systembc | d5ea30279fc37436f63d3c6275aad6a2c8abdcd32e10888200fae3e986cb9626

Analysis

Target

e80b306acc8e716d906cdc517b64ca36.exe
Size

957KB
MD5

e80b306acc8e716d906cdc517b64ca36
SHA1

1955a7d549d010698ae87411655027b95ad806ce
SHA256

d5ea30279fc37436f63d3c6275aad6a2c8abdcd32e10888200fae3e986cb9626
SHA512

a454be1f398986791783193354657218e07d50c957144b79ccbd861a1989ed297fead21081e759ba4999ecef81b1ab2a5095bc1c1aa4b88179cd4d9a85a6c398

Score

10^/10

systembc trojan

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

gwadugt.exe

pid process

792 gwadugt.exe

pid	process
792	gwadugt.exe

Drops file in Windows directory 2 IoCs

Processes:

e80b306acc8e716d906cdc517b64ca36.exe

description	ioc	process
File created	C:\Windows\Tasks\gwadugt.job	e80b306acc8e716d906cdc517b64ca36.exe
File opened for modification	C:\Windows\Tasks\gwadugt.job	e80b306acc8e716d906cdc517b64ca36.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1592 wrote to memory of 792	1592	taskeng.exe	gwadugt.exe
PID 1592 wrote to memory of 792	1592	taskeng.exe	gwadugt.exe
PID 1592 wrote to memory of 792	1592	taskeng.exe	gwadugt.exe
PID 1592 wrote to memory of 792	1592	taskeng.exe	gwadugt.exe

C:\Users\Admin\AppData\Local\Temp\e80b306acc8e716d906cdc517b64ca36.exe
"C:\Users\Admin\AppData\Local\Temp\e80b306acc8e716d906cdc517b64ca36.exe"
1⤵
- Drops file in Windows directory
PID:1680

C:\Windows\system32\taskeng.exe
taskeng.exe {03D1C81F-27DE-4EBD-8EB7-ED064745AF61} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1592
- C:\ProgramData\ewkjjil\gwadugt.exe
  C:\ProgramData\ewkjjil\gwadugt.exe start
  2⤵
  - Executes dropped EXE
  PID:792

C:\ProgramData\ewkjjil\gwadugt.exe

MD5
e80b306acc8e716d906cdc517b64ca36

SHA1
1955a7d549d010698ae87411655027b95ad806ce

SHA256
d5ea30279fc37436f63d3c6275aad6a2c8abdcd32e10888200fae3e986cb9626

SHA512
a454be1f398986791783193354657218e07d50c957144b79ccbd861a1989ed297fead21081e759ba4999ecef81b1ab2a5095bc1c1aa4b88179cd4d9a85a6c398

Download Submit
C:\ProgramData\ewkjjil\gwadugt.exe

MD5
e80b306acc8e716d906cdc517b64ca36

SHA1
1955a7d549d010698ae87411655027b95ad806ce

SHA256
d5ea30279fc37436f63d3c6275aad6a2c8abdcd32e10888200fae3e986cb9626

SHA512
a454be1f398986791783193354657218e07d50c957144b79ccbd861a1989ed297fead21081e759ba4999ecef81b1ab2a5095bc1c1aa4b88179cd4d9a85a6c398

Download Submit
memory/792-3-0x0000000000000000-mapping.dmp

Download