systembc | 0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96

General

Target

5366cfb7213ba42e13f5a07ba83a6353.exe
Size

253KB
MD5

5366cfb7213ba42e13f5a07ba83a6353
SHA1

958421f6fe7a2928578157c36b366578bc4e1b18
SHA256

0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96
SHA512

c91ec11e3b220a1723fe842329ac9fd23c468aaf7285db5d1fe47f4616e6053669d99a372e37d1055ee45ade04888b68ef35fd23b8b1f4a98e6e8a47008f6414

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

31.44.185.6:4001

31.44.185.11:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

nfmfg.exemgowgtd.exefrbnnop.exe

pid process

1104 nfmfg.exe
548 mgowgtd.exe
296 frbnnop.exe

pid	process
1104	nfmfg.exe
548	mgowgtd.exe
296	frbnnop.exe

Drops file in Windows directory 5 IoCs

Processes:

mgowgtd.exe5366cfb7213ba42e13f5a07ba83a6353.exenfmfg.exe

description	ioc	process
File created	C:\Windows\Tasks\frbnnop.job	mgowgtd.exe
File opened for modification	C:\Windows\Tasks\frbnnop.job	mgowgtd.exe
File created	C:\Windows\Tasks\nfmfg.job	5366cfb7213ba42e13f5a07ba83a6353.exe
File opened for modification	C:\Windows\Tasks\nfmfg.job	5366cfb7213ba42e13f5a07ba83a6353.exe
File created	C:\Windows\Tasks\ckxuivmfpkodgmxklwe.job	nfmfg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5366cfb7213ba42e13f5a07ba83a6353.exemgowgtd.exe

pid process

1792 5366cfb7213ba42e13f5a07ba83a6353.exe
548 mgowgtd.exe

pid	process
1792	5366cfb7213ba42e13f5a07ba83a6353.exe
548	mgowgtd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 468 wrote to memory of 1104	468	taskeng.exe	nfmfg.exe
PID 468 wrote to memory of 1104	468	taskeng.exe	nfmfg.exe
PID 468 wrote to memory of 1104	468	taskeng.exe	nfmfg.exe
PID 468 wrote to memory of 1104	468	taskeng.exe	nfmfg.exe
PID 468 wrote to memory of 548	468	taskeng.exe	mgowgtd.exe
PID 468 wrote to memory of 548	468	taskeng.exe	mgowgtd.exe
PID 468 wrote to memory of 548	468	taskeng.exe	mgowgtd.exe
PID 468 wrote to memory of 548	468	taskeng.exe	mgowgtd.exe
PID 468 wrote to memory of 296	468	taskeng.exe	frbnnop.exe
PID 468 wrote to memory of 296	468	taskeng.exe	frbnnop.exe
PID 468 wrote to memory of 296	468	taskeng.exe	frbnnop.exe
PID 468 wrote to memory of 296	468	taskeng.exe	frbnnop.exe

C:\Users\Admin\AppData\Local\Temp\5366cfb7213ba42e13f5a07ba83a6353.exe
"C:\Users\Admin\AppData\Local\Temp\5366cfb7213ba42e13f5a07ba83a6353.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1792

C:\Windows\system32\taskeng.exe
taskeng.exe {7740D57C-F51B-411F-A0BD-03617B7CE5E9} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:468

C:\ProgramData\wcji\nfmfg.exe
C:\ProgramData\wcji\nfmfg.exe start
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1104

C:\Windows\TEMP\mgowgtd.exe
C:\Windows\TEMP\mgowgtd.exe
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:548

C:\ProgramData\rfpqb\frbnnop.exe
C:\ProgramData\rfpqb\frbnnop.exe start
2⤵
- Executes dropped EXE
PID:296

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rfpqb\frbnnop.exe
Filesize
253KB

MD5
5366cfb7213ba42e13f5a07ba83a6353

SHA1
958421f6fe7a2928578157c36b366578bc4e1b18

SHA256
0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96

SHA512
c91ec11e3b220a1723fe842329ac9fd23c468aaf7285db5d1fe47f4616e6053669d99a372e37d1055ee45ade04888b68ef35fd23b8b1f4a98e6e8a47008f6414

Download Submit
C:\ProgramData\rfpqb\frbnnop.exe
Filesize
253KB

MD5
5366cfb7213ba42e13f5a07ba83a6353

SHA1
958421f6fe7a2928578157c36b366578bc4e1b18

SHA256
0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96

SHA512
c91ec11e3b220a1723fe842329ac9fd23c468aaf7285db5d1fe47f4616e6053669d99a372e37d1055ee45ade04888b68ef35fd23b8b1f4a98e6e8a47008f6414

Download Submit
C:\ProgramData\wcji\nfmfg.exe
Filesize
253KB

MD5
5366cfb7213ba42e13f5a07ba83a6353

SHA1
958421f6fe7a2928578157c36b366578bc4e1b18

SHA256
0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96

SHA512
c91ec11e3b220a1723fe842329ac9fd23c468aaf7285db5d1fe47f4616e6053669d99a372e37d1055ee45ade04888b68ef35fd23b8b1f4a98e6e8a47008f6414

Download Submit
C:\ProgramData\wcji\nfmfg.exe
Filesize
253KB

MD5
5366cfb7213ba42e13f5a07ba83a6353

SHA1
958421f6fe7a2928578157c36b366578bc4e1b18

SHA256
0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96

SHA512
c91ec11e3b220a1723fe842329ac9fd23c468aaf7285db5d1fe47f4616e6053669d99a372e37d1055ee45ade04888b68ef35fd23b8b1f4a98e6e8a47008f6414

Download Submit
C:\Windows\TEMP\mgowgtd.exe
Filesize
253KB

MD5
5366cfb7213ba42e13f5a07ba83a6353

SHA1
958421f6fe7a2928578157c36b366578bc4e1b18

SHA256
0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96

SHA512
c91ec11e3b220a1723fe842329ac9fd23c468aaf7285db5d1fe47f4616e6053669d99a372e37d1055ee45ade04888b68ef35fd23b8b1f4a98e6e8a47008f6414

Download Submit
C:\Windows\Tasks\nfmfg.job
Filesize
226B

MD5
14c1f19915c9e7513175dd8d4a0c37bc

SHA1
d9cdeec40f95bb45b727a3b85b65dbe02b87d2d6

SHA256
993cbfc400721320d3e733381736f973c5553b312caade2fab2e952d6a825cc3

SHA512
f530680e6307ef6454f066a320097434024f6b85887d11afc7b45cdfa15d8dc7dd5ebf7150a65ac288b945449c27ae1a0b14a79995ac8bfc86c8bd699a4d11bc

Download Submit
C:\Windows\Temp\mgowgtd.exe
Filesize
253KB

MD5
5366cfb7213ba42e13f5a07ba83a6353

SHA1
958421f6fe7a2928578157c36b366578bc4e1b18

SHA256
0f88cfd80dda550bf8ed08966821d84f6344fa6110b248e1148f06109c9a9f96

SHA512
c91ec11e3b220a1723fe842329ac9fd23c468aaf7285db5d1fe47f4616e6053669d99a372e37d1055ee45ade04888b68ef35fd23b8b1f4a98e6e8a47008f6414

Download Submit
memory/296-75-0x0000000000000000-mapping.dmp

Download
memory/296-80-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/296-79-0x00000000005FB000-0x000000000060C000-memory.dmp

Filesize
68KB

Download
memory/296-77-0x00000000005FB000-0x000000000060C000-memory.dmp

Filesize
68KB

Download
memory/548-67-0x0000000000000000-mapping.dmp

Download
memory/548-69-0x00000000005BB000-0x00000000005CC000-memory.dmp

Filesize
68KB

Download
memory/548-72-0x00000000005BB000-0x00000000005CC000-memory.dmp

Filesize
68KB

Download
memory/548-73-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1104-62-0x000000000062B000-0x000000000063C000-memory.dmp

Filesize
68KB

Download
memory/1104-64-0x000000000062B000-0x000000000063C000-memory.dmp

Filesize
68KB

Download
memory/1104-65-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1104-60-0x0000000000000000-mapping.dmp

Download
memory/1792-58-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1792-55-0x0000000075E51000-0x0000000075E53000-memory.dmp

Filesize
8KB

Download
memory/1792-56-0x00000000008EB000-0x00000000008FC000-memory.dmp

Filesize
68KB

Download
memory/1792-57-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1792-54-0x00000000008EB000-0x00000000008FC000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing