systembc | 550c8e114b13d07fe8fd7cd6e9915267996c6634c1e81f23ff9fe7da2ba74919

Analysis

Target

550c8e114b13d07fe8fd7cd6e9915267996c6634c1e81f23ff9fe7da2ba74919.exe
Size

310KB
MD5

455dea94a907225687474ee6e3206c0c
SHA1

23f0a35eb339aa4d7ed9040082daf13ac1db4959
SHA256

550c8e114b13d07fe8fd7cd6e9915267996c6634c1e81f23ff9fe7da2ba74919
SHA512

dbe42bcc911441ebd309c3df9340b000f35514d5bb6a5729a379ca770959c227fcc19d2c727dccaea23e47fcd5ee46290c055e249367aef37886f88102076b15

Score

10^/10

systembc trojan

Family

systembc

207.32.216.202:4211

192.53.123.202:4211

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Drops file in Windows directory 2 IoCs

Processes:

550c8e114b13d07fe8fd7cd6e9915267996c6634c1e81f23ff9fe7da2ba74919.exe

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	550c8e114b13d07fe8fd7cd6e9915267996c6634c1e81f23ff9fe7da2ba74919.exe
File opened for modification	C:\Windows\Tasks\wow64.job	550c8e114b13d07fe8fd7cd6e9915267996c6634c1e81f23ff9fe7da2ba74919.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 652 wrote to memory of 1168	652	taskeng.exe	550c8e114b13d07fe8fd7cd6e9915267996c6634c1e81f23ff9fe7da2ba74919.exe
PID 652 wrote to memory of 1168	652	taskeng.exe	550c8e114b13d07fe8fd7cd6e9915267996c6634c1e81f23ff9fe7da2ba74919.exe
PID 652 wrote to memory of 1168	652	taskeng.exe	550c8e114b13d07fe8fd7cd6e9915267996c6634c1e81f23ff9fe7da2ba74919.exe
PID 652 wrote to memory of 1168	652	taskeng.exe	550c8e114b13d07fe8fd7cd6e9915267996c6634c1e81f23ff9fe7da2ba74919.exe

C:\Users\Admin\AppData\Local\Temp\550c8e114b13d07fe8fd7cd6e9915267996c6634c1e81f23ff9fe7da2ba74919.exe
"C:\Users\Admin\AppData\Local\Temp\550c8e114b13d07fe8fd7cd6e9915267996c6634c1e81f23ff9fe7da2ba74919.exe"
1⤵
- Drops file in Windows directory
PID:1288

C:\Windows\system32\taskeng.exe
taskeng.exe {3AD42A71-8FB6-4B85-9FB3-EA30733FB53E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Local\Temp\550c8e114b13d07fe8fd7cd6e9915267996c6634c1e81f23ff9fe7da2ba74919.exe
C:\Users\Admin\AppData\Local\Temp\550c8e114b13d07fe8fd7cd6e9915267996c6634c1e81f23ff9fe7da2ba74919.exe start
2⤵
PID:1168

memory/1168-59-0x0000000000580000-0x00000000005AD000-memory.dmp

Filesize
180KB

Download
memory/1168-62-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download
memory/1168-61-0x000000000059B000-0x00000000005AC000-memory.dmp

Filesize
68KB

Download
memory/1168-63-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/1288-54-0x00000000004F0000-0x000000000051D000-memory.dmp

Filesize
180KB

Download
memory/1288-55-0x000000000050B000-0x000000000051C000-memory.dmp

Filesize
68KB

Download
memory/1288-56-0x00000000002A0000-0x00000000002A5000-memory.dmp

Filesize
20KB

Download
memory/1288-57-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1288-58-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download