systembc | cbde76dfb68797accd9d4c909569bd925cca6bb5faaea32ee253bcac5494cb2e

General

Target

0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96.exe
Size

253KB
MD5

5366cfb7213ba42e13f5a07ba83a6353
SHA1

958421f6fe7a2928578157c36b366578bc4e1b18
SHA256

0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96
SHA512

c91ec11e3b220a1723fe842329ac9fd23c468aaf7285db5d1fe47f4616e6053669d99a372e37d1055ee45ade04888b68ef35fd23b8b1f4a98e6e8a47008f6414

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

kpskidw.exelcqh.exeojufjh.exe

pid process

1376 kpskidw.exe
2824 lcqh.exe
3512 ojufjh.exe

pid	process
1376	kpskidw.exe
2824	lcqh.exe
3512	ojufjh.exe

Drops file in Windows directory 5 IoCs

Processes:

0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96.exekpskidw.exelcqh.exe

description	ioc	process
File created	C:\Windows\Tasks\kpskidw.job	0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96.exe
File opened for modification	C:\Windows\Tasks\kpskidw.job	0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96.exe
File created	C:\Windows\Tasks\acpjjevpixriarketmc.job	kpskidw.exe
File created	C:\Windows\Tasks\ojufjh.job	lcqh.exe
File opened for modification	C:\Windows\Tasks\ojufjh.job	lcqh.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1676 5116 WerFault.exe 0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96.exe

pid	pid_target	process	target process
1676	5116	WerFault.exe	0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96.exelcqh.exe

pid	process
5116	0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96.exe
5116	0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96.exe
2824	lcqh.exe
2824	lcqh.exe

C:\Users\Admin\AppData\Local\Temp\0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96.exe
"C:\Users\Admin\AppData\Local\Temp\0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5116
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5116 -s 484
  2⤵
  - Program crash
  PID:1676

C:\ProgramData\olouw\kpskidw.exe
C:\ProgramData\olouw\kpskidw.exe start
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5116 -ip 5116
1⤵
PID:3232

C:\Windows\TEMP\lcqh.exe
C:\Windows\TEMP\lcqh.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2824

C:\ProgramData\nrdpion\ojufjh.exe
C:\ProgramData\nrdpion\ojufjh.exe start
1⤵
- Executes dropped EXE
PID:3512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\nrdpion\ojufjh.exe

Filesize
253KB

MD5
5366cfb7213ba42e13f5a07ba83a6353

SHA1
958421f6fe7a2928578157c36b366578bc4e1b18

SHA256
0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96

SHA512
c91ec11e3b220a1723fe842329ac9fd23c468aaf7285db5d1fe47f4616e6053669d99a372e37d1055ee45ade04888b68ef35fd23b8b1f4a98e6e8a47008f6414

Download Submit
C:\ProgramData\nrdpion\ojufjh.exe

Filesize
253KB

MD5
5366cfb7213ba42e13f5a07ba83a6353

SHA1
958421f6fe7a2928578157c36b366578bc4e1b18

SHA256
0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96

SHA512
c91ec11e3b220a1723fe842329ac9fd23c468aaf7285db5d1fe47f4616e6053669d99a372e37d1055ee45ade04888b68ef35fd23b8b1f4a98e6e8a47008f6414

Download Submit
C:\ProgramData\olouw\kpskidw.exe

Filesize
253KB

MD5
5366cfb7213ba42e13f5a07ba83a6353

SHA1
958421f6fe7a2928578157c36b366578bc4e1b18

SHA256
0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96

SHA512
c91ec11e3b220a1723fe842329ac9fd23c468aaf7285db5d1fe47f4616e6053669d99a372e37d1055ee45ade04888b68ef35fd23b8b1f4a98e6e8a47008f6414

Download Submit
C:\ProgramData\olouw\kpskidw.exe

Filesize
253KB

MD5
5366cfb7213ba42e13f5a07ba83a6353

SHA1
958421f6fe7a2928578157c36b366578bc4e1b18

SHA256
0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96

SHA512
c91ec11e3b220a1723fe842329ac9fd23c468aaf7285db5d1fe47f4616e6053669d99a372e37d1055ee45ade04888b68ef35fd23b8b1f4a98e6e8a47008f6414

Download Submit
C:\Windows\TEMP\lcqh.exe

Filesize
253KB

MD5
5366cfb7213ba42e13f5a07ba83a6353

SHA1
958421f6fe7a2928578157c36b366578bc4e1b18

SHA256
0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96

SHA512
c91ec11e3b220a1723fe842329ac9fd23c468aaf7285db5d1fe47f4616e6053669d99a372e37d1055ee45ade04888b68ef35fd23b8b1f4a98e6e8a47008f6414

Download Submit
C:\Windows\Tasks\kpskidw.job

Filesize
250B

MD5
be724fcf1e2e25dd9f0c08e930b5e266

SHA1
5e9a3802937d2c3a945715be8955b876deda56bc

SHA256
a607db028f94744b39eb6198caaed22d4e4ad3383e93f08f7b255e1ef0a00828

SHA512
616c8e742dd21676d92c9615a1ccbf1f7050bb06ec84aa1cc7ab6e82fc7f86e3cb26d4449b8eabc6dc833d1bef6d20c9141524fb307259ce41366fae1f9ef559

Download Submit
C:\Windows\Temp\lcqh.exe

Filesize
253KB

MD5
5366cfb7213ba42e13f5a07ba83a6353

SHA1
958421f6fe7a2928578157c36b366578bc4e1b18

SHA256
0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96

SHA512
c91ec11e3b220a1723fe842329ac9fd23c468aaf7285db5d1fe47f4616e6053669d99a372e37d1055ee45ade04888b68ef35fd23b8b1f4a98e6e8a47008f6414

Download Submit
memory/1376-138-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1376-137-0x00000000004A2000-0x00000000004B3000-memory.dmp

Filesize
68KB

Download
memory/1376-136-0x00000000004A2000-0x00000000004B3000-memory.dmp

Filesize
68KB

Download
memory/2824-141-0x00000000004C3000-0x00000000004D3000-memory.dmp

Filesize
64KB

Download
memory/2824-143-0x00000000004C3000-0x00000000004D3000-memory.dmp

Filesize
64KB

Download
memory/2824-144-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/3512-147-0x00000000005E3000-0x00000000005F3000-memory.dmp

Filesize
64KB

Download
memory/3512-148-0x00000000005E3000-0x00000000005F3000-memory.dmp

Filesize
64KB

Download
memory/3512-149-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5116-133-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/5116-130-0x00000000004F8000-0x0000000000509000-memory.dmp

Filesize
68KB

Download
memory/5116-132-0x00000000004B0000-0x00000000004B9000-memory.dmp

Filesize
36KB

Download
memory/5116-131-0x00000000004F8000-0x0000000000509000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing