systembc | 98d7c67283bb7b7793a7b1fc6b9d6a0e0a1cfa87b0e1a5fd903cb7a23ce81d82

Analysis

Target

62b76c6b344a690944da5a9348059f55f60ceded8f526b6c424d0ff43f8b74e5.exe
Size

33KB
MD5

8363135b1c443a979ccc232d67c4db6e
SHA1

269208672fe7ea3a4d333fffb5ab4611d396053a
SHA256

62b76c6b344a690944da5a9348059f55f60ceded8f526b6c424d0ff43f8b74e5
SHA512

a8e395e77503d7e24145eec84ffd06c117482d378122d1748c60c4a3702d93174da6da87eafeb724e1a0776328ed45faf8c13d3fead476af6271e54028cf0fa7

Score

10^/10

systembc trojan

Family

systembc

websitetbox.com:4035

backupboxsite.com:4035

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

hwesa.exe

pid process

1724 hwesa.exe

pid	process
1724	hwesa.exe

Drops file in Windows directory 2 IoCs

Processes:

62b76c6b344a690944da5a9348059f55f60ceded8f526b6c424d0ff43f8b74e5.exe

description	ioc	process
File created	C:\Windows\Tasks\hwesa.job	62b76c6b344a690944da5a9348059f55f60ceded8f526b6c424d0ff43f8b74e5.exe
File opened for modification	C:\Windows\Tasks\hwesa.job	62b76c6b344a690944da5a9348059f55f60ceded8f526b6c424d0ff43f8b74e5.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

62b76c6b344a690944da5a9348059f55f60ceded8f526b6c424d0ff43f8b74e5.exe

pid process

1980 62b76c6b344a690944da5a9348059f55f60ceded8f526b6c424d0ff43f8b74e5.exe

pid	process
1980	62b76c6b344a690944da5a9348059f55f60ceded8f526b6c424d0ff43f8b74e5.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 660 wrote to memory of 1724	660	taskeng.exe	hwesa.exe
PID 660 wrote to memory of 1724	660	taskeng.exe	hwesa.exe
PID 660 wrote to memory of 1724	660	taskeng.exe	hwesa.exe
PID 660 wrote to memory of 1724	660	taskeng.exe	hwesa.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {A4A2E671-F7EA-438C-8432-279E8B49B89B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:660
- C:\ProgramData\uiaiam\hwesa.exe
  C:\ProgramData\uiaiam\hwesa.exe start
  2⤵
  - Executes dropped EXE
  PID:1724

C:\ProgramData\uiaiam\hwesa.exe

MD5
8363135b1c443a979ccc232d67c4db6e

SHA1
269208672fe7ea3a4d333fffb5ab4611d396053a

SHA256
62b76c6b344a690944da5a9348059f55f60ceded8f526b6c424d0ff43f8b74e5

SHA512
a8e395e77503d7e24145eec84ffd06c117482d378122d1748c60c4a3702d93174da6da87eafeb724e1a0776328ed45faf8c13d3fead476af6271e54028cf0fa7

Download Submit
C:\ProgramData\uiaiam\hwesa.exe

MD5
8363135b1c443a979ccc232d67c4db6e

SHA1
269208672fe7ea3a4d333fffb5ab4611d396053a

SHA256
62b76c6b344a690944da5a9348059f55f60ceded8f526b6c424d0ff43f8b74e5

SHA512
a8e395e77503d7e24145eec84ffd06c117482d378122d1748c60c4a3702d93174da6da87eafeb724e1a0776328ed45faf8c13d3fead476af6271e54028cf0fa7

Download Submit
memory/1724-62-0x0000000000000000-mapping.dmp

Download
memory/1980-60-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download