systembc | 902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff

Resubmissions

Analysis

max time kernel
145s
max time network
145s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04-06-2024 15:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lrthijawd.exe
Size

898KB
MD5

1b1ecd323162c054864b63ada693cd71
SHA1

333a67545a5d1aad4d73a3501f7152b4529b6b3e
SHA256

902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff
SHA512

f1776b6a457108f10ca940ce02ce98b73404f5cf18fccee4977024cfaf74d7f48666d4da9be1bee27531525e276cb8cfadba39b0c81e0fd8cbe42f7672f45b71
SSDEEP

24576:juDXTIGaPhEYzUzA0amuDXTIGaPhEYzUzA0bnl:KDjlabwz9aDjlabwz9rl

Score

10^/10

systembc trojan

Malware Config

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Executes dropped EXE 27 IoCs

Processes:

work.exejergs.exedjsmwb.exedjsmwb.exedjsmwb.exemxbpe.exework.exework.exejergs.exelqwe.exejergs.exejergs.exework.exejergs.exework.exejergs.exework.exejergs.exework.exejergs.exework.exejergs.exework.exejergs.exegoxohaj.exegoxohaj.exegoxohaj.exe

pid	Process
2644	work.exe
2576	jergs.exe
2708	djsmwb.exe
2324	djsmwb.exe
1932	djsmwb.exe
2260	mxbpe.exe
2124	work.exe
888	work.exe
1560	jergs.exe
2756	lqwe.exe
2460	jergs.exe
2520	jergs.exe
2212	work.exe
2220	jergs.exe
2084	work.exe
2104	jergs.exe
2188	work.exe
1484	jergs.exe
2936	work.exe
2264	jergs.exe
1048	work.exe
2600	jergs.exe
1692	work.exe
1712	jergs.exe
1576	goxohaj.exe
716	goxohaj.exe
2732	goxohaj.exe

Loads dropped DLL 24 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

pid	Process
2540	cmd.exe
1204
1204
1204
1204
1204
1204
1204
1196	cmd.exe
2852	cmd.exe
1204
1204
1204
1204
1336	cmd.exe
1340	cmd.exe
2732	cmd.exe
3028	cmd.exe
2728	cmd.exe
2360	cmd.exe
1204
1204
1204
1204

Drops file in Windows directory 8 IoCs

Processes:

jergs.exedjsmwb.exejergs.exejergs.exe

description	ioc	Process
File created	C:\Windows\Tasks\djsmwb.job	jergs.exe
File opened for modification	C:\Windows\Tasks\djsmwb.job	jergs.exe
File created	C:\Windows\Tasks\mxbpe.job	djsmwb.exe
File opened for modification	C:\Windows\Tasks\mxbpe.job	djsmwb.exe
File created	C:\Windows\Tasks\lqwe.job	jergs.exe
File opened for modification	C:\Windows\Tasks\lqwe.job	jergs.exe
File created	C:\Windows\Tasks\goxohaj.job	jergs.exe
File opened for modification	C:\Windows\Tasks\goxohaj.job	jergs.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

goxohaj.exe

pid	Process
2732	goxohaj.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

jergs.exedjsmwb.exejergs.exejergs.exe

pid	Process
2576	jergs.exe
1932	djsmwb.exe
1560	jergs.exe
1712	jergs.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

work.exe

pid	Process
2124	work.exe
2124	work.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

lrthijawd.execmd.exework.exetaskeng.execmd.execmd.exelrthijawd.execmd.exework.exelrthijawd.execmd.exework.exelrthijawd.execmd.exework.exe

description	pid	Process	procid_target
PID 2792 wrote to memory of 2540	2792	lrthijawd.exe	28
PID 2792 wrote to memory of 2540	2792	lrthijawd.exe	28
PID 2792 wrote to memory of 2540	2792	lrthijawd.exe	28
PID 2540 wrote to memory of 2644	2540	cmd.exe	30
PID 2540 wrote to memory of 2644	2540	cmd.exe	30
PID 2540 wrote to memory of 2644	2540	cmd.exe	30
PID 2644 wrote to memory of 2576	2644	work.exe	31
PID 2644 wrote to memory of 2576	2644	work.exe	31
PID 2644 wrote to memory of 2576	2644	work.exe	31
PID 2644 wrote to memory of 2576	2644	work.exe	31
PID 2704 wrote to memory of 2708	2704	taskeng.exe	35
PID 2704 wrote to memory of 2708	2704	taskeng.exe	35
PID 2704 wrote to memory of 2708	2704	taskeng.exe	35
PID 2704 wrote to memory of 2708	2704	taskeng.exe	35
PID 2704 wrote to memory of 2260	2704	taskeng.exe	41
PID 2704 wrote to memory of 2260	2704	taskeng.exe	41
PID 2704 wrote to memory of 2260	2704	taskeng.exe	41
PID 2704 wrote to memory of 2260	2704	taskeng.exe	41
PID 1196 wrote to memory of 2124	1196	cmd.exe	47
PID 1196 wrote to memory of 2124	1196	cmd.exe	47
PID 1196 wrote to memory of 2124	1196	cmd.exe	47
PID 1308 wrote to memory of 1012	1308	cmd.exe	50
PID 1308 wrote to memory of 1012	1308	cmd.exe	50
PID 1308 wrote to memory of 1012	1308	cmd.exe	50
PID 1012 wrote to memory of 2852	1012	lrthijawd.exe	51
PID 1012 wrote to memory of 2852	1012	lrthijawd.exe	51
PID 1012 wrote to memory of 2852	1012	lrthijawd.exe	51
PID 2852 wrote to memory of 888	2852	cmd.exe	53
PID 2852 wrote to memory of 888	2852	cmd.exe	53
PID 2852 wrote to memory of 888	2852	cmd.exe	53
PID 888 wrote to memory of 1560	888	work.exe	54
PID 888 wrote to memory of 1560	888	work.exe	54
PID 888 wrote to memory of 1560	888	work.exe	54
PID 888 wrote to memory of 1560	888	work.exe	54
PID 2704 wrote to memory of 2756	2704	taskeng.exe	56
PID 2704 wrote to memory of 2756	2704	taskeng.exe	56
PID 2704 wrote to memory of 2756	2704	taskeng.exe	56
PID 2704 wrote to memory of 2756	2704	taskeng.exe	56
PID 1308 wrote to memory of 2440	1308	cmd.exe	59
PID 1308 wrote to memory of 2440	1308	cmd.exe	59
PID 1308 wrote to memory of 2440	1308	cmd.exe	59
PID 2440 wrote to memory of 1336	2440	lrthijawd.exe	60
PID 2440 wrote to memory of 1336	2440	lrthijawd.exe	60
PID 2440 wrote to memory of 1336	2440	lrthijawd.exe	60
PID 1336 wrote to memory of 2212	1336	cmd.exe	62
PID 1336 wrote to memory of 2212	1336	cmd.exe	62
PID 1336 wrote to memory of 2212	1336	cmd.exe	62
PID 2212 wrote to memory of 2220	2212	work.exe	63
PID 2212 wrote to memory of 2220	2212	work.exe	63
PID 2212 wrote to memory of 2220	2212	work.exe	63
PID 2212 wrote to memory of 2220	2212	work.exe	63
PID 1308 wrote to memory of 2576	1308	cmd.exe	64
PID 1308 wrote to memory of 2576	1308	cmd.exe	64
PID 1308 wrote to memory of 2576	1308	cmd.exe	64
PID 2576 wrote to memory of 1340	2576	lrthijawd.exe	65
PID 2576 wrote to memory of 1340	2576	lrthijawd.exe	65
PID 2576 wrote to memory of 1340	2576	lrthijawd.exe	65
PID 1340 wrote to memory of 2084	1340	cmd.exe	67
PID 1340 wrote to memory of 2084	1340	cmd.exe	67
PID 1340 wrote to memory of 2084	1340	cmd.exe	67
PID 2084 wrote to memory of 2104	2084	work.exe	68
PID 2084 wrote to memory of 2104	2084	work.exe	68
PID 2084 wrote to memory of 2104	2084	work.exe	68
PID 2084 wrote to memory of 2104	2084	work.exe	68

C:\Users\Admin\AppData\Local\Temp\lrthijawd.exe
"C:\Users\Admin\AppData\Local\Temp\lrthijawd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
    work.exe -priverdD
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:2576

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2712

C:\Windows\system32\taskeng.exe
taskeng.exe {89F3E185-B376-48BC-A89E-4316874BB0BC} S-1-5-21-3452737119-3959686427-228443150-1000:QGTQZTRE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2704
- C:\ProgramData\bfgh\djsmwb.exe
  C:\ProgramData\bfgh\djsmwb.exe start2
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\ProgramData\feed\mxbpe.exe
  C:\ProgramData\feed\mxbpe.exe start2
  2⤵
  - Executes dropped EXE
  PID:2260
- C:\ProgramData\wmwfit\lqwe.exe
  C:\ProgramData\wmwfit\lqwe.exe start2
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\ProgramData\gpkfto\goxohaj.exe
  C:\ProgramData\gpkfto\goxohaj.exe start2
  2⤵
  - Executes dropped EXE
  PID:1576

C:\ProgramData\bfgh\djsmwb.exe
"C:\ProgramData\bfgh\djsmwb.exe"
1⤵
- Executes dropped EXE
PID:2324

C:\ProgramData\bfgh\djsmwb.exe
"C:\ProgramData\bfgh\djsmwb.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1932

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1568

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
  work.exe -privD
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:2124

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Users\Admin\AppData\Local\Temp\lrthijawd.exe
  lrthijawd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1012
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\1.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX1\work.exe
      work.exe -priverdD
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:888
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\jergs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX2\jergs.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1560
- C:\Users\Admin\AppData\Local\Temp\lrthijawd.exe
  lrthijawd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX3\1.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX3\work.exe
      work.exe -priverdD
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2212
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX4\jergs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX4\jergs.exe"
        5⤵
        Executes dropped EXE
        
        PID:2220
- C:\Users\Admin\AppData\Local\Temp\lrthijawd.exe
  lrthijawd.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX2\1.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1340
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX2\work.exe
      work.exe -priverdD
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX5\jergs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX5\jergs.exe"
        5⤵
        Executes dropped EXE
        
        PID:2104
- C:\Users\Admin\AppData\Local\Temp\lrthijawd.exe
  lrthijawd.exe
  2⤵
  PID:2980
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX4\1.bat" "
    3⤵
    - Loads dropped DLL
    PID:2732
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX4\work.exe
      work.exe -priverdD
      4⤵
      Executes dropped EXE
      PID:2188
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX6\jergs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX6\jergs.exe"
        5⤵
        Executes dropped EXE
        
        PID:1484
- C:\Users\Admin\AppData\Local\Temp\lrthijawd.exe
  lrthijawd.exe
  2⤵
  PID:1036
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX5\1.bat" "
    3⤵
    - Loads dropped DLL
    PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX5\work.exe
      work.exe -priverdD
      4⤵
      Executes dropped EXE
      PID:2936
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX7\jergs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX7\jergs.exe"
        5⤵
        Executes dropped EXE
        
        PID:2264
- C:\Users\Admin\AppData\Local\Temp\lrthijawd.exe
  lrthijawd.exe
  2⤵
  PID:796
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX6\1.bat" "
    3⤵
    - Loads dropped DLL
    PID:2728
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX6\work.exe
      work.exe -priverdD
      4⤵
      Executes dropped EXE
      PID:1048
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX8\jergs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX8\jergs.exe"
        5⤵
        Executes dropped EXE
        
        PID:2600
- C:\Users\Admin\AppData\Local\Temp\lrthijawd.exe
  lrthijawd.exe
  2⤵
  PID:2592
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX7\1.bat" "
    3⤵
    - Loads dropped DLL
    PID:2360
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX7\work.exe
      work.exe -priverdD
      4⤵
      Executes dropped EXE
      PID:1692
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX9\jergs.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX9\jergs.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1712

C:\Users\Admin\AppData\Local\Temp\RarSFX2\jergs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\jergs.exe"
1⤵
- Executes dropped EXE
PID:2460

C:\Users\Admin\AppData\Local\Temp\RarSFX2\jergs.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX2\jergs.exe"
1⤵
- Executes dropped EXE
PID:2520

C:\ProgramData\gpkfto\goxohaj.exe
"C:\ProgramData\gpkfto\goxohaj.exe"
1⤵
- Executes dropped EXE
PID:716

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:2828
- C:\ProgramData\gpkfto\goxohaj.exe
  goxohaj.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe

Filesize
453KB

MD5
405b7fbe8c0ed98620064f0cd80f24c4

SHA1
bb9e45038e8a9f7b7cd0db62858ac65c74b74821

SHA256
9dd8267e66dc584eecb3bece47e826d3189e41077f4083acdfc9a4f623b9c187

SHA512
3dd4c407f6c2250d20c005e816e80ad442bb07f84ab02e25951331808fb4229219f9fddbcf1ac2e6d70985e3077a6401905f18a8b2c633e9d0a8b9cc6971b61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe

Filesize
16KB

MD5
c661a77c31f83c413a96b5537ad31989

SHA1
8a5a47e39a9efa9dc4de447d2ae4cd5e375e3557

SHA256
cc5bb638cb34cbd386a906b7708eb62e05e3fc991a20bd060e1d84f722d29ff1

SHA512
b86e45d36d8566b51f932f660ee9c3d79cea1a2eb34a9f7da7b2ccc5e50c74f319e8005e43d719c5722ec148ddddf1351a7f9edc430888e572b3884d1610b1aa

Download Submit
C:\Windows\Tasks\djsmwb.job

Filesize
230B

MD5
ffb51f81a2b3e23818b5c62b592228e9

SHA1
74efd38ce98cc775a2361f41c1e11a4e2a3d6531

SHA256
b4fbb12b73d0d75d0faf0f3ad97ed85d11dfbad51af0445a6596dd00c1500b32

SHA512
526900bc7d7b82e03b626bfffa4487879d7fb188c2331ee6c329806fb04301e34dc6f20888e677a187a410312727852bbdcd2344cf963f1fb25f1092ac452591

Download Submit
C:\Windows\Tasks\lqwe.job

Filesize
230B

MD5
99af5d7ce6365c9449ca2ca26b578909

SHA1
07a0ad441b842f395bb6b2974748a4500141cdfb

SHA256
e9ffcdd7be2dcd6ff5b9a6a0fbf75031bb053caaa9502d6d0dafa26a42acac6b

SHA512
07297b071c4f3110103b9e4013445ccc31c749ddb90e575735bbc9c0e830fbeaecaac13f452618095aa96e6cf30b4606ad1b7ae153a91efa6cff24fc7446f29b

Download Submit
C:\Windows\Tasks\mxbpe.job

Filesize
228B

MD5
ff3fe606655699802ac3d01a9336e9ad

SHA1
185dfb92bc2fddf9fb3c9f2caf2248b9c90ce4bd

SHA256
d569a7ce8e61047c5a3b8d236a16cf4e944c14fb57b1ad9db15ce1f4745a84d9

SHA512
679246b99bada764cc35aba0e5774da5cc5c7bece5bb19f1b3e391702e7f935b67a81e2ada25969425ad3f46cdf3fc66e084f318859602e4151ce3c3c56c5b69

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit