systembc | 5a8bff61d763ebedce54e24428a041cb5276b5ffad92e009fd36203f122961ca

General

Target

5a8bff61d763ebedce54e24428a041cb5276b5ffad92e.exe
Size

507KB
MD5

d8f3abf2c283de95b8f1b8474220adfd
SHA1

3ca1423519539f0c608e2cc6f35e7a5a5977edb4
SHA256

5a8bff61d763ebedce54e24428a041cb5276b5ffad92e009fd36203f122961ca
SHA512

e6c8883caf517ab98773b3b5be78d2aa3a1bd01c55576cb4fbcc75ba3a39cd09f60482307a3ebc83fd91a5f5aca7731b188b932979df5f495351d70346fd2557

Score

10^/10

systembc trojan

Family

systembc

C2

mainscpnl.xyz:4207

backpscpnl.xyz:4207

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Drops file in System32 directory 2 IoCs

Processes:

5a8bff61d763ebedce54e24428a041cb5276b5ffad92e.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Obsidium\{49E7EF38-814504E7-31140760-52C4F6AE}.1443228313920530249	5a8bff61d763ebedce54e24428a041cb5276b5ffad92e.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\.obs32\{49E7EF38-814504E7-31140760-52C4F6AE}.1443228313920530249	5a8bff61d763ebedce54e24428a041cb5276b5ffad92e.exe

Drops file in Windows directory 2 IoCs

Processes:

5a8bff61d763ebedce54e24428a041cb5276b5ffad92e.exe

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	5a8bff61d763ebedce54e24428a041cb5276b5ffad92e.exe
File opened for modification	C:\Windows\Tasks\wow64.job	5a8bff61d763ebedce54e24428a041cb5276b5ffad92e.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 384 wrote to memory of 1228	384	taskeng.exe	5a8bff61d763ebedce54e24428a041cb5276b5ffad92e.exe
PID 384 wrote to memory of 1228	384	taskeng.exe	5a8bff61d763ebedce54e24428a041cb5276b5ffad92e.exe
PID 384 wrote to memory of 1228	384	taskeng.exe	5a8bff61d763ebedce54e24428a041cb5276b5ffad92e.exe
PID 384 wrote to memory of 1228	384	taskeng.exe	5a8bff61d763ebedce54e24428a041cb5276b5ffad92e.exe

C:\Users\Admin\AppData\Local\Temp\5a8bff61d763ebedce54e24428a041cb5276b5ffad92e.exe
"C:\Users\Admin\AppData\Local\Temp\5a8bff61d763ebedce54e24428a041cb5276b5ffad92e.exe"
1⤵
- Drops file in Windows directory
PID:1876

C:\Windows\system32\taskeng.exe
taskeng.exe {6FB61CB7-07E1-4BA3-B1BB-54704A828E32} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\AppData\Local\Temp\5a8bff61d763ebedce54e24428a041cb5276b5ffad92e.exe
C:\Users\Admin\AppData\Local\Temp\5a8bff61d763ebedce54e24428a041cb5276b5ffad92e.exe start
2⤵
- Drops file in System32 directory
PID:1228

memory/1228-65-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1228-66-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1228-67-0x00000000004F0000-0x00000000004F7000-memory.dmp

Filesize
28KB

Download
memory/1228-73-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1228-72-0x0000000000540000-0x000000000057B000-memory.dmp

Filesize
236KB

Download
memory/1876-54-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/1876-56-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1876-55-0x0000000000400000-0x00000000004C1000-memory.dmp

Filesize
772KB

Download
memory/1876-58-0x0000000001D70000-0x0000000001D71000-memory.dmp

Filesize
4KB

Download
memory/1876-57-0x00000000003C0000-0x00000000003FB000-memory.dmp

Filesize
236KB

Download
memory/1876-59-0x0000000000370000-0x0000000000377000-memory.dmp

Filesize
28KB

Download