systembc | e2c8838fb5069229c2b558dce910f6c656fb94cac1dc96cb31f920ce8e72a30e

Analysis

Target

eufive_20210826-113041.exe
Size

274KB
MD5

41d0be78075317aa1e18fb4fc4b4acf7
SHA1

eafbe46f2b0b403d55f2b9910381e765ebdcbcbf
SHA256

e2c8838fb5069229c2b558dce910f6c656fb94cac1dc96cb31f920ce8e72a30e
SHA512

10bee0ae29e007e1e65ecfc8f639615948a6f891e5e160bf6f57c1ebe8802527999252544dfa704e08466c7b1b6aec304dd0d9e209b427556a461bd06d87455c

Score

10^/10

systembc trojan

Family

systembc

31337.hk:4110

31337r.hk:4110

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

ppdonn.exe

pid process

1676 ppdonn.exe

pid	process
1676	ppdonn.exe

Drops file in Windows directory 2 IoCs

Processes:

eufive_20210826-113041.exe

description	ioc	process
File created	C:\Windows\Tasks\ppdonn.job	eufive_20210826-113041.exe
File opened for modification	C:\Windows\Tasks\ppdonn.job	eufive_20210826-113041.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1568 wrote to memory of 1676	1568	taskeng.exe	ppdonn.exe
PID 1568 wrote to memory of 1676	1568	taskeng.exe	ppdonn.exe
PID 1568 wrote to memory of 1676	1568	taskeng.exe	ppdonn.exe
PID 1568 wrote to memory of 1676	1568	taskeng.exe	ppdonn.exe

C:\Users\Admin\AppData\Local\Temp\eufive_20210826-113041.exe
"C:\Users\Admin\AppData\Local\Temp\eufive_20210826-113041.exe"
1⤵
- Drops file in Windows directory
PID:1072

C:\Windows\system32\taskeng.exe
taskeng.exe {97B34DCB-8F8C-4A14-864D-C8427ACEE3E7} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1568
- C:\ProgramData\rtdbgc\ppdonn.exe
  C:\ProgramData\rtdbgc\ppdonn.exe start
  2⤵
  - Executes dropped EXE
  PID:1676

C:\ProgramData\rtdbgc\ppdonn.exe

MD5
41d0be78075317aa1e18fb4fc4b4acf7

SHA1
eafbe46f2b0b403d55f2b9910381e765ebdcbcbf

SHA256
e2c8838fb5069229c2b558dce910f6c656fb94cac1dc96cb31f920ce8e72a30e

SHA512
10bee0ae29e007e1e65ecfc8f639615948a6f891e5e160bf6f57c1ebe8802527999252544dfa704e08466c7b1b6aec304dd0d9e209b427556a461bd06d87455c

Download Submit
C:\ProgramData\rtdbgc\ppdonn.exe

MD5
41d0be78075317aa1e18fb4fc4b4acf7

SHA1
eafbe46f2b0b403d55f2b9910381e765ebdcbcbf

SHA256
e2c8838fb5069229c2b558dce910f6c656fb94cac1dc96cb31f920ce8e72a30e

SHA512
10bee0ae29e007e1e65ecfc8f639615948a6f891e5e160bf6f57c1ebe8802527999252544dfa704e08466c7b1b6aec304dd0d9e209b427556a461bd06d87455c

Download Submit
memory/1072-60-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1072-61-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download
memory/1072-62-0x0000000000400000-0x00000000023AE000-memory.dmp

Filesize
31.7MB

Download
memory/1676-64-0x0000000000000000-mapping.dmp

Download
memory/1676-67-0x0000000000400000-0x00000000023AE000-memory.dmp

Filesize
31.7MB

Download