systembc | d42f5b2eb36690d5187c90c79a4589bcb1b80121da533deb1cf23b7a451b56c1

Analysis

max time kernel
177s
max time network
46s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
31-07-2022 06:52

Target

d42f5b2eb36690d5187c90c79a4589bcb1b80121da533deb1cf23b7a451b56c1.exe
Size

165KB
MD5

299fd6f018adf3df8f4c0c49f43f3841
SHA1

16b95f12a1f30ea9f3d4c55fa468a5f7e8f5ef1e
SHA256

d42f5b2eb36690d5187c90c79a4589bcb1b80121da533deb1cf23b7a451b56c1
SHA512

cbfb0f7f0d5532ee2ca03f391980dbbbd031bf36f1d2b78140bc02ec5dd7c1b8dc8c0bb7d948ad56918a629959d5331a73047a91067e43760cadd3f942add886

Score

10^/10

systembc trojan

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

rmhwloe.exe

pid process

1296 rmhwloe.exe
Drops file in Windows directory 1 IoCs

Processes:

d42f5b2eb36690d5187c90c79a4589bcb1b80121da533deb1cf23b7a451b56c1.exe

description ioc process

File created C:\Windows\Tasks\corolina17.job d42f5b2eb36690d5187c90c79a4589bcb1b80121da533deb1cf23b7a451b56c1.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

d42f5b2eb36690d5187c90c79a4589bcb1b80121da533deb1cf23b7a451b56c1.exe

pid process

2028 d42f5b2eb36690d5187c90c79a4589bcb1b80121da533deb1cf23b7a451b56c1.exe

pid	process
1296	rmhwloe.exe

description	ioc	process
File created	C:\Windows\Tasks\corolina17.job	d42f5b2eb36690d5187c90c79a4589bcb1b80121da533deb1cf23b7a451b56c1.exe

pid	process
2028	d42f5b2eb36690d5187c90c79a4589bcb1b80121da533deb1cf23b7a451b56c1.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 956 wrote to memory of 1296	956	taskeng.exe	rmhwloe.exe
PID 956 wrote to memory of 1296	956	taskeng.exe	rmhwloe.exe
PID 956 wrote to memory of 1296	956	taskeng.exe	rmhwloe.exe
PID 956 wrote to memory of 1296	956	taskeng.exe	rmhwloe.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {A794FB28-14B6-4D7F-B5F9-58301E013069} S-1-5-21-4084403625-2215941253-1760665084-1000:LDLTPJLN\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:956

C:\ProgramData\vcmw\rmhwloe.exe
C:\ProgramData\vcmw\rmhwloe.exe start2
2⤵
- Executes dropped EXE
PID:1296

C:\ProgramData\vcmw\rmhwloe.exe
Filesize
165KB

MD5
299fd6f018adf3df8f4c0c49f43f3841

SHA1
16b95f12a1f30ea9f3d4c55fa468a5f7e8f5ef1e

SHA256
d42f5b2eb36690d5187c90c79a4589bcb1b80121da533deb1cf23b7a451b56c1

SHA512
cbfb0f7f0d5532ee2ca03f391980dbbbd031bf36f1d2b78140bc02ec5dd7c1b8dc8c0bb7d948ad56918a629959d5331a73047a91067e43760cadd3f942add886

Download Submit
C:\ProgramData\vcmw\rmhwloe.exe
Filesize
165KB

MD5
299fd6f018adf3df8f4c0c49f43f3841

SHA1
16b95f12a1f30ea9f3d4c55fa468a5f7e8f5ef1e

SHA256
d42f5b2eb36690d5187c90c79a4589bcb1b80121da533deb1cf23b7a451b56c1

SHA512
cbfb0f7f0d5532ee2ca03f391980dbbbd031bf36f1d2b78140bc02ec5dd7c1b8dc8c0bb7d948ad56918a629959d5331a73047a91067e43760cadd3f942add886

Download Submit
memory/1296-59-0x0000000000000000-mapping.dmp

Download
memory/1296-62-0x000000000028E000-0x0000000000292000-memory.dmp

Filesize
16KB

Download
memory/1296-63-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2028-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/2028-55-0x000000000063E000-0x0000000000642000-memory.dmp

Filesize
16KB

Download
memory/2028-56-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2028-57-0x000000000063E000-0x0000000000642000-memory.dmp

Filesize
16KB

Download