systembc | d5ea30279fc37436f63d3c6275aad6a2c8abdcd32e10888200fae3e986cb9626 | Triage

Analysis

max time kernel
142s
max time network
145s
platform
windows7_x64
resource
win7v20201028
submitted
01/12/2020, 08:55

Sharing

Report Analysis Logs

General

Target

e80b306acc8e716d906cdc517b64ca36.exe
Size

957KB
MD5

e80b306acc8e716d906cdc517b64ca36
SHA1

1955a7d549d010698ae87411655027b95ad806ce
SHA256

d5ea30279fc37436f63d3c6275aad6a2c8abdcd32e10888200fae3e986cb9626
SHA512

a454be1f398986791783193354657218e07d50c957144b79ccbd861a1989ed297fead21081e759ba4999ecef81b1ab2a5095bc1c1aa4b88179cd4d9a85a6c398

Score

10^/10

systembc trojan

Malware Config

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Executes dropped EXE 1 IoCs

pid	Process
792	gwadugt.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\gwadugt.job	e80b306acc8e716d906cdc517b64ca36.exe
File opened for modification	C:\Windows\Tasks\gwadugt.job	e80b306acc8e716d906cdc517b64ca36.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 792	1592	taskeng.exe	30
PID 1592 wrote to memory of 792	1592	taskeng.exe	30
PID 1592 wrote to memory of 792	1592	taskeng.exe	30
PID 1592 wrote to memory of 792	1592	taskeng.exe	30

C:\Users\Admin\AppData\Local\Temp\e80b306acc8e716d906cdc517b64ca36.exe
"C:\Users\Admin\AppData\Local\Temp\e80b306acc8e716d906cdc517b64ca36.exe"
1⤵
- Drops file in Windows directory
PID:1680

C:\Windows\system32\taskeng.exe
taskeng.exe {03D1C81F-27DE-4EBD-8EB7-ED064745AF61} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1592
- C:\ProgramData\ewkjjil\gwadugt.exe
  C:\ProgramData\ewkjjil\gwadugt.exe start
  2⤵
  - Executes dropped EXE
  PID:792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads