systembc | 6614825f130ac2aa068a6693e59592bbe9b16dfae0642c7fb61ffed9ee509382

General

Target

6614825f130ac2aa068a6693e59592bbe9b16dfae0642c7fb61ffed9ee509382.exe
Size

336KB
MD5

55ec8d87ea82b509064ed7f1cf4123d2
SHA1

915988dada7cdff3ae640e9a95900e506af45384
SHA256

6614825f130ac2aa068a6693e59592bbe9b16dfae0642c7fb61ffed9ee509382
SHA512

ab57a206a465ecba1004ec4088ecf91f6a790052b3d729fa80d96716de1ee5c3458148e63cf7b989b6b5ef5492e9df23f21514dfc8997aac86a596e6a87150c1
SSDEEP

6144:P5gQhByOZWJjbr4Khyryyz+Tn5nAOlAOy8ZeqpSsfk9I:P5gtOZWJHrNhLT5nMLbb0k9I

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

advertserv7.world:4044

statexadvert.club:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 2 IoCs

Processes:

msgfmdc.exemsgfmdc.exe

pid process

1496 msgfmdc.exe
1900 msgfmdc.exe

pid	process
1496	msgfmdc.exe
1900	msgfmdc.exe

Drops file in Windows directory 2 IoCs

Processes:

6614825f130ac2aa068a6693e59592bbe9b16dfae0642c7fb61ffed9ee509382.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\msgfmdc.job	6614825f130ac2aa068a6693e59592bbe9b16dfae0642c7fb61ffed9ee509382.exe
File created	C:\Windows\Tasks\msgfmdc.job	6614825f130ac2aa068a6693e59592bbe9b16dfae0642c7fb61ffed9ee509382.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

6614825f130ac2aa068a6693e59592bbe9b16dfae0642c7fb61ffed9ee509382.exe

pid process

1908 6614825f130ac2aa068a6693e59592bbe9b16dfae0642c7fb61ffed9ee509382.exe

pid	process
1908	6614825f130ac2aa068a6693e59592bbe9b16dfae0642c7fb61ffed9ee509382.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1340 wrote to memory of 1496	1340	taskeng.exe	msgfmdc.exe
PID 1340 wrote to memory of 1496	1340	taskeng.exe	msgfmdc.exe
PID 1340 wrote to memory of 1496	1340	taskeng.exe	msgfmdc.exe
PID 1340 wrote to memory of 1496	1340	taskeng.exe	msgfmdc.exe
PID 1340 wrote to memory of 1900	1340	taskeng.exe	msgfmdc.exe
PID 1340 wrote to memory of 1900	1340	taskeng.exe	msgfmdc.exe
PID 1340 wrote to memory of 1900	1340	taskeng.exe	msgfmdc.exe
PID 1340 wrote to memory of 1900	1340	taskeng.exe	msgfmdc.exe

C:\Users\Admin\AppData\Local\Temp\6614825f130ac2aa068a6693e59592bbe9b16dfae0642c7fb61ffed9ee509382.exe
"C:\Users\Admin\AppData\Local\Temp\6614825f130ac2aa068a6693e59592bbe9b16dfae0642c7fb61ffed9ee509382.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1908

C:\Windows\system32\taskeng.exe
taskeng.exe {DAA82CA9-558B-44FA-A167-92B6BED28F8F} S-1-5-21-2292972927-2705560509-2768824231-1000:GRXNNIIE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1340

C:\ProgramData\ckoofs\msgfmdc.exe
C:\ProgramData\ckoofs\msgfmdc.exe start2
2⤵
- Executes dropped EXE
PID:1496

C:\ProgramData\ckoofs\msgfmdc.exe
C:\ProgramData\ckoofs\msgfmdc.exe start2
2⤵
- Executes dropped EXE
PID:1900

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ckoofs\msgfmdc.exe
Filesize
336KB

MD5
55ec8d87ea82b509064ed7f1cf4123d2

SHA1
915988dada7cdff3ae640e9a95900e506af45384

SHA256
6614825f130ac2aa068a6693e59592bbe9b16dfae0642c7fb61ffed9ee509382

SHA512
ab57a206a465ecba1004ec4088ecf91f6a790052b3d729fa80d96716de1ee5c3458148e63cf7b989b6b5ef5492e9df23f21514dfc8997aac86a596e6a87150c1

Download Submit
C:\ProgramData\ckoofs\msgfmdc.exe
Filesize
336KB

MD5
55ec8d87ea82b509064ed7f1cf4123d2

SHA1
915988dada7cdff3ae640e9a95900e506af45384

SHA256
6614825f130ac2aa068a6693e59592bbe9b16dfae0642c7fb61ffed9ee509382

SHA512
ab57a206a465ecba1004ec4088ecf91f6a790052b3d729fa80d96716de1ee5c3458148e63cf7b989b6b5ef5492e9df23f21514dfc8997aac86a596e6a87150c1

Download Submit
C:\ProgramData\ckoofs\msgfmdc.exe
Filesize
336KB

MD5
55ec8d87ea82b509064ed7f1cf4123d2

SHA1
915988dada7cdff3ae640e9a95900e506af45384

SHA256
6614825f130ac2aa068a6693e59592bbe9b16dfae0642c7fb61ffed9ee509382

SHA512
ab57a206a465ecba1004ec4088ecf91f6a790052b3d729fa80d96716de1ee5c3458148e63cf7b989b6b5ef5492e9df23f21514dfc8997aac86a596e6a87150c1

Download Submit
memory/1496-62-0x0000000002959000-0x0000000002961000-memory.dmp

Filesize
32KB

Download
memory/1496-64-0x0000000000400000-0x0000000002858000-memory.dmp

Filesize
36.3MB

Download
memory/1496-66-0x0000000002959000-0x0000000002961000-memory.dmp

Filesize
32KB

Download
memory/1496-60-0x0000000000000000-mapping.dmp

Download
memory/1496-65-0x0000000000400000-0x0000000002858000-memory.dmp

Filesize
36.3MB

Download
memory/1900-67-0x0000000000000000-mapping.dmp

Download
memory/1900-69-0x0000000000400000-0x0000000002858000-memory.dmp

Filesize
36.3MB

Download
memory/1900-70-0x00000000029D9000-0x00000000029E1000-memory.dmp

Filesize
32KB

Download
memory/1900-72-0x00000000029D9000-0x00000000029E1000-memory.dmp

Filesize
32KB

Download
memory/1900-73-0x0000000000400000-0x0000000002858000-memory.dmp

Filesize
36.3MB

Download
memory/1908-54-0x00000000029DA000-0x00000000029E2000-memory.dmp

Filesize
32KB

Download
memory/1908-56-0x0000000000400000-0x0000000002858000-memory.dmp

Filesize
36.3MB

Download
memory/1908-57-0x00000000029DA000-0x00000000029E2000-memory.dmp

Filesize
32KB

Download
memory/1908-55-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download
memory/1908-58-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing