systembc | c81c687949db0da1f1024238e01723a1145c5396e55bf81b5c154587b900ac4d

Analysis

Target

04017134f0091367122edfcb361e6295.exe
Size

718KB
MD5

04017134f0091367122edfcb361e6295
SHA1

9b07524703418b5ebb053226caf456e76839cd20
SHA256

c81c687949db0da1f1024238e01723a1145c5396e55bf81b5c154587b900ac4d
SHA512

8289a307a02d0b49e1deb5818deafd05186da270a38844901c0d18069c486335f28f4837392aad385467ea43af22bd0a35250abeefeba5e3f79509273e58516a

Score

10^/10

systembc trojan

Family

systembc

185.215.113.32:4000

78.47.64.46:4000

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Drops file in Windows directory 2 IoCs

Processes:

04017134f0091367122edfcb361e6295.exe

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	04017134f0091367122edfcb361e6295.exe
File opened for modification	C:\Windows\Tasks\wow64.job	04017134f0091367122edfcb361e6295.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1732 wrote to memory of 1644	1732	taskeng.exe	04017134f0091367122edfcb361e6295.exe
PID 1732 wrote to memory of 1644	1732	taskeng.exe	04017134f0091367122edfcb361e6295.exe
PID 1732 wrote to memory of 1644	1732	taskeng.exe	04017134f0091367122edfcb361e6295.exe
PID 1732 wrote to memory of 1644	1732	taskeng.exe	04017134f0091367122edfcb361e6295.exe

C:\Users\Admin\AppData\Local\Temp\04017134f0091367122edfcb361e6295.exe
"C:\Users\Admin\AppData\Local\Temp\04017134f0091367122edfcb361e6295.exe"
1⤵
- Drops file in Windows directory
PID:1052

C:\Windows\system32\taskeng.exe
taskeng.exe {ABFCC2A3-4BC8-476D-9F40-10CB7A671E67} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\04017134f0091367122edfcb361e6295.exe
  C:\Users\Admin\AppData\Local\Temp\04017134f0091367122edfcb361e6295.exe start
  2⤵
  PID:1644

memory/1052-60-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1052-61-0x0000000074D91000-0x0000000074D93000-memory.dmp

Filesize
8KB

Download
memory/1052-62-0x0000000000280000-0x0000000000285000-memory.dmp

Filesize
20KB

Download
memory/1052-63-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1644-64-0x0000000000000000-mapping.dmp

Download
memory/1644-68-0x0000000000400000-0x00000000004B9000-memory.dmp

Filesize
740KB

Download
memory/1644-66-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download