systembc | 7d17668ad7a09802bbf39bd76093ddb9658d74cffaefc3528463b77573802728

max time kernel
260s
max time network
298s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
09-02-2023 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5cacf2b43b8d5578156df066f2181117.exe
Size

217KB
MD5

5cacf2b43b8d5578156df066f2181117
SHA1

7e4e1385713db3e859bdd5ad6b503e7013b37796
SHA256

7d17668ad7a09802bbf39bd76093ddb9658d74cffaefc3528463b77573802728
SHA512

c7a1e2fafc31d2ce366f5130d28835afdb88f9298fede4121c812f2d5222ff8d855f31e11e54b5b44fbc1d376e16103f0a04794baac62618c72f00aaef6a8142
SSDEEP

6144:YkriDRJpv8UfcWtfJOxM3zeKqjrdySHy:YkwRT8ctROxM3z/CrcSHy

Score

10^/10

systembc trojan upx

Malware Config

Extracted

Family

systembc

advertx15.xyz:4044

spacex17.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

lwkahq.exe

pid process

4632 lwkahq.exe

pid	process
4632	lwkahq.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/632-132-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/632-133-0x0000000000400000-0x0000000000459000-memory.dmp	upx
C:\ProgramData\pgpfaej\lwkahq.exe	upx
C:\ProgramData\pgpfaej\lwkahq.exe	upx
behavioral2/memory/4632-138-0x0000000000400000-0x0000000000459000-memory.dmp	upx
behavioral2/memory/4632-139-0x0000000000400000-0x0000000000459000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

Processes:

5cacf2b43b8d5578156df066f2181117.exe

description	ioc	process
File created	C:\Windows\Tasks\lwkahq.job	5cacf2b43b8d5578156df066f2181117.exe
File opened for modification	C:\Windows\Tasks\lwkahq.job	5cacf2b43b8d5578156df066f2181117.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5cacf2b43b8d5578156df066f2181117.exe

pid process

632 5cacf2b43b8d5578156df066f2181117.exe
632 5cacf2b43b8d5578156df066f2181117.exe

pid	process
632	5cacf2b43b8d5578156df066f2181117.exe
632	5cacf2b43b8d5578156df066f2181117.exe

C:\Users\Admin\AppData\Local\Temp\5cacf2b43b8d5578156df066f2181117.exe
"C:\Users\Admin\AppData\Local\Temp\5cacf2b43b8d5578156df066f2181117.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:632

C:\ProgramData\pgpfaej\lwkahq.exe
C:\ProgramData\pgpfaej\lwkahq.exe start2
1⤵
- Executes dropped EXE
PID:4632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\pgpfaej\lwkahq.exe
Filesize
217KB

MD5
5cacf2b43b8d5578156df066f2181117

SHA1
7e4e1385713db3e859bdd5ad6b503e7013b37796

SHA256
7d17668ad7a09802bbf39bd76093ddb9658d74cffaefc3528463b77573802728

SHA512
c7a1e2fafc31d2ce366f5130d28835afdb88f9298fede4121c812f2d5222ff8d855f31e11e54b5b44fbc1d376e16103f0a04794baac62618c72f00aaef6a8142

Download Submit
C:\ProgramData\pgpfaej\lwkahq.exe
Filesize
217KB

MD5
5cacf2b43b8d5578156df066f2181117

SHA1
7e4e1385713db3e859bdd5ad6b503e7013b37796

SHA256
7d17668ad7a09802bbf39bd76093ddb9658d74cffaefc3528463b77573802728

SHA512
c7a1e2fafc31d2ce366f5130d28835afdb88f9298fede4121c812f2d5222ff8d855f31e11e54b5b44fbc1d376e16103f0a04794baac62618c72f00aaef6a8142

Download Submit
memory/632-132-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/632-133-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/632-134-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/632-135-0x0000000002270000-0x00000000022A4000-memory.dmp

Filesize
208KB

Download
memory/632-142-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4632-138-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4632-139-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4632-140-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4632-141-0x0000000002730000-0x0000000002764000-memory.dmp

Filesize
208KB

Download
memory/4632-143-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download