systembc | c1d31fa7484170247564e89c97cc325d1f317fb8c8efe50e4d126c7881adf499

Analysis

Target

c1d31fa7484170247564e89c97cc325d1f317fb8c8efe50e4d126c7881adf499.exe
Size

259KB
MD5

1f4928730be377f7affb80c3f5305883
SHA1

50b760064a237f123f0f06a846b78cf58713cad1
SHA256

c1d31fa7484170247564e89c97cc325d1f317fb8c8efe50e4d126c7881adf499
SHA512

58ecec71935ab0c490d1011da04aba3d694443b67c576421e6a9e4dc615a5f43b6ee84e2d9a3a48c2895fe28b94955604c2080de290b13ecc086127e5f4dfa54

Score

10^/10

systembc trojan

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

chtugc.exe

pid process

1504 chtugc.exe

pid	process
1504	chtugc.exe

Drops file in Windows directory 2 IoCs

Processes:

c1d31fa7484170247564e89c97cc325d1f317fb8c8efe50e4d126c7881adf499.exe

description	ioc	process
File created	C:\Windows\Tasks\chtugc.job	c1d31fa7484170247564e89c97cc325d1f317fb8c8efe50e4d126c7881adf499.exe
File opened for modification	C:\Windows\Tasks\chtugc.job	c1d31fa7484170247564e89c97cc325d1f317fb8c8efe50e4d126c7881adf499.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1224 wrote to memory of 1504	1224	taskeng.exe	chtugc.exe
PID 1224 wrote to memory of 1504	1224	taskeng.exe	chtugc.exe
PID 1224 wrote to memory of 1504	1224	taskeng.exe	chtugc.exe
PID 1224 wrote to memory of 1504	1224	taskeng.exe	chtugc.exe

C:\Users\Admin\AppData\Local\Temp\c1d31fa7484170247564e89c97cc325d1f317fb8c8efe50e4d126c7881adf499.exe
"C:\Users\Admin\AppData\Local\Temp\c1d31fa7484170247564e89c97cc325d1f317fb8c8efe50e4d126c7881adf499.exe"
1⤵
- Drops file in Windows directory
PID:748

C:\Windows\system32\taskeng.exe
taskeng.exe {F8305F25-EF87-4C8F-BB11-47EA250FEF4D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\ProgramData\rghi\chtugc.exe
C:\ProgramData\rghi\chtugc.exe start
2⤵
- Executes dropped EXE
PID:1504

C:\ProgramData\rghi\chtugc.exe
MD5
1f4928730be377f7affb80c3f5305883

SHA1
50b760064a237f123f0f06a846b78cf58713cad1

SHA256
c1d31fa7484170247564e89c97cc325d1f317fb8c8efe50e4d126c7881adf499

SHA512
58ecec71935ab0c490d1011da04aba3d694443b67c576421e6a9e4dc615a5f43b6ee84e2d9a3a48c2895fe28b94955604c2080de290b13ecc086127e5f4dfa54

Download Submit
C:\ProgramData\rghi\chtugc.exe
MD5
1f4928730be377f7affb80c3f5305883

SHA1
50b760064a237f123f0f06a846b78cf58713cad1

SHA256
c1d31fa7484170247564e89c97cc325d1f317fb8c8efe50e4d126c7881adf499

SHA512
58ecec71935ab0c490d1011da04aba3d694443b67c576421e6a9e4dc615a5f43b6ee84e2d9a3a48c2895fe28b94955604c2080de290b13ecc086127e5f4dfa54

Download Submit
memory/1504-3-0x0000000000000000-mapping.dmp

Download