systembc | 330690fd9d001e63f7aa537a28d326e7ffcd61d59ba140a637337ccad1cafb52

Analysis

Target

dwe.exe
Size

708KB
MD5

9b5faf228e2047d8d912e406f9a6eca3
SHA1

5aa586a0cd2edf8ddacaa72853a1eb80a50b975b
SHA256

330690fd9d001e63f7aa537a28d326e7ffcd61d59ba140a637337ccad1cafb52
SHA512

5684f2a0a9aedacd590eeb76fe8812f08722af76df70fb6698ebf06f0a3db700a3049af26ea76bbc88900c4b109e4bfc19d4c7405497269a609a7c5c2354ac92

Score

10^/10

Family

systembc

78.141.210.78:443

45.141.87.60:443

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

Processes:

resource	yara_rule
behavioral1/memory/1432-5-0x0000000000240000-0x0000000000246000-memory.dmp	dave

Drops file in Windows directory 2 IoCs

Processes:

dwe.exe

description ioc process

File created C:\Windows\Tasks\wow64.job dwe.exe
File opened for modification C:\Windows\Tasks\wow64.job dwe.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

dwe.exedwe.exe

pid process

1432 dwe.exe
1432 dwe.exe
1860 dwe.exe
1860 dwe.exe

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	dwe.exe
File opened for modification	C:\Windows\Tasks\wow64.job	dwe.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1836 wrote to memory of 1860	1836	taskeng.exe	dwe.exe
PID 1836 wrote to memory of 1860	1836	taskeng.exe	dwe.exe
PID 1836 wrote to memory of 1860	1836	taskeng.exe	dwe.exe
PID 1836 wrote to memory of 1860	1836	taskeng.exe	dwe.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {D4B49C4F-456D-456D-A0E6-38D0078F4ADD} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\AppData\Local\Temp\dwe.exe
C:\Users\Admin\AppData\Local\Temp\dwe.exe start
2⤵
- Suspicious use of SetWindowsHookEx
PID:1860

memory/1432-2-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download
memory/1432-3-0x00000000002D0000-0x00000000002D9000-memory.dmp

Filesize
36KB

Download
memory/1432-4-0x00000000002E0000-0x00000000002E7000-memory.dmp

Filesize
28KB

Download
memory/1432-5-0x0000000000240000-0x0000000000246000-memory.dmp

Filesize
24KB

Download
memory/1860-6-0x0000000000000000-mapping.dmp

Download
memory/1860-8-0x0000000000510000-0x0000000000519000-memory.dmp

Filesize
36KB

Download
memory/1860-9-0x0000000000520000-0x0000000000527000-memory.dmp

Filesize
28KB

Download