systembc | 9da99aa6d8ecde5212228db30e5ce4576ab78a7e8abb0dc04a9b7b99ca3237a2

Analysis

Target

a66e1fe634f16366d92177630ff2767d.exe
Size

515KB
MD5

a66e1fe634f16366d92177630ff2767d
SHA1

77e6a598044ca41a16f72d136a85caab3e4e9c2f
SHA256

9da99aa6d8ecde5212228db30e5ce4576ab78a7e8abb0dc04a9b7b99ca3237a2
SHA512

6c35703ff405c37a173dcba627848148be19e33961d8d71d06362a11ce076ff0891044c51f9694d6f0a4cfcf262994232c96b4102aac9b1fa14bf4188b155f6b

Score

10^/10

systembc trojan

Family

systembc

185.215.113.32:4000

78.47.64.46:4000

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Drops file in Windows directory 2 IoCs

Processes:

a66e1fe634f16366d92177630ff2767d.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\wow64.job	a66e1fe634f16366d92177630ff2767d.exe
File created	C:\Windows\Tasks\wow64.job	a66e1fe634f16366d92177630ff2767d.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1192 wrote to memory of 1584	1192	taskeng.exe	a66e1fe634f16366d92177630ff2767d.exe
PID 1192 wrote to memory of 1584	1192	taskeng.exe	a66e1fe634f16366d92177630ff2767d.exe
PID 1192 wrote to memory of 1584	1192	taskeng.exe	a66e1fe634f16366d92177630ff2767d.exe
PID 1192 wrote to memory of 1584	1192	taskeng.exe	a66e1fe634f16366d92177630ff2767d.exe

C:\Users\Admin\AppData\Local\Temp\a66e1fe634f16366d92177630ff2767d.exe
"C:\Users\Admin\AppData\Local\Temp\a66e1fe634f16366d92177630ff2767d.exe"
1⤵
- Drops file in Windows directory
PID:1092

C:\Windows\system32\taskeng.exe
taskeng.exe {69CCE3C6-528B-483A-B1C6-D7FFC99BB599} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\a66e1fe634f16366d92177630ff2767d.exe
C:\Users\Admin\AppData\Local\Temp\a66e1fe634f16366d92177630ff2767d.exe start
2⤵
PID:1584

memory/1092-59-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/1092-60-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1092-61-0x00000000003F0000-0x00000000003F5000-memory.dmp

Filesize
20KB

Download
memory/1092-62-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1584-63-0x0000000000000000-mapping.dmp

Download
memory/1584-65-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1584-67-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download