systembc | aee8c9d8bee893599514f2a251f54f240968d53296ffdc64f6131f74ee9cf33a

General

Target

aee8c9d8bee893599514f2a251f54f240968d53296ffdc64f6131f74ee9cf33a.exe
Size

272KB
MD5

1522b2e0a8415d9657cdd935c27d0e82
SHA1

5fc47229d4bcaca7f1b3312421c4ddb1b9633510
SHA256

aee8c9d8bee893599514f2a251f54f240968d53296ffdc64f6131f74ee9cf33a
SHA512

aea39bc085a5b533e5beed3ee017203b1243a88eafc18963b093780aa4e3a19741a11aa4c9dd53f6dca85ff2d912bfc52e78d26da0fda2af027a9c4eedd21453

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

wnkdim.exewclgi.exegqenwge.exe

pid process

3004 wnkdim.exe
4048 wclgi.exe
3892 gqenwge.exe

pid	process
3004	wnkdim.exe
4048	wclgi.exe
3892	gqenwge.exe

Drops file in Windows directory 5 IoCs

Processes:

aee8c9d8bee893599514f2a251f54f240968d53296ffdc64f6131f74ee9cf33a.exewnkdim.exewclgi.exe

description	ioc	process
File created	C:\Windows\Tasks\wnkdim.job	aee8c9d8bee893599514f2a251f54f240968d53296ffdc64f6131f74ee9cf33a.exe
File opened for modification	C:\Windows\Tasks\wnkdim.job	aee8c9d8bee893599514f2a251f54f240968d53296ffdc64f6131f74ee9cf33a.exe
File created	C:\Windows\Tasks\lvngctiekrahrqipkag.job	wnkdim.exe
File created	C:\Windows\Tasks\gqenwge.job	wclgi.exe
File opened for modification	C:\Windows\Tasks\gqenwge.job	wclgi.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

aee8c9d8bee893599514f2a251f54f240968d53296ffdc64f6131f74ee9cf33a.exewclgi.exe

pid	process
3608	aee8c9d8bee893599514f2a251f54f240968d53296ffdc64f6131f74ee9cf33a.exe
3608	aee8c9d8bee893599514f2a251f54f240968d53296ffdc64f6131f74ee9cf33a.exe
4048	wclgi.exe
4048	wclgi.exe

C:\Users\Admin\AppData\Local\Temp\aee8c9d8bee893599514f2a251f54f240968d53296ffdc64f6131f74ee9cf33a.exe
"C:\Users\Admin\AppData\Local\Temp\aee8c9d8bee893599514f2a251f54f240968d53296ffdc64f6131f74ee9cf33a.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3608

C:\ProgramData\aquq\wnkdim.exe
C:\ProgramData\aquq\wnkdim.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3004

C:\Windows\TEMP\wclgi.exe
C:\Windows\TEMP\wclgi.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4048

C:\ProgramData\muthtx\gqenwge.exe
C:\ProgramData\muthtx\gqenwge.exe start
1⤵
- Executes dropped EXE
PID:3892

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\aquq\wnkdim.exe
Filesize
272KB

MD5
1522b2e0a8415d9657cdd935c27d0e82

SHA1
5fc47229d4bcaca7f1b3312421c4ddb1b9633510

SHA256
aee8c9d8bee893599514f2a251f54f240968d53296ffdc64f6131f74ee9cf33a

SHA512
aea39bc085a5b533e5beed3ee017203b1243a88eafc18963b093780aa4e3a19741a11aa4c9dd53f6dca85ff2d912bfc52e78d26da0fda2af027a9c4eedd21453

Download Submit
C:\ProgramData\aquq\wnkdim.exe
Filesize
272KB

MD5
1522b2e0a8415d9657cdd935c27d0e82

SHA1
5fc47229d4bcaca7f1b3312421c4ddb1b9633510

SHA256
aee8c9d8bee893599514f2a251f54f240968d53296ffdc64f6131f74ee9cf33a

SHA512
aea39bc085a5b533e5beed3ee017203b1243a88eafc18963b093780aa4e3a19741a11aa4c9dd53f6dca85ff2d912bfc52e78d26da0fda2af027a9c4eedd21453

Download Submit
C:\ProgramData\muthtx\gqenwge.exe
Filesize
272KB

MD5
1522b2e0a8415d9657cdd935c27d0e82

SHA1
5fc47229d4bcaca7f1b3312421c4ddb1b9633510

SHA256
aee8c9d8bee893599514f2a251f54f240968d53296ffdc64f6131f74ee9cf33a

SHA512
aea39bc085a5b533e5beed3ee017203b1243a88eafc18963b093780aa4e3a19741a11aa4c9dd53f6dca85ff2d912bfc52e78d26da0fda2af027a9c4eedd21453

Download Submit
C:\ProgramData\muthtx\gqenwge.exe
Filesize
272KB

MD5
1522b2e0a8415d9657cdd935c27d0e82

SHA1
5fc47229d4bcaca7f1b3312421c4ddb1b9633510

SHA256
aee8c9d8bee893599514f2a251f54f240968d53296ffdc64f6131f74ee9cf33a

SHA512
aea39bc085a5b533e5beed3ee017203b1243a88eafc18963b093780aa4e3a19741a11aa4c9dd53f6dca85ff2d912bfc52e78d26da0fda2af027a9c4eedd21453

Download Submit
C:\Windows\TEMP\wclgi.exe
Filesize
272KB

MD5
1522b2e0a8415d9657cdd935c27d0e82

SHA1
5fc47229d4bcaca7f1b3312421c4ddb1b9633510

SHA256
aee8c9d8bee893599514f2a251f54f240968d53296ffdc64f6131f74ee9cf33a

SHA512
aea39bc085a5b533e5beed3ee017203b1243a88eafc18963b093780aa4e3a19741a11aa4c9dd53f6dca85ff2d912bfc52e78d26da0fda2af027a9c4eedd21453

Download Submit
C:\Windows\Tasks\wnkdim.job
Filesize
246B

MD5
4c22f3cca5e151b3c5e499a1dfdee1ce

SHA1
8c7f8ecc775ff1c9428eea5fbe3f34208cdc75d1

SHA256
7aedd6f8d3fcb5630bb6901a0b9355abfece9f10fd63a1d6a0eeb71b08fc9271

SHA512
66f47d85ff0b178f7cf31440c91a7f31fb766f562e1e0fb0e0bfcb9c9a833e4efa564cf90c17d7293ca186542cdf0554fa75a35230eb5ea02f723919d8705a9c

Download Submit
C:\Windows\Temp\wclgi.exe
Filesize
272KB

MD5
1522b2e0a8415d9657cdd935c27d0e82

SHA1
5fc47229d4bcaca7f1b3312421c4ddb1b9633510

SHA256
aee8c9d8bee893599514f2a251f54f240968d53296ffdc64f6131f74ee9cf33a

SHA512
aea39bc085a5b533e5beed3ee017203b1243a88eafc18963b093780aa4e3a19741a11aa4c9dd53f6dca85ff2d912bfc52e78d26da0fda2af027a9c4eedd21453

Download Submit
memory/3004-123-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3004-120-0x0000000000712000-0x000000000071B000-memory.dmp

Filesize
36KB

Download
memory/3004-122-0x0000000000490000-0x00000000005DA000-memory.dmp

Filesize
1.3MB

Download
memory/3004-121-0x0000000000712000-0x000000000071B000-memory.dmp

Filesize
36KB

Download
memory/3608-115-0x0000000000500000-0x000000000064A000-memory.dmp

Filesize
1.3MB

Download
memory/3608-117-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/3608-116-0x00000000004E0000-0x00000000004E9000-memory.dmp

Filesize
36KB

Download
memory/3892-132-0x00000000006D2000-0x00000000006DB000-memory.dmp

Filesize
36KB

Download
memory/3892-133-0x00000000006D2000-0x00000000006DB000-memory.dmp

Filesize
36KB

Download
memory/3892-134-0x00000000004F0000-0x000000000063A000-memory.dmp

Filesize
1.3MB

Download
memory/3892-135-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download
memory/4048-128-0x00000000004E0000-0x000000000062A000-memory.dmp

Filesize
1.3MB

Download
memory/4048-129-0x0000000000400000-0x0000000000487000-memory.dmp

Filesize
540KB

Download

Analysis

Sharing