systembc | 35081647c14bfe19928e04f3c04fec9f9a66e98b364d0d27f3f057b0f98186f1

Analysis

max time kernel
124s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
27-04-2022 15:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35081647c14bfe19928e04f3c04fec9f9a66e98b364d0d27f3f057b0f98186f1.exe
Size

265KB
MD5

b15da1de33a731f12b3574c1e6845a1c
SHA1

08c12f9d8032dcb1f465cb1b57b8c2bc267f2ba6
SHA256

35081647c14bfe19928e04f3c04fec9f9a66e98b364d0d27f3f057b0f98186f1
SHA512

3df7cfa9fabd23119d8dbc1f99aafca7388aaae14fcdb9283fed7f7c29930ef9e2129160b94887371c1bdd78083fa3d57171b2405bd686a255b22fb5950f618f

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

advertrex20.xyz:4044

gentexman37.xyz:4044

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

fsnn.exe

pid process

1060 fsnn.exe

pid	process
1060	fsnn.exe

Drops file in Windows directory 2 IoCs

Processes:

35081647c14bfe19928e04f3c04fec9f9a66e98b364d0d27f3f057b0f98186f1.exe

description	ioc	process
File created	C:\Windows\Tasks\fsnn.job	35081647c14bfe19928e04f3c04fec9f9a66e98b364d0d27f3f057b0f98186f1.exe
File opened for modification	C:\Windows\Tasks\fsnn.job	35081647c14bfe19928e04f3c04fec9f9a66e98b364d0d27f3f057b0f98186f1.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

35081647c14bfe19928e04f3c04fec9f9a66e98b364d0d27f3f057b0f98186f1.exe

pid process

1364 35081647c14bfe19928e04f3c04fec9f9a66e98b364d0d27f3f057b0f98186f1.exe

pid	process
1364	35081647c14bfe19928e04f3c04fec9f9a66e98b364d0d27f3f057b0f98186f1.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 848 wrote to memory of 1060	848	taskeng.exe	fsnn.exe
PID 848 wrote to memory of 1060	848	taskeng.exe	fsnn.exe
PID 848 wrote to memory of 1060	848	taskeng.exe	fsnn.exe
PID 848 wrote to memory of 1060	848	taskeng.exe	fsnn.exe

C:\Users\Admin\AppData\Local\Temp\35081647c14bfe19928e04f3c04fec9f9a66e98b364d0d27f3f057b0f98186f1.exe
"C:\Users\Admin\AppData\Local\Temp\35081647c14bfe19928e04f3c04fec9f9a66e98b364d0d27f3f057b0f98186f1.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1364

C:\Windows\system32\taskeng.exe
taskeng.exe {A9B74E2D-BE34-439C-BB44-942E3DE6158C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:848

C:\ProgramData\wsgf\fsnn.exe
C:\ProgramData\wsgf\fsnn.exe start
2⤵
- Executes dropped EXE
PID:1060

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\wsgf\fsnn.exe
Filesize
265KB

MD5
b15da1de33a731f12b3574c1e6845a1c

SHA1
08c12f9d8032dcb1f465cb1b57b8c2bc267f2ba6

SHA256
35081647c14bfe19928e04f3c04fec9f9a66e98b364d0d27f3f057b0f98186f1

SHA512
3df7cfa9fabd23119d8dbc1f99aafca7388aaae14fcdb9283fed7f7c29930ef9e2129160b94887371c1bdd78083fa3d57171b2405bd686a255b22fb5950f618f

Download Submit
C:\ProgramData\wsgf\fsnn.exe
Filesize
265KB

MD5
b15da1de33a731f12b3574c1e6845a1c

SHA1
08c12f9d8032dcb1f465cb1b57b8c2bc267f2ba6

SHA256
35081647c14bfe19928e04f3c04fec9f9a66e98b364d0d27f3f057b0f98186f1

SHA512
3df7cfa9fabd23119d8dbc1f99aafca7388aaae14fcdb9283fed7f7c29930ef9e2129160b94887371c1bdd78083fa3d57171b2405bd686a255b22fb5950f618f

Download Submit
memory/1060-59-0x0000000000000000-mapping.dmp

Download
memory/1364-54-0x0000000000020000-0x0000000000026000-memory.dmp

Filesize
24KB

Download
memory/1364-55-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/1364-56-0x0000000076461000-0x0000000076463000-memory.dmp

Filesize
8KB

Download
memory/1364-57-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download