systembc | ef464ed72b73590e6f1fe174116e925258d742e2de02a7684aa841015db767e6

Analysis

Target

s5.exe
Size

185KB
MD5

2207d926147a8ff6327a728a32f0365f
SHA1

f7222a178adf853494700d6375d42adca3289c30
SHA256

ef464ed72b73590e6f1fe174116e925258d742e2de02a7684aa841015db767e6
SHA512

cc5be59c9ad4426c6cac4f5421e6f4b1335e8cc62f8bf771526394dd2ada7520c77763bc948ad7f2e6600fb6ee13a65a86c160973911a39ffee31904123d3f80

Score

10^/10

systembc trojan

Family

systembc

178.20.41.173:4001

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Drops file in Windows directory 2 IoCs

Processes:

s5.exe

description ioc process

File created C:\Windows\Tasks\wow64.job s5.exe
File opened for modification C:\Windows\Tasks\wow64.job s5.exe

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	s5.exe
File opened for modification	C:\Windows\Tasks\wow64.job	s5.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1492 wrote to memory of 1616	1492	taskeng.exe	s5.exe
PID 1492 wrote to memory of 1616	1492	taskeng.exe	s5.exe
PID 1492 wrote to memory of 1616	1492	taskeng.exe	s5.exe
PID 1492 wrote to memory of 1616	1492	taskeng.exe	s5.exe

C:\Users\Admin\AppData\Local\Temp\s5.exe
"C:\Users\Admin\AppData\Local\Temp\s5.exe"
1⤵
- Drops file in Windows directory
PID:1588

C:\Windows\system32\taskeng.exe
taskeng.exe {54E40342-6422-47A8-BCE9-75F22BB94B70} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\s5.exe
  C:\Users\Admin\AppData\Local\Temp\s5.exe start
  2⤵
  PID:1616

memory/1588-55-0x0000000075731000-0x0000000075733000-memory.dmp

Filesize
8KB

Download
memory/1588-56-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1588-57-0x0000000000240000-0x0000000000245000-memory.dmp

Filesize
20KB

Download
memory/1588-58-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1616-59-0x0000000000000000-mapping.dmp

Download
memory/1616-61-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download