systembc | 64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f

General

Target

142939679afaeaf6cf66d3b80ea7d63e.exe
Size

255KB
MD5

142939679afaeaf6cf66d3b80ea7d63e
SHA1

149465fd8b48f262bcf361047bb8035b5b1f33a2
SHA256

64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f
SHA512

bed423909f581415e80bf44960c5415f2527eee02cfd39b6201c1d67831be1dbefe27d58b27e4118cfddbeee42251596fa1f6e8912d6b22143dd75cf455561b8

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

bbhmm.exepkinse.exegfffn.exe

pid process

768 bbhmm.exe
1200 pkinse.exe
1636 gfffn.exe

pid	process
768	bbhmm.exe
1200	pkinse.exe
1636	gfffn.exe

Drops file in Windows directory 5 IoCs

Processes:

bbhmm.exepkinse.exe142939679afaeaf6cf66d3b80ea7d63e.exe

description	ioc	process
File created	C:\Windows\Tasks\qtuxqslevxbsuwactwa.job	bbhmm.exe
File created	C:\Windows\Tasks\gfffn.job	pkinse.exe
File opened for modification	C:\Windows\Tasks\gfffn.job	pkinse.exe
File created	C:\Windows\Tasks\bbhmm.job	142939679afaeaf6cf66d3b80ea7d63e.exe
File opened for modification	C:\Windows\Tasks\bbhmm.job	142939679afaeaf6cf66d3b80ea7d63e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

142939679afaeaf6cf66d3b80ea7d63e.exepkinse.exe

pid process

1940 142939679afaeaf6cf66d3b80ea7d63e.exe
1200 pkinse.exe

pid	process
1940	142939679afaeaf6cf66d3b80ea7d63e.exe
1200	pkinse.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 520 wrote to memory of 768	520	taskeng.exe	bbhmm.exe
PID 520 wrote to memory of 768	520	taskeng.exe	bbhmm.exe
PID 520 wrote to memory of 768	520	taskeng.exe	bbhmm.exe
PID 520 wrote to memory of 768	520	taskeng.exe	bbhmm.exe
PID 520 wrote to memory of 1200	520	taskeng.exe	pkinse.exe
PID 520 wrote to memory of 1200	520	taskeng.exe	pkinse.exe
PID 520 wrote to memory of 1200	520	taskeng.exe	pkinse.exe
PID 520 wrote to memory of 1200	520	taskeng.exe	pkinse.exe
PID 520 wrote to memory of 1636	520	taskeng.exe	gfffn.exe
PID 520 wrote to memory of 1636	520	taskeng.exe	gfffn.exe
PID 520 wrote to memory of 1636	520	taskeng.exe	gfffn.exe
PID 520 wrote to memory of 1636	520	taskeng.exe	gfffn.exe

C:\Users\Admin\AppData\Local\Temp\142939679afaeaf6cf66d3b80ea7d63e.exe
"C:\Users\Admin\AppData\Local\Temp\142939679afaeaf6cf66d3b80ea7d63e.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1940

C:\Windows\system32\taskeng.exe
taskeng.exe {7357C892-BAF1-4B95-9B91-3BDA789CAB00} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:520
- C:\ProgramData\reetf\bbhmm.exe
  C:\ProgramData\reetf\bbhmm.exe start
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:768
- C:\Windows\TEMP\pkinse.exe
  C:\Windows\TEMP\pkinse.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1200
- C:\ProgramData\xkmmo\gfffn.exe
  C:\ProgramData\xkmmo\gfffn.exe start
  2⤵
  - Executes dropped EXE
  PID:1636

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\reetf\bbhmm.exe

Filesize
255KB

MD5
142939679afaeaf6cf66d3b80ea7d63e

SHA1
149465fd8b48f262bcf361047bb8035b5b1f33a2

SHA256
64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f

SHA512
bed423909f581415e80bf44960c5415f2527eee02cfd39b6201c1d67831be1dbefe27d58b27e4118cfddbeee42251596fa1f6e8912d6b22143dd75cf455561b8

Download Submit
C:\ProgramData\reetf\bbhmm.exe

Filesize
255KB

MD5
142939679afaeaf6cf66d3b80ea7d63e

SHA1
149465fd8b48f262bcf361047bb8035b5b1f33a2

SHA256
64efd694a2e536ed7265fb46da5198788d895a9b7b9c2434404209b61c143a5f

SHA512
bed423909f581415e80bf44960c5415f2527eee02cfd39b6201c1d67831be1dbefe27d58b27e4118cfddbeee42251596fa1f6e8912d6b22143dd75cf455561b8

Download Submit
C:\ProgramData\xkmmo\gfffn.exe

Filesize
253KB

MD5
5366cfb7213ba42e13f5a07ba83a6353

SHA1
958421f6fe7a2928578157c36b366578bc4e1b18

SHA256
0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96

SHA512
c91ec11e3b220a1723fe842329ac9fd23c468aaf7285db5d1fe47f4616e6053669d99a372e37d1055ee45ade04888b68ef35fd23b8b1f4a98e6e8a47008f6414

Download Submit
C:\ProgramData\xkmmo\gfffn.exe

Filesize
253KB

MD5
5366cfb7213ba42e13f5a07ba83a6353

SHA1
958421f6fe7a2928578157c36b366578bc4e1b18

SHA256
0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96

SHA512
c91ec11e3b220a1723fe842329ac9fd23c468aaf7285db5d1fe47f4616e6053669d99a372e37d1055ee45ade04888b68ef35fd23b8b1f4a98e6e8a47008f6414

Download Submit
C:\Windows\TEMP\pkinse.exe

Filesize
253KB

MD5
5366cfb7213ba42e13f5a07ba83a6353

SHA1
958421f6fe7a2928578157c36b366578bc4e1b18

SHA256
0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96

SHA512
c91ec11e3b220a1723fe842329ac9fd23c468aaf7285db5d1fe47f4616e6053669d99a372e37d1055ee45ade04888b68ef35fd23b8b1f4a98e6e8a47008f6414

Download Submit
C:\Windows\Tasks\bbhmm.job

Filesize
228B

MD5
1b41940e92ae6c4e56318b3a77047b81

SHA1
3c6f8362f270c9806cf0905d7ecb13a083558994

SHA256
afd9e8e5f2c487f6efe92b1e3e549b63b4193237deaabafb9ff805a55fd75c19

SHA512
baa0f7715b5303d8d83e518a1e2f5c9e2a3e17f5f097e07053e3b6c305cd4956042545bb353ecf2b976021965c4fb9ab912768c3e397777fe34b71fc05923173

Download Submit
C:\Windows\Temp\pkinse.exe

Filesize
253KB

MD5
5366cfb7213ba42e13f5a07ba83a6353

SHA1
958421f6fe7a2928578157c36b366578bc4e1b18

SHA256
0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96

SHA512
c91ec11e3b220a1723fe842329ac9fd23c468aaf7285db5d1fe47f4616e6053669d99a372e37d1055ee45ade04888b68ef35fd23b8b1f4a98e6e8a47008f6414

Download Submit
memory/768-60-0x0000000000000000-mapping.dmp

Download
memory/768-62-0x000000000064E000-0x0000000000657000-memory.dmp

Filesize
36KB

Download
memory/768-64-0x000000000064E000-0x0000000000657000-memory.dmp

Filesize
36KB

Download
memory/768-65-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1200-72-0x000000000028B000-0x000000000029C000-memory.dmp

Filesize
68KB

Download
memory/1200-67-0x0000000000000000-mapping.dmp

Download
memory/1200-69-0x000000000028B000-0x000000000029C000-memory.dmp

Filesize
68KB

Download
memory/1200-73-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1636-75-0x0000000000000000-mapping.dmp

Download
memory/1636-77-0x000000000065B000-0x000000000066C000-memory.dmp

Filesize
68KB

Download
memory/1636-79-0x000000000065B000-0x000000000066C000-memory.dmp

Filesize
68KB

Download
memory/1636-80-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1940-58-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1940-57-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1940-54-0x000000000056E000-0x0000000000577000-memory.dmp

Filesize
36KB

Download
memory/1940-56-0x000000000056E000-0x0000000000577000-memory.dmp

Filesize
36KB

Download
memory/1940-55-0x0000000076BC1000-0x0000000076BC3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing