systembc | 330690fd9d001e63f7aa537a28d326e7ffcd61d59ba140a637337ccad1cafb52

Analysis

Target

GetUserNames.EXE
Size

708KB
MD5

9b5faf228e2047d8d912e406f9a6eca3
SHA1

5aa586a0cd2edf8ddacaa72853a1eb80a50b975b
SHA256

330690fd9d001e63f7aa537a28d326e7ffcd61d59ba140a637337ccad1cafb52
SHA512

5684f2a0a9aedacd590eeb76fe8812f08722af76df70fb6698ebf06f0a3db700a3049af26ea76bbc88900c4b109e4bfc19d4c7405497269a609a7c5c2354ac92

Score

10^/10

Family

systembc

78.141.210.78:443

45.141.87.60:443

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Dave packer 1 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

Processes:

resource	yara_rule
behavioral1/memory/1108-5-0x00000000001D0000-0x00000000001D6000-memory.dmp	dave

Drops file in Windows directory 2 IoCs

Processes:

GetUserNames.EXE

description ioc process

File created C:\Windows\Tasks\wow64.job GetUserNames.EXE
File opened for modification C:\Windows\Tasks\wow64.job GetUserNames.EXE
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

GetUserNames.EXEGetUserNames.EXE

pid process

1108 GetUserNames.EXE
1108 GetUserNames.EXE
1756 GetUserNames.EXE
1756 GetUserNames.EXE

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	GetUserNames.EXE
File opened for modification	C:\Windows\Tasks\wow64.job	GetUserNames.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1776 wrote to memory of 1756	1776	taskeng.exe	GetUserNames.EXE
PID 1776 wrote to memory of 1756	1776	taskeng.exe	GetUserNames.EXE
PID 1776 wrote to memory of 1756	1776	taskeng.exe	GetUserNames.EXE
PID 1776 wrote to memory of 1756	1776	taskeng.exe	GetUserNames.EXE

C:\Windows\system32\taskeng.exe
taskeng.exe {C2983E2A-E9E1-42D6-9EC0-4121F66EF442} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1776
- C:\Users\Admin\AppData\Local\Temp\GetUserNames.EXE
  C:\Users\Admin\AppData\Local\Temp\GetUserNames.EXE start
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1756

memory/1108-2-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/1108-3-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/1108-4-0x00000000001F0000-0x00000000001F7000-memory.dmp

Filesize
28KB

Download
memory/1108-5-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/1756-6-0x0000000000000000-mapping.dmp

Download
memory/1756-8-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/1756-9-0x00000000004C0000-0x00000000004C7000-memory.dmp

Filesize
28KB

Download