systembc | 073bc58ee928f589d0ed4fc556df8d11477c29590c5239bbb02392fcfe88458c

Resubmissions

27-12-2021 06:52

27-10-2021 06:35

25-10-2021 05:54

Target

073bc58ee928f589d0ed4fc556df8d11477c29590c5239bbb02392fcfe88458c.exe
Size

331KB
MD5

bf03442f038443b9e4eff1081bb51c38
SHA1

c0c66486acc3c13ab842cb13a2a40ce316b7fc00
SHA256

073bc58ee928f589d0ed4fc556df8d11477c29590c5239bbb02392fcfe88458c
SHA512

3eb5a6272b091e7a6a132dd09ed9d5739d67a6fc31a5289e63f4f0393288e4c44048a616c3514bddb8b0675b14c858224444d2926d38eeb1ad7a9c5d4307d733

Score

10^/10

systembc trojan

Family

systembc

185.173.39.49:4001

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Drops file in Windows directory 2 IoCs

Processes:

073bc58ee928f589d0ed4fc556df8d11477c29590c5239bbb02392fcfe88458c.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\wow64.job	073bc58ee928f589d0ed4fc556df8d11477c29590c5239bbb02392fcfe88458c.exe
File created	C:\Windows\Tasks\wow64.job	073bc58ee928f589d0ed4fc556df8d11477c29590c5239bbb02392fcfe88458c.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1456 wrote to memory of 1404	1456	taskeng.exe	073bc58ee928f589d0ed4fc556df8d11477c29590c5239bbb02392fcfe88458c.exe
PID 1456 wrote to memory of 1404	1456	taskeng.exe	073bc58ee928f589d0ed4fc556df8d11477c29590c5239bbb02392fcfe88458c.exe
PID 1456 wrote to memory of 1404	1456	taskeng.exe	073bc58ee928f589d0ed4fc556df8d11477c29590c5239bbb02392fcfe88458c.exe
PID 1456 wrote to memory of 1404	1456	taskeng.exe	073bc58ee928f589d0ed4fc556df8d11477c29590c5239bbb02392fcfe88458c.exe

C:\Users\Admin\AppData\Local\Temp\073bc58ee928f589d0ed4fc556df8d11477c29590c5239bbb02392fcfe88458c.exe
"C:\Users\Admin\AppData\Local\Temp\073bc58ee928f589d0ed4fc556df8d11477c29590c5239bbb02392fcfe88458c.exe"
1⤵
- Drops file in Windows directory
PID:1936

C:\Windows\system32\taskeng.exe
taskeng.exe {B203314B-A35B-4B99-9430-72D812D0C799} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\073bc58ee928f589d0ed4fc556df8d11477c29590c5239bbb02392fcfe88458c.exe
  C:\Users\Admin\AppData\Local\Temp\073bc58ee928f589d0ed4fc556df8d11477c29590c5239bbb02392fcfe88458c.exe start
  2⤵
  PID:1404

memory/1404-58-0x0000000000000000-mapping.dmp

Download
memory/1404-59-0x000000000024B000-0x000000000025C000-memory.dmp

Filesize
68KB

Download
memory/1404-61-0x0000000000400000-0x0000000002DAA000-memory.dmp

Filesize
41.7MB

Download
memory/1936-54-0x00000000002AB000-0x00000000002BC000-memory.dmp

Filesize
68KB

Download
memory/1936-55-0x0000000076B61000-0x0000000076B63000-memory.dmp

Filesize
8KB

Download
memory/1936-56-0x00000000001C0000-0x00000000001C5000-memory.dmp

Filesize
20KB

Download
memory/1936-57-0x0000000000400000-0x0000000002DAA000-memory.dmp

Filesize
41.7MB

Download