systembc | 68d545d1cdef7b43c334287add73189c0498316ba361fd241bc6c89cf6667c8c

Analysis

max time kernel
111s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-08-2022 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68d545d1cdef7b43c334287add73189c0498316ba361fd241bc6c89cf6667c8c.exe
Size

16KB
MD5

d9033f945fd4ba1855ca5b24c3b81fa6
SHA1

b074cda2cf0db0a9fe46b85839cc8ca4f62c973f
SHA256

68d545d1cdef7b43c334287add73189c0498316ba361fd241bc6c89cf6667c8c
SHA512

af3e8e92fbd848164d93f2e1602fb1797cf2ef203a1e2fc969e790b4272d4b9a5f5d6931935818dd39ac77789b1614f19a7c1d33ea1cf4f9d267c4c7fe4d8bfa
SSDEEP

384:rC+AHNZw/WnlrobdglGbLMoy+yG+yir1dV:r0gklrydgQP1yO67V

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

localhost:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 2 IoCs

Processes:

khkmflb.exekhkmflb.exe

pid process

1080 khkmflb.exe
1672 khkmflb.exe

pid	process
1080	khkmflb.exe
1672	khkmflb.exe

Drops file in Windows directory 2 IoCs

Processes:

68d545d1cdef7b43c334287add73189c0498316ba361fd241bc6c89cf6667c8c.exe

description	ioc	process
File created	C:\Windows\Tasks\khkmflb.job	68d545d1cdef7b43c334287add73189c0498316ba361fd241bc6c89cf6667c8c.exe
File opened for modification	C:\Windows\Tasks\khkmflb.job	68d545d1cdef7b43c334287add73189c0498316ba361fd241bc6c89cf6667c8c.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

68d545d1cdef7b43c334287add73189c0498316ba361fd241bc6c89cf6667c8c.exe

pid process

2020 68d545d1cdef7b43c334287add73189c0498316ba361fd241bc6c89cf6667c8c.exe

pid	process
2020	68d545d1cdef7b43c334287add73189c0498316ba361fd241bc6c89cf6667c8c.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1016 wrote to memory of 1080	1016	taskeng.exe	khkmflb.exe
PID 1016 wrote to memory of 1080	1016	taskeng.exe	khkmflb.exe
PID 1016 wrote to memory of 1080	1016	taskeng.exe	khkmflb.exe
PID 1016 wrote to memory of 1080	1016	taskeng.exe	khkmflb.exe
PID 1016 wrote to memory of 1672	1016	taskeng.exe	khkmflb.exe
PID 1016 wrote to memory of 1672	1016	taskeng.exe	khkmflb.exe
PID 1016 wrote to memory of 1672	1016	taskeng.exe	khkmflb.exe
PID 1016 wrote to memory of 1672	1016	taskeng.exe	khkmflb.exe

C:\Users\Admin\AppData\Local\Temp\68d545d1cdef7b43c334287add73189c0498316ba361fd241bc6c89cf6667c8c.exe
"C:\Users\Admin\AppData\Local\Temp\68d545d1cdef7b43c334287add73189c0498316ba361fd241bc6c89cf6667c8c.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2020

C:\Windows\system32\taskeng.exe
taskeng.exe {18C28CD8-810A-467C-A69E-6AF12285A1E2} S-1-5-21-999675638-2867687379-27515722-1000:ORXGKKZC\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1016

C:\ProgramData\rgsb\khkmflb.exe
C:\ProgramData\rgsb\khkmflb.exe start2
2⤵
- Executes dropped EXE
PID:1080

C:\ProgramData\rgsb\khkmflb.exe
C:\ProgramData\rgsb\khkmflb.exe start2
2⤵
- Executes dropped EXE
PID:1672

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\rgsb\khkmflb.exe
Filesize
16KB

MD5
d9033f945fd4ba1855ca5b24c3b81fa6

SHA1
b074cda2cf0db0a9fe46b85839cc8ca4f62c973f

SHA256
68d545d1cdef7b43c334287add73189c0498316ba361fd241bc6c89cf6667c8c

SHA512
af3e8e92fbd848164d93f2e1602fb1797cf2ef203a1e2fc969e790b4272d4b9a5f5d6931935818dd39ac77789b1614f19a7c1d33ea1cf4f9d267c4c7fe4d8bfa

Download Submit
C:\ProgramData\rgsb\khkmflb.exe
Filesize
16KB

MD5
d9033f945fd4ba1855ca5b24c3b81fa6

SHA1
b074cda2cf0db0a9fe46b85839cc8ca4f62c973f

SHA256
68d545d1cdef7b43c334287add73189c0498316ba361fd241bc6c89cf6667c8c

SHA512
af3e8e92fbd848164d93f2e1602fb1797cf2ef203a1e2fc969e790b4272d4b9a5f5d6931935818dd39ac77789b1614f19a7c1d33ea1cf4f9d267c4c7fe4d8bfa

Download Submit
C:\ProgramData\rgsb\khkmflb.exe
Filesize
16KB

MD5
d9033f945fd4ba1855ca5b24c3b81fa6

SHA1
b074cda2cf0db0a9fe46b85839cc8ca4f62c973f

SHA256
68d545d1cdef7b43c334287add73189c0498316ba361fd241bc6c89cf6667c8c

SHA512
af3e8e92fbd848164d93f2e1602fb1797cf2ef203a1e2fc969e790b4272d4b9a5f5d6931935818dd39ac77789b1614f19a7c1d33ea1cf4f9d267c4c7fe4d8bfa

Download Submit
memory/1080-56-0x0000000000000000-mapping.dmp

Download
memory/1672-59-0x0000000000000000-mapping.dmp

Download
memory/2020-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download