systembc | 609107e7e71a4899fa5496da826c92a2ca05134e7f79b0bbda280696de45f937

General

Target

83514393db26424b554847acb66e57c2.exe
Size

109KB
MD5

83514393db26424b554847acb66e57c2
SHA1

f011dac01e0e0552c2f42665e444cab907394353
SHA256

609107e7e71a4899fa5496da826c92a2ca05134e7f79b0bbda280696de45f937
SHA512

5899f1f574e8ae7f607267ada11b193ec5662a437d4db30aa2804f682779fa493369109aea27c57d6a8f190cd74ace17507df9ec06cabb235cb5b8453448de59
SSDEEP

3072:z4CKjfWVRLecKlAG1OCRpwI1KCnLAHa15:yW7ZUO+OIUCLAHa15

Score

10^/10

systembc trojan upx

Malware Config

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 2 IoCs

Processes:

kncix.exekncix.exe

pid process

3952 kncix.exe
2092 kncix.exe

pid	process
3952	kncix.exe
2092	kncix.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4916-132-0x0000000000400000-0x000000000044A000-memory.dmp	upx
C:\ProgramData\bldtwe\kncix.exe	upx
C:\ProgramData\bldtwe\kncix.exe	upx
behavioral2/memory/3952-139-0x0000000000400000-0x000000000044A000-memory.dmp	upx
C:\ProgramData\bldtwe\kncix.exe	upx

Unexpected DNS network traffic destination 49 IoCs

Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description	ioc
Destination IP	104.238.186.189
Destination IP	162.248.241.94
Destination IP	144.76.133.38
Destination IP	51.255.211.146
Destination IP	111.67.20.8
Destination IP	31.171.251.118
Destination IP	66.165.251.19
Destination IP	51.255.48.78
Destination IP	51.15.119.63
Destination IP	198.206.14.241
Destination IP	176.126.70.119
Destination IP	18.211.225.60
Destination IP	104.37.195.178
Destination IP	69.164.196.21
Destination IP	212.24.98.54
Destination IP	185.117.154.144
Destination IP	142.4.204.111
Destination IP	185.208.208.141
Destination IP	217.12.210.54
Destination IP	139.99.96.146
Destination IP	128.52.130.209
Destination IP	163.53.248.170
Destination IP	103.236.162.119
Destination IP	192.71.245.208
Destination IP	87.98.175.85
Destination IP	178.17.170.179
Destination IP	91.217.137.37
Destination IP	103.114.191.33
Destination IP	51.15.98.97
Destination IP	94.247.43.254
Destination IP	66.70.211.246
Destination IP	172.98.193.42
Destination IP	5.132.191.104
Destination IP	5.135.183.146
Destination IP	192.99.85.244
Destination IP	92.222.97.145
Destination IP	35.196.105.24
Destination IP	95.181.211.6
Destination IP	142.4.205.47
Destination IP	82.196.9.45
Destination IP	188.165.200.156
Destination IP	193.183.98.66
Destination IP	89.46.223.237
Destination IP	89.35.39.64
Destination IP	94.16.114.254
Destination IP	163.172.185.51
Destination IP	89.18.27.167
Destination IP	37.59.40.15
Destination IP	45.71.112.70

Drops file in Windows directory 2 IoCs

Processes:

83514393db26424b554847acb66e57c2.exe

description	ioc	process
File created	C:\Windows\Tasks\corolina17.job	83514393db26424b554847acb66e57c2.exe
File opened for modification	C:\Windows\Tasks\corolina17.job	83514393db26424b554847acb66e57c2.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1232 4916 WerFault.exe 83514393db26424b554847acb66e57c2.exe
2920 3952 WerFault.exe kncix.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

83514393db26424b554847acb66e57c2.exe

pid process

4916 83514393db26424b554847acb66e57c2.exe
4916 83514393db26424b554847acb66e57c2.exe

pid	pid_target	process	target process
1232	4916	WerFault.exe	83514393db26424b554847acb66e57c2.exe
2920	3952	WerFault.exe	kncix.exe

pid	process
4916	83514393db26424b554847acb66e57c2.exe
4916	83514393db26424b554847acb66e57c2.exe

C:\Users\Admin\AppData\Local\Temp\83514393db26424b554847acb66e57c2.exe
"C:\Users\Admin\AppData\Local\Temp\83514393db26424b554847acb66e57c2.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 468
2⤵
- Program crash
PID:1232

C:\ProgramData\bldtwe\kncix.exe
C:\ProgramData\bldtwe\kncix.exe start2
1⤵
- Executes dropped EXE
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 468
2⤵
- Program crash
PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4916 -ip 4916
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3952 -ip 3952
1⤵
PID:3008

C:\ProgramData\bldtwe\kncix.exe
C:\ProgramData\bldtwe\kncix.exe start2
1⤵
- Executes dropped EXE
PID:2092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bldtwe\kncix.exe
Filesize
109KB

MD5
83514393db26424b554847acb66e57c2

SHA1
f011dac01e0e0552c2f42665e444cab907394353

SHA256
609107e7e71a4899fa5496da826c92a2ca05134e7f79b0bbda280696de45f937

SHA512
5899f1f574e8ae7f607267ada11b193ec5662a437d4db30aa2804f682779fa493369109aea27c57d6a8f190cd74ace17507df9ec06cabb235cb5b8453448de59

Download Submit
C:\ProgramData\bldtwe\kncix.exe
Filesize
109KB

MD5
83514393db26424b554847acb66e57c2

SHA1
f011dac01e0e0552c2f42665e444cab907394353

SHA256
609107e7e71a4899fa5496da826c92a2ca05134e7f79b0bbda280696de45f937

SHA512
5899f1f574e8ae7f607267ada11b193ec5662a437d4db30aa2804f682779fa493369109aea27c57d6a8f190cd74ace17507df9ec06cabb235cb5b8453448de59

Download Submit
C:\ProgramData\bldtwe\kncix.exe
Filesize
109KB

MD5
83514393db26424b554847acb66e57c2

SHA1
f011dac01e0e0552c2f42665e444cab907394353

SHA256
609107e7e71a4899fa5496da826c92a2ca05134e7f79b0bbda280696de45f937

SHA512
5899f1f574e8ae7f607267ada11b193ec5662a437d4db30aa2804f682779fa493369109aea27c57d6a8f190cd74ace17507df9ec06cabb235cb5b8453448de59

Download Submit
memory/2092-146-0x0000000000542000-0x0000000000546000-memory.dmp

Filesize
16KB

Download
memory/2092-145-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3952-139-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3952-140-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3952-141-0x000000000053D000-0x0000000000541000-memory.dmp

Filesize
16KB

Download
memory/3952-142-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4916-132-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4916-143-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4916-138-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download
memory/4916-135-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/4916-134-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads