systembc | cbde76dfb68797accd9d4c909569bd925cca6bb5faaea32ee253bcac5494cb2e

General

Target

0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96.exe
Size

253KB
MD5

5366cfb7213ba42e13f5a07ba83a6353
SHA1

958421f6fe7a2928578157c36b366578bc4e1b18
SHA256

0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96
SHA512

c91ec11e3b220a1723fe842329ac9fd23c468aaf7285db5d1fe47f4616e6053669d99a372e37d1055ee45ade04888b68ef35fd23b8b1f4a98e6e8a47008f6414

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

ewmlo.exe

pid process

1312 ewmlo.exe

pid	process
1312	ewmlo.exe

Drops file in Windows directory 2 IoCs

Processes:

0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96.exe

description	ioc	process
File created	C:\Windows\Tasks\ewmlo.job	0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96.exe
File opened for modification	C:\Windows\Tasks\ewmlo.job	0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96.exe

pid process

588 0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96.exe

pid	process
588	0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 2016 wrote to memory of 1312	2016	taskeng.exe	ewmlo.exe
PID 2016 wrote to memory of 1312	2016	taskeng.exe	ewmlo.exe
PID 2016 wrote to memory of 1312	2016	taskeng.exe	ewmlo.exe
PID 2016 wrote to memory of 1312	2016	taskeng.exe	ewmlo.exe

C:\Users\Admin\AppData\Local\Temp\0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96.exe
"C:\Users\Admin\AppData\Local\Temp\0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:588

C:\Windows\system32\taskeng.exe
taskeng.exe {BC1F736D-6D92-4395-9F1C-6785346A1804} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2016
- C:\ProgramData\cskjxfl\ewmlo.exe
  C:\ProgramData\cskjxfl\ewmlo.exe start
  2⤵
  - Executes dropped EXE
  PID:1312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cskjxfl\ewmlo.exe

Filesize
253KB

MD5
5366cfb7213ba42e13f5a07ba83a6353

SHA1
958421f6fe7a2928578157c36b366578bc4e1b18

SHA256
0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96

SHA512
c91ec11e3b220a1723fe842329ac9fd23c468aaf7285db5d1fe47f4616e6053669d99a372e37d1055ee45ade04888b68ef35fd23b8b1f4a98e6e8a47008f6414

Download Submit
C:\ProgramData\cskjxfl\ewmlo.exe

Filesize
253KB

MD5
5366cfb7213ba42e13f5a07ba83a6353

SHA1
958421f6fe7a2928578157c36b366578bc4e1b18

SHA256
0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96

SHA512
c91ec11e3b220a1723fe842329ac9fd23c468aaf7285db5d1fe47f4616e6053669d99a372e37d1055ee45ade04888b68ef35fd23b8b1f4a98e6e8a47008f6414

Download Submit
memory/588-54-0x000000000050B000-0x000000000051C000-memory.dmp

Filesize
68KB

Download
memory/588-55-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/588-56-0x000000000050B000-0x000000000051C000-memory.dmp

Filesize
68KB

Download
memory/588-57-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/588-58-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1312-60-0x0000000000000000-mapping.dmp

Download
memory/1312-62-0x000000000058B000-0x000000000059C000-memory.dmp

Filesize
68KB

Download
memory/1312-64-0x000000000058B000-0x000000000059C000-memory.dmp

Filesize
68KB

Download
memory/1312-65-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing