systembc | 195fa07b1f6fc1c8d4fab943f3b795beeb8cf44495e6e1cedfe0acbeb8a033a1

Analysis

Target

195fa07b1f6fc1c8d4fab943f3b795beeb8cf44495e6e1cedfe0acbeb8a033a1.bin.exe
Size

30KB
MD5

9e59c1246f4cb952549c2d12f32208cd
SHA1

6412f4e284a1d5fb720f4e1a9d1e08b5bf7a9e5d
SHA256

195fa07b1f6fc1c8d4fab943f3b795beeb8cf44495e6e1cedfe0acbeb8a033a1
SHA512

2bbdc436a10792aeda2773466c08f919864c23e1503a8964b10990bd16a45054e0ed179d07872959a1eb6552a14a8f730ac6c44f9278057e732ee08c6e3ec494

Score

10^/10

systembc trojan

Family

systembc

104.217.8.100:5050

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

hwiis.exe

pid process

1344 hwiis.exe

pid	process
1344	hwiis.exe

Drops file in Windows directory 2 IoCs

Processes:

195fa07b1f6fc1c8d4fab943f3b795beeb8cf44495e6e1cedfe0acbeb8a033a1.bin.exe

description	ioc	process
File created	C:\Windows\Tasks\hwiis.job	195fa07b1f6fc1c8d4fab943f3b795beeb8cf44495e6e1cedfe0acbeb8a033a1.bin.exe
File opened for modification	C:\Windows\Tasks\hwiis.job	195fa07b1f6fc1c8d4fab943f3b795beeb8cf44495e6e1cedfe0acbeb8a033a1.bin.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

195fa07b1f6fc1c8d4fab943f3b795beeb8cf44495e6e1cedfe0acbeb8a033a1.bin.exe

pid process

1064 195fa07b1f6fc1c8d4fab943f3b795beeb8cf44495e6e1cedfe0acbeb8a033a1.bin.exe

pid	process
1064	195fa07b1f6fc1c8d4fab943f3b795beeb8cf44495e6e1cedfe0acbeb8a033a1.bin.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1660 wrote to memory of 1344	1660	taskeng.exe	hwiis.exe
PID 1660 wrote to memory of 1344	1660	taskeng.exe	hwiis.exe
PID 1660 wrote to memory of 1344	1660	taskeng.exe	hwiis.exe
PID 1660 wrote to memory of 1344	1660	taskeng.exe	hwiis.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {BF4336EE-B5B0-4B77-A5CF-0E33DD4A9EF4} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\ProgramData\kgiapg\hwiis.exe
C:\ProgramData\kgiapg\hwiis.exe start
2⤵
- Executes dropped EXE
PID:1344

C:\ProgramData\kgiapg\hwiis.exe
MD5
9e59c1246f4cb952549c2d12f32208cd

SHA1
6412f4e284a1d5fb720f4e1a9d1e08b5bf7a9e5d

SHA256
195fa07b1f6fc1c8d4fab943f3b795beeb8cf44495e6e1cedfe0acbeb8a033a1

SHA512
2bbdc436a10792aeda2773466c08f919864c23e1503a8964b10990bd16a45054e0ed179d07872959a1eb6552a14a8f730ac6c44f9278057e732ee08c6e3ec494

Download Submit
C:\ProgramData\kgiapg\hwiis.exe
MD5
9e59c1246f4cb952549c2d12f32208cd

SHA1
6412f4e284a1d5fb720f4e1a9d1e08b5bf7a9e5d

SHA256
195fa07b1f6fc1c8d4fab943f3b795beeb8cf44495e6e1cedfe0acbeb8a033a1

SHA512
2bbdc436a10792aeda2773466c08f919864c23e1503a8964b10990bd16a45054e0ed179d07872959a1eb6552a14a8f730ac6c44f9278057e732ee08c6e3ec494

Download Submit
memory/1064-2-0x0000000076101000-0x0000000076103000-memory.dmp

Filesize
8KB

Download
memory/1344-4-0x0000000000000000-mapping.dmp

Download