systembc | ed0acb83931bb187cd2f499b5bb3cdfae3530319ad51c968e57b3506a885ba97

General

Target

ed0acb83931bb187cd2f499b5bb3cdfae3530319ad51c968e57b3506a885ba97.exe
Size

252KB
MD5

61a1f58f5cbd7f4ca0bbd4d60435a376
SHA1

ce00e1a8efae69ba71cee648ad5a6a26ed51a43f
SHA256

ed0acb83931bb187cd2f499b5bb3cdfae3530319ad51c968e57b3506a885ba97
SHA512

ebff9997e9a9f9916b9ce67725e428abe4eb6f6bc6b866b84f8b53954c9dd94393c5e84a930371b40d4ca7fd1fc1e6a04d242bf45be670de46e22760af29b447

Score

10^/10

systembc suricata trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata: ET MALWARE Win32/SystemBC CnC Checkin
suricata
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

peuxxk.exeebub.exetkogetr.exe

pid process

4172 peuxxk.exe
2988 ebub.exe
4596 tkogetr.exe

pid	process
4172	peuxxk.exe
2988	ebub.exe
4596	tkogetr.exe

Drops file in Windows directory 5 IoCs

Processes:

ed0acb83931bb187cd2f499b5bb3cdfae3530319ad51c968e57b3506a885ba97.exepeuxxk.exeebub.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\peuxxk.job	ed0acb83931bb187cd2f499b5bb3cdfae3530319ad51c968e57b3506a885ba97.exe
File created	C:\Windows\Tasks\iwlliumaqjvnfwkcslx.job	peuxxk.exe
File created	C:\Windows\Tasks\tkogetr.job	ebub.exe
File opened for modification	C:\Windows\Tasks\tkogetr.job	ebub.exe
File created	C:\Windows\Tasks\peuxxk.job	ed0acb83931bb187cd2f499b5bb3cdfae3530319ad51c968e57b3506a885ba97.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1784 3592 WerFault.exe ed0acb83931bb187cd2f499b5bb3cdfae3530319ad51c968e57b3506a885ba97.exe

pid	pid_target	process	target process
1784	3592	WerFault.exe	ed0acb83931bb187cd2f499b5bb3cdfae3530319ad51c968e57b3506a885ba97.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

ed0acb83931bb187cd2f499b5bb3cdfae3530319ad51c968e57b3506a885ba97.exeebub.exe

pid	process
3592	ed0acb83931bb187cd2f499b5bb3cdfae3530319ad51c968e57b3506a885ba97.exe
3592	ed0acb83931bb187cd2f499b5bb3cdfae3530319ad51c968e57b3506a885ba97.exe
2988	ebub.exe
2988	ebub.exe

C:\Users\Admin\AppData\Local\Temp\ed0acb83931bb187cd2f499b5bb3cdfae3530319ad51c968e57b3506a885ba97.exe
"C:\Users\Admin\AppData\Local\Temp\ed0acb83931bb187cd2f499b5bb3cdfae3530319ad51c968e57b3506a885ba97.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:3592
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3592 -s 948
  2⤵
  - Program crash
  PID:1784

C:\ProgramData\fdkn\peuxxk.exe
C:\ProgramData\fdkn\peuxxk.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3592 -ip 3592
1⤵
PID:5072

C:\Windows\TEMP\ebub.exe
C:\Windows\TEMP\ebub.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2988

C:\ProgramData\wvsn\tkogetr.exe
C:\ProgramData\wvsn\tkogetr.exe start
1⤵
- Executes dropped EXE
PID:4596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fdkn\peuxxk.exe

Filesize
252KB

MD5
61a1f58f5cbd7f4ca0bbd4d60435a376

SHA1
ce00e1a8efae69ba71cee648ad5a6a26ed51a43f

SHA256
ed0acb83931bb187cd2f499b5bb3cdfae3530319ad51c968e57b3506a885ba97

SHA512
ebff9997e9a9f9916b9ce67725e428abe4eb6f6bc6b866b84f8b53954c9dd94393c5e84a930371b40d4ca7fd1fc1e6a04d242bf45be670de46e22760af29b447

Download Submit
C:\ProgramData\fdkn\peuxxk.exe

Filesize
252KB

MD5
61a1f58f5cbd7f4ca0bbd4d60435a376

SHA1
ce00e1a8efae69ba71cee648ad5a6a26ed51a43f

SHA256
ed0acb83931bb187cd2f499b5bb3cdfae3530319ad51c968e57b3506a885ba97

SHA512
ebff9997e9a9f9916b9ce67725e428abe4eb6f6bc6b866b84f8b53954c9dd94393c5e84a930371b40d4ca7fd1fc1e6a04d242bf45be670de46e22760af29b447

Download Submit
C:\ProgramData\wvsn\tkogetr.exe

Filesize
252KB

MD5
61a1f58f5cbd7f4ca0bbd4d60435a376

SHA1
ce00e1a8efae69ba71cee648ad5a6a26ed51a43f

SHA256
ed0acb83931bb187cd2f499b5bb3cdfae3530319ad51c968e57b3506a885ba97

SHA512
ebff9997e9a9f9916b9ce67725e428abe4eb6f6bc6b866b84f8b53954c9dd94393c5e84a930371b40d4ca7fd1fc1e6a04d242bf45be670de46e22760af29b447

Download Submit
C:\ProgramData\wvsn\tkogetr.exe

Filesize
252KB

MD5
61a1f58f5cbd7f4ca0bbd4d60435a376

SHA1
ce00e1a8efae69ba71cee648ad5a6a26ed51a43f

SHA256
ed0acb83931bb187cd2f499b5bb3cdfae3530319ad51c968e57b3506a885ba97

SHA512
ebff9997e9a9f9916b9ce67725e428abe4eb6f6bc6b866b84f8b53954c9dd94393c5e84a930371b40d4ca7fd1fc1e6a04d242bf45be670de46e22760af29b447

Download Submit
C:\Windows\TEMP\ebub.exe

Filesize
252KB

MD5
61a1f58f5cbd7f4ca0bbd4d60435a376

SHA1
ce00e1a8efae69ba71cee648ad5a6a26ed51a43f

SHA256
ed0acb83931bb187cd2f499b5bb3cdfae3530319ad51c968e57b3506a885ba97

SHA512
ebff9997e9a9f9916b9ce67725e428abe4eb6f6bc6b866b84f8b53954c9dd94393c5e84a930371b40d4ca7fd1fc1e6a04d242bf45be670de46e22760af29b447

Download Submit
C:\Windows\Tasks\peuxxk.job

Filesize
246B

MD5
392a3fecada61c7823e44cb44c8da5fd

SHA1
681fa7b51ff5c52c5fecbb1f24c95e6470887cc4

SHA256
b44a5681903503f176914b14ae4c5356c1cad98e2faec18f3478fe907ac7bf9a

SHA512
962e24b296474409e9d1845b4b68b092e66c2dc3cedc53731d64613107f9031b612eb5bdaee41a5ee41d64cd6727860761eeb4342f1f725d5e9066c2b4df8162

Download Submit
C:\Windows\Temp\ebub.exe

Filesize
252KB

MD5
61a1f58f5cbd7f4ca0bbd4d60435a376

SHA1
ce00e1a8efae69ba71cee648ad5a6a26ed51a43f

SHA256
ed0acb83931bb187cd2f499b5bb3cdfae3530319ad51c968e57b3506a885ba97

SHA512
ebff9997e9a9f9916b9ce67725e428abe4eb6f6bc6b866b84f8b53954c9dd94393c5e84a930371b40d4ca7fd1fc1e6a04d242bf45be670de46e22760af29b447

Download Submit
memory/2988-144-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2988-143-0x00000000005DB000-0x00000000005EB000-memory.dmp

Filesize
64KB

Download
memory/2988-141-0x00000000005DB000-0x00000000005EB000-memory.dmp

Filesize
64KB

Download
memory/3592-130-0x0000000000628000-0x0000000000639000-memory.dmp

Filesize
68KB

Download
memory/3592-131-0x0000000000628000-0x0000000000639000-memory.dmp

Filesize
68KB

Download
memory/3592-133-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3592-132-0x0000000000600000-0x0000000000609000-memory.dmp

Filesize
36KB

Download
memory/4172-138-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/4172-137-0x0000000000543000-0x0000000000553000-memory.dmp

Filesize
64KB

Download
memory/4172-136-0x0000000000543000-0x0000000000553000-memory.dmp

Filesize
64KB

Download
memory/4596-147-0x0000000000853000-0x0000000000863000-memory.dmp

Filesize
64KB

Download
memory/4596-148-0x0000000000853000-0x0000000000863000-memory.dmp

Filesize
64KB

Download
memory/4596-149-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing