systembc | 2866a252b6007fe9487d85b87ed23f6dddaf2f4f8ccc82328212985bfc6dd5d5

Analysis

Target

ef135e02cd07e94c493061950ea99a3e.exe
Size

524KB
MD5

ef135e02cd07e94c493061950ea99a3e
SHA1

1b0cbec8bc066ebe12ab6a66e8e8901c2024bf03
SHA256

2866a252b6007fe9487d85b87ed23f6dddaf2f4f8ccc82328212985bfc6dd5d5
SHA512

3654bffbf3dcecd629fda6e5c1fb1b5d41c814ed321633d8beba964341009c7be47bbccbac137e79f6a694b3dc05a18f529b5f7e0305899760a1d5e4a3c94ec3

Score

10^/10

systembc trojan

Family

systembc

88.198.147.80:4174

78.47.64.46:4174

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Drops file in Windows directory 3 IoCs

Processes:

ef135e02cd07e94c493061950ea99a3e.exeef135e02cd07e94c493061950ea99a3e.exe

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	ef135e02cd07e94c493061950ea99a3e.exe
File opened for modification	C:\Windows\Tasks\wow64.job	ef135e02cd07e94c493061950ea99a3e.exe
File created	C:\Windows\Tasks\trtscknvaijtwgjruef.job	ef135e02cd07e94c493061950ea99a3e.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1700 wrote to memory of 824	1700	taskeng.exe	ef135e02cd07e94c493061950ea99a3e.exe
PID 1700 wrote to memory of 824	1700	taskeng.exe	ef135e02cd07e94c493061950ea99a3e.exe
PID 1700 wrote to memory of 824	1700	taskeng.exe	ef135e02cd07e94c493061950ea99a3e.exe
PID 1700 wrote to memory of 824	1700	taskeng.exe	ef135e02cd07e94c493061950ea99a3e.exe

C:\Users\Admin\AppData\Local\Temp\ef135e02cd07e94c493061950ea99a3e.exe
"C:\Users\Admin\AppData\Local\Temp\ef135e02cd07e94c493061950ea99a3e.exe"
1⤵
- Drops file in Windows directory
PID:540

C:\Windows\system32\taskeng.exe
taskeng.exe {4F961541-B8E6-4652-AFE2-DE4D9B81C850} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1700

C:\Users\Admin\AppData\Local\Temp\ef135e02cd07e94c493061950ea99a3e.exe
C:\Users\Admin\AppData\Local\Temp\ef135e02cd07e94c493061950ea99a3e.exe start
2⤵
- Drops file in Windows directory
PID:824

memory/540-60-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/540-62-0x0000000000380000-0x0000000000385000-memory.dmp

Filesize
20KB

Download
memory/540-61-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/540-63-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/824-64-0x0000000000000000-mapping.dmp

Download
memory/824-66-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/824-68-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download