systembc | 2a9262660a612c10017d661e2cd82a2e1dabef943542e83bc0f72426622a761a

Analysis

max time kernel
144s
max time network
152s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11-01-2023 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd7f488588b891094c27999d19388be9.exe
Size

255KB
MD5

cd7f488588b891094c27999d19388be9
SHA1

8f6d5e96247d0bd8c04842727f08b9fdaf879d06
SHA256

2a9262660a612c10017d661e2cd82a2e1dabef943542e83bc0f72426622a761a
SHA512

b8d90f7b60d90d269239da9b8845d84e546da2135aa3f444e84efd52b347cc96d46440ed2f728489e281ffad1cf220697c6bfa57137c9f3e44632102a408d188
SSDEEP

3072:gXiPmaJUdsa8HFq56I7HOeRUmPzGiX4KE8Z8j7ynXum1FYRlufdUJ66H:UEmaJUN4Ir6BiX4K5yj7ynXLFYQ+Jl

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

45.182.189.231:443

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

qfsrarl.exe

pid process

688 qfsrarl.exe

pid	process
688	qfsrarl.exe

Drops file in Windows directory 2 IoCs

Processes:

cd7f488588b891094c27999d19388be9.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\qfsrarl.job	cd7f488588b891094c27999d19388be9.exe
File created	C:\Windows\Tasks\qfsrarl.job	cd7f488588b891094c27999d19388be9.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

cd7f488588b891094c27999d19388be9.exe

pid process

1244 cd7f488588b891094c27999d19388be9.exe

pid	process
1244	cd7f488588b891094c27999d19388be9.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1276 wrote to memory of 688	1276	taskeng.exe	qfsrarl.exe
PID 1276 wrote to memory of 688	1276	taskeng.exe	qfsrarl.exe
PID 1276 wrote to memory of 688	1276	taskeng.exe	qfsrarl.exe
PID 1276 wrote to memory of 688	1276	taskeng.exe	qfsrarl.exe

C:\Users\Admin\AppData\Local\Temp\cd7f488588b891094c27999d19388be9.exe
"C:\Users\Admin\AppData\Local\Temp\cd7f488588b891094c27999d19388be9.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1244

C:\Windows\system32\taskeng.exe
taskeng.exe {0E240CDE-D8E9-4D8D-8A8F-4C82559D24A1} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\ProgramData\uqbkf\qfsrarl.exe
C:\ProgramData\uqbkf\qfsrarl.exe start
2⤵
- Executes dropped EXE
PID:688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\uqbkf\qfsrarl.exe
Filesize
255KB

MD5
cd7f488588b891094c27999d19388be9

SHA1
8f6d5e96247d0bd8c04842727f08b9fdaf879d06

SHA256
2a9262660a612c10017d661e2cd82a2e1dabef943542e83bc0f72426622a761a

SHA512
b8d90f7b60d90d269239da9b8845d84e546da2135aa3f444e84efd52b347cc96d46440ed2f728489e281ffad1cf220697c6bfa57137c9f3e44632102a408d188

Download Submit
C:\ProgramData\uqbkf\qfsrarl.exe
Filesize
255KB

MD5
cd7f488588b891094c27999d19388be9

SHA1
8f6d5e96247d0bd8c04842727f08b9fdaf879d06

SHA256
2a9262660a612c10017d661e2cd82a2e1dabef943542e83bc0f72426622a761a

SHA512
b8d90f7b60d90d269239da9b8845d84e546da2135aa3f444e84efd52b347cc96d46440ed2f728489e281ffad1cf220697c6bfa57137c9f3e44632102a408d188

Download Submit
memory/688-59-0x0000000000000000-mapping.dmp

Download
memory/688-61-0x0000000002D58000-0x0000000002D6E000-memory.dmp

Filesize
88KB

Download
memory/688-64-0x0000000002D58000-0x0000000002D6E000-memory.dmp

Filesize
88KB

Download
memory/688-65-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download
memory/688-66-0x0000000002D58000-0x0000000002D6E000-memory.dmp

Filesize
88KB

Download
memory/1244-54-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1244-55-0x00000000002A9000-0x00000000002BE000-memory.dmp

Filesize
84KB

Download
memory/1244-56-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/1244-57-0x0000000000400000-0x0000000002C2E000-memory.dmp

Filesize
40.2MB

Download
memory/1244-62-0x00000000002A9000-0x00000000002BE000-memory.dmp

Filesize
84KB

Download