systembc | c9f396388822102ed458dacc4b059a46c69ba11cb8b0785b9fb2ce8285abeb42

Analysis

Target

25f45cc971d7ee1d763f69508676f1c2.exe
Size

780KB
MD5

25f45cc971d7ee1d763f69508676f1c2
SHA1

4049dbeb342a4f9f65c56591301e4993bdcbf889
SHA256

c9f396388822102ed458dacc4b059a46c69ba11cb8b0785b9fb2ce8285abeb42
SHA512

bb0210d17b79b1b9397c64db2833c52f3c49579e991823a2a9b473659da67d4fa484f6de4181f78ec85dcdf89fb5f4a2f1190ca96235c1dae11739de6c4a91a5

Score

10^/10

systembc trojan

Family

systembc

185.215.113.32:4000

78.47.64.46:4000

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Drops file in Windows directory 2 IoCs

Processes:

25f45cc971d7ee1d763f69508676f1c2.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\wow64.job	25f45cc971d7ee1d763f69508676f1c2.exe
File created	C:\Windows\Tasks\wow64.job	25f45cc971d7ee1d763f69508676f1c2.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1768 wrote to memory of 1760	1768	taskeng.exe	25f45cc971d7ee1d763f69508676f1c2.exe
PID 1768 wrote to memory of 1760	1768	taskeng.exe	25f45cc971d7ee1d763f69508676f1c2.exe
PID 1768 wrote to memory of 1760	1768	taskeng.exe	25f45cc971d7ee1d763f69508676f1c2.exe
PID 1768 wrote to memory of 1760	1768	taskeng.exe	25f45cc971d7ee1d763f69508676f1c2.exe

C:\Users\Admin\AppData\Local\Temp\25f45cc971d7ee1d763f69508676f1c2.exe
"C:\Users\Admin\AppData\Local\Temp\25f45cc971d7ee1d763f69508676f1c2.exe"
1⤵
- Drops file in Windows directory
PID:1420

C:\Windows\system32\taskeng.exe
taskeng.exe {E351CF6A-F2AA-4E7E-AA82-FBA0068DB522} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\25f45cc971d7ee1d763f69508676f1c2.exe
  C:\Users\Admin\AppData\Local\Temp\25f45cc971d7ee1d763f69508676f1c2.exe start
  2⤵
  PID:1760

memory/1420-59-0x0000000074FB1000-0x0000000074FB3000-memory.dmp

Filesize
8KB

Download
memory/1420-61-0x00000000003E0000-0x00000000003E5000-memory.dmp

Filesize
20KB

Download
memory/1420-60-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1420-62-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1760-63-0x0000000000000000-mapping.dmp

Download
memory/1760-65-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1760-67-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download