systembc | ccf5024d721389d85047dde2144af0ca66cef5d3e1d2dc92f0481cba06566eda

General

Target

ccf5024d721389d85047dde2144af0ca66cef5d3e1d2dc92f0481cba06566eda.exe
Size

252KB
MD5

f9adf82323820ff0466e38db24769eb1
SHA1

b8e9af14c5546bf2a944f1a803cce1b725b67e57
SHA256

ccf5024d721389d85047dde2144af0ca66cef5d3e1d2dc92f0481cba06566eda
SHA512

1be76d81e8af31b4acfda7e5342798301ab0f086a760ed04b491fad253c342a57468f1470d163072300878a83aa415640477620d7de737c761637ab6cda547eb

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

wwcne.exeauddixx.exesidh.exe

pid process

3900 wwcne.exe
1380 auddixx.exe
3792 sidh.exe

pid	process
3900	wwcne.exe
1380	auddixx.exe
3792	sidh.exe

Drops file in Windows directory 5 IoCs

Processes:

auddixx.execcf5024d721389d85047dde2144af0ca66cef5d3e1d2dc92f0481cba06566eda.exewwcne.exe

description	ioc	process
File created	C:\Windows\Tasks\sidh.job	auddixx.exe
File opened for modification	C:\Windows\Tasks\sidh.job	auddixx.exe
File created	C:\Windows\Tasks\wwcne.job	ccf5024d721389d85047dde2144af0ca66cef5d3e1d2dc92f0481cba06566eda.exe
File opened for modification	C:\Windows\Tasks\wwcne.job	ccf5024d721389d85047dde2144af0ca66cef5d3e1d2dc92f0481cba06566eda.exe
File created	C:\Windows\Tasks\cvrecrggttiigvkkxxm.job	wwcne.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ccf5024d721389d85047dde2144af0ca66cef5d3e1d2dc92f0481cba06566eda.exeauddixx.exe

pid	process
4012	ccf5024d721389d85047dde2144af0ca66cef5d3e1d2dc92f0481cba06566eda.exe
4012	ccf5024d721389d85047dde2144af0ca66cef5d3e1d2dc92f0481cba06566eda.exe
1380	auddixx.exe
1380	auddixx.exe

C:\Users\Admin\AppData\Local\Temp\ccf5024d721389d85047dde2144af0ca66cef5d3e1d2dc92f0481cba06566eda.exe
"C:\Users\Admin\AppData\Local\Temp\ccf5024d721389d85047dde2144af0ca66cef5d3e1d2dc92f0481cba06566eda.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4012

C:\ProgramData\nrtfpvh\wwcne.exe
C:\ProgramData\nrtfpvh\wwcne.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3900

C:\Windows\TEMP\auddixx.exe
C:\Windows\TEMP\auddixx.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1380

C:\ProgramData\cxplvql\sidh.exe
C:\ProgramData\cxplvql\sidh.exe start
1⤵
- Executes dropped EXE
PID:3792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cxplvql\sidh.exe

Filesize
252KB

MD5
f9adf82323820ff0466e38db24769eb1

SHA1
b8e9af14c5546bf2a944f1a803cce1b725b67e57

SHA256
ccf5024d721389d85047dde2144af0ca66cef5d3e1d2dc92f0481cba06566eda

SHA512
1be76d81e8af31b4acfda7e5342798301ab0f086a760ed04b491fad253c342a57468f1470d163072300878a83aa415640477620d7de737c761637ab6cda547eb

Download Submit
C:\ProgramData\cxplvql\sidh.exe

Filesize
252KB

MD5
f9adf82323820ff0466e38db24769eb1

SHA1
b8e9af14c5546bf2a944f1a803cce1b725b67e57

SHA256
ccf5024d721389d85047dde2144af0ca66cef5d3e1d2dc92f0481cba06566eda

SHA512
1be76d81e8af31b4acfda7e5342798301ab0f086a760ed04b491fad253c342a57468f1470d163072300878a83aa415640477620d7de737c761637ab6cda547eb

Download Submit
C:\ProgramData\nrtfpvh\wwcne.exe

Filesize
252KB

MD5
f9adf82323820ff0466e38db24769eb1

SHA1
b8e9af14c5546bf2a944f1a803cce1b725b67e57

SHA256
ccf5024d721389d85047dde2144af0ca66cef5d3e1d2dc92f0481cba06566eda

SHA512
1be76d81e8af31b4acfda7e5342798301ab0f086a760ed04b491fad253c342a57468f1470d163072300878a83aa415640477620d7de737c761637ab6cda547eb

Download Submit
C:\ProgramData\nrtfpvh\wwcne.exe

Filesize
252KB

MD5
f9adf82323820ff0466e38db24769eb1

SHA1
b8e9af14c5546bf2a944f1a803cce1b725b67e57

SHA256
ccf5024d721389d85047dde2144af0ca66cef5d3e1d2dc92f0481cba06566eda

SHA512
1be76d81e8af31b4acfda7e5342798301ab0f086a760ed04b491fad253c342a57468f1470d163072300878a83aa415640477620d7de737c761637ab6cda547eb

Download Submit
C:\Windows\TEMP\auddixx.exe

Filesize
252KB

MD5
f9adf82323820ff0466e38db24769eb1

SHA1
b8e9af14c5546bf2a944f1a803cce1b725b67e57

SHA256
ccf5024d721389d85047dde2144af0ca66cef5d3e1d2dc92f0481cba06566eda

SHA512
1be76d81e8af31b4acfda7e5342798301ab0f086a760ed04b491fad253c342a57468f1470d163072300878a83aa415640477620d7de737c761637ab6cda547eb

Download Submit
C:\Windows\Tasks\wwcne.job

Filesize
250B

MD5
56a16ca00f238beefbf8f1cd9e6b3e9f

SHA1
76ecfc77418bdc9a1c9909a79fb7a9f015336ab2

SHA256
77974c3ced3da67a03f1bb0ea3bc01362a3dfb65b281b8bbd2bdfa65e1ff43bd

SHA512
32e4beddde3a6d9e5f644191e9b42ba6555ffb66ab0997d559537236dd7daa98733afca43f9db3d8d511758f4643a20fe4e71be6d65ead1a6193a63628d54099

Download Submit
C:\Windows\Temp\auddixx.exe

Filesize
252KB

MD5
f9adf82323820ff0466e38db24769eb1

SHA1
b8e9af14c5546bf2a944f1a803cce1b725b67e57

SHA256
ccf5024d721389d85047dde2144af0ca66cef5d3e1d2dc92f0481cba06566eda

SHA512
1be76d81e8af31b4acfda7e5342798301ab0f086a760ed04b491fad253c342a57468f1470d163072300878a83aa415640477620d7de737c761637ab6cda547eb

Download Submit
memory/1380-126-0x00000000007C1000-0x00000000007D1000-memory.dmp

Filesize
64KB

Download
memory/1380-128-0x00000000007C1000-0x00000000007D1000-memory.dmp

Filesize
64KB

Download
memory/1380-129-0x0000000000470000-0x00000000005BA000-memory.dmp

Filesize
1.3MB

Download
memory/1380-130-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3792-134-0x00000000004F0000-0x000000000059E000-memory.dmp

Filesize
696KB

Download
memory/3792-135-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3900-122-0x0000000000470000-0x000000000051E000-memory.dmp

Filesize
696KB

Download
memory/3900-123-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3900-121-0x0000000000691000-0x00000000006A1000-memory.dmp

Filesize
64KB

Download
memory/3900-120-0x0000000000691000-0x00000000006A1000-memory.dmp

Filesize
64KB

Download
memory/4012-114-0x00000000006E6000-0x00000000006F6000-memory.dmp

Filesize
64KB

Download
memory/4012-115-0x00000000006E6000-0x00000000006F6000-memory.dmp

Filesize
64KB

Download
memory/4012-116-0x00000000004C0000-0x00000000004C9000-memory.dmp

Filesize
36KB

Download
memory/4012-117-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing