49bcf0a1e40f0cde13c6f160e4008d993087bd087f320fd46fcb48d304d890c3e1e5e64b518c5466ab5536cef11dd6c5e0ba30d802e9f0da1d34bd3026fb

Download Submit
C:\Windows\TEMP\rsjx.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
C:\Windows\Tasks\owxs.job

Filesize
226B

MD5
d72229c978a5b7af90293a923b6abd3c

SHA1
3c948635d9f65edd952a205103b5ff82fe58545a

SHA256
8d15cc532919d3919bede32bbdd213fd6b67ac888b7f6844afa2684dde94345e

SHA512
84305c03fb68f3e6cf1f929b1471e6376e922713ff6cec04b4b62f7f43be9bf72f9be469caf958e42ee747f518dc5c96c83f80db70bf13fd470e3625584f17aa

Download Submit
C:\Windows\Temp\rsjx.exe

Filesize
272KB

MD5
71ebd9fd8ea9fc4e67e52546cb45b35a

SHA1
4ce5c776e627a8b13c81b99bcf6cb4bcd7f8369a

SHA256
91e432fb78409fd8fbdbc8783b3e53b0352b207c88519c8550d72237785334b6

SHA512
5ad93d5047f68e349306d8361de4fcbc1e3694ee148c08877c5ead40d3814443ea168f715f256365fc6c73ab61aec59bd5329964d2083bf9c0a46d83e89924ff

Download Submit
memory/1612-67-0x0000000000000000-mapping.dmp

Download
memory/1612-69-0x000000000058E000-0x0000000000596000-memory.dmp

Filesize
32KB

Download
memory/1612-73-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1612-72-0x000000000058E000-0x0000000000596000-memory.dmp

Filesize
32KB

Download
memory/1632-54-0x000000000062E000-0x0000000000637000-memory.dmp

Filesize
36KB

Download
memory/1632-58-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1632-56-0x000000000062E000-0x0000000000637000-memory.dmp

Filesize
36KB

Download
memory/1632-57-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1632-55-0x0000000076141000-0x0000000076143000-memory.dmp

Filesize
8KB

Download
memory/1680-75-0x0000000000000000-mapping.dmp

Download
memory/1680-77-0x000000000056E000-0x0000000000576000-memory.dmp

Filesize
32KB

Download
memory/1680-79-0x000000000056E000-0x0000000000576000-memory.dmp

Filesize
32KB

Download
memory/1680-80-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/1776-62-0x00000000005DE000-0x00000000005E7000-memory.dmp

Filesize
36KB

Download
memory/1776-60-0x0000000000000000-mapping.dmp

Download
memory/1776-65-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1776-64-0x00000000005DE000-0x00000000005E7000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing