systembc | c7d25633a9eb2b9262d6906e5f8ecbc249cff461ea07cd740ac2d1a72d5d07c3

Analysis

Target

c7d25633a9eb2b9262d6906e5f8ecbc249cff461ea07cd740ac2d1a72d5d07c3.exe
Size

959KB
MD5

c27c43f48a7c4d0b96bc66255c0ae238
SHA1

6c3909b126000bb7ac3a68be1fba98235f9a60f6
SHA256

c7d25633a9eb2b9262d6906e5f8ecbc249cff461ea07cd740ac2d1a72d5d07c3
SHA512

8862df7c99dd72a62e5b4ea6f702d8dd912d656bd0a123800d3499ab31799c446e080b6d5e9bd628e4cb90b29a8c38c842727c617fc86e58230f7f833830d9b7

Score

10^/10

systembc trojan

Family

systembc

179.43.178.96:4141

192.168.1.149:4141

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

usxjkfs.exe

pid process

848 usxjkfs.exe

pid	process
848	usxjkfs.exe

Drops file in Windows directory 2 IoCs

Processes:

c7d25633a9eb2b9262d6906e5f8ecbc249cff461ea07cd740ac2d1a72d5d07c3.exe

description	ioc	process
File created	C:\Windows\Tasks\usxjkfs.job	c7d25633a9eb2b9262d6906e5f8ecbc249cff461ea07cd740ac2d1a72d5d07c3.exe
File opened for modification	C:\Windows\Tasks\usxjkfs.job	c7d25633a9eb2b9262d6906e5f8ecbc249cff461ea07cd740ac2d1a72d5d07c3.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1524 wrote to memory of 848	1524	taskeng.exe	usxjkfs.exe
PID 1524 wrote to memory of 848	1524	taskeng.exe	usxjkfs.exe
PID 1524 wrote to memory of 848	1524	taskeng.exe	usxjkfs.exe
PID 1524 wrote to memory of 848	1524	taskeng.exe	usxjkfs.exe

C:\Users\Admin\AppData\Local\Temp\c7d25633a9eb2b9262d6906e5f8ecbc249cff461ea07cd740ac2d1a72d5d07c3.exe
"C:\Users\Admin\AppData\Local\Temp\c7d25633a9eb2b9262d6906e5f8ecbc249cff461ea07cd740ac2d1a72d5d07c3.exe"
1⤵
- Drops file in Windows directory
PID:764

C:\Windows\system32\taskeng.exe
taskeng.exe {4F6510B5-070D-4564-8D6C-792F3328C99A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1524
- C:\ProgramData\pdau\usxjkfs.exe
  C:\ProgramData\pdau\usxjkfs.exe start
  2⤵
  - Executes dropped EXE
  PID:848

C:\ProgramData\pdau\usxjkfs.exe

MD5
c27c43f48a7c4d0b96bc66255c0ae238

SHA1
6c3909b126000bb7ac3a68be1fba98235f9a60f6

SHA256
c7d25633a9eb2b9262d6906e5f8ecbc249cff461ea07cd740ac2d1a72d5d07c3

SHA512
8862df7c99dd72a62e5b4ea6f702d8dd912d656bd0a123800d3499ab31799c446e080b6d5e9bd628e4cb90b29a8c38c842727c617fc86e58230f7f833830d9b7

Download Submit
C:\ProgramData\pdau\usxjkfs.exe

MD5
c27c43f48a7c4d0b96bc66255c0ae238

SHA1
6c3909b126000bb7ac3a68be1fba98235f9a60f6

SHA256
c7d25633a9eb2b9262d6906e5f8ecbc249cff461ea07cd740ac2d1a72d5d07c3

SHA512
8862df7c99dd72a62e5b4ea6f702d8dd912d656bd0a123800d3499ab31799c446e080b6d5e9bd628e4cb90b29a8c38c842727c617fc86e58230f7f833830d9b7

Download Submit
memory/764-54-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download
memory/764-55-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download
memory/764-56-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/848-58-0x0000000000000000-mapping.dmp

Download
memory/848-61-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download