systembc | b9c6bfa4ad09302620dfe9c7edf398cb3a6249c7cdd8d9be61395d857083a3c3

Analysis

Target

9f2cc4d1d0c599bab186692c518d3193.exe
Size

780KB
MD5

9f2cc4d1d0c599bab186692c518d3193
SHA1

968c9f9a7829c77d8d9553accb9dbd9ead717386
SHA256

b9c6bfa4ad09302620dfe9c7edf398cb3a6249c7cdd8d9be61395d857083a3c3
SHA512

aca1f7c734652dc537e3c2cb5204dc7e682a28d9941e870a7bfba964a7236fc1219537ae3558017e9e48dd6a016fb342f1ae2aa4d84e41f619200d5e4900f159

Score

10^/10

systembc trojan

Family

systembc

185.215.113.32:4000

78.47.64.46:4000

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Drops file in Windows directory 2 IoCs

Processes:

9f2cc4d1d0c599bab186692c518d3193.exe

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	9f2cc4d1d0c599bab186692c518d3193.exe
File opened for modification	C:\Windows\Tasks\wow64.job	9f2cc4d1d0c599bab186692c518d3193.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1756 wrote to memory of 904	1756	taskeng.exe	9f2cc4d1d0c599bab186692c518d3193.exe
PID 1756 wrote to memory of 904	1756	taskeng.exe	9f2cc4d1d0c599bab186692c518d3193.exe
PID 1756 wrote to memory of 904	1756	taskeng.exe	9f2cc4d1d0c599bab186692c518d3193.exe
PID 1756 wrote to memory of 904	1756	taskeng.exe	9f2cc4d1d0c599bab186692c518d3193.exe

C:\Users\Admin\AppData\Local\Temp\9f2cc4d1d0c599bab186692c518d3193.exe
"C:\Users\Admin\AppData\Local\Temp\9f2cc4d1d0c599bab186692c518d3193.exe"
1⤵
- Drops file in Windows directory
PID:2004

C:\Windows\system32\taskeng.exe
taskeng.exe {2896C1B3-4495-4656-B8FE-B2994E9F3AFD} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Local\Temp\9f2cc4d1d0c599bab186692c518d3193.exe
  C:\Users\Admin\AppData\Local\Temp\9f2cc4d1d0c599bab186692c518d3193.exe start
  2⤵
  PID:904

memory/904-64-0x0000000000000000-mapping.dmp

Download
memory/904-68-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2004-60-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/2004-62-0x00000000003C0000-0x00000000003C5000-memory.dmp

Filesize
20KB

Download
memory/2004-63-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2004-61-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download