systembc | 5411181f4261c8a1b21450ea7376df3d60003b19ad6ad6c6e1fbee2e4b6b8e32

Analysis

max time kernel
73s
max time network
151s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
18-11-2022 06:25

Target

ede4e0e4f4547b54a24a170161ae4542.exe
Size

163KB
MD5

ede4e0e4f4547b54a24a170161ae4542
SHA1

7b15b83ebd70c52302e0dea0dea0404026298713
SHA256

5411181f4261c8a1b21450ea7376df3d60003b19ad6ad6c6e1fbee2e4b6b8e32
SHA512

d602b165419d1c52e612027208e14a6dde2debfe0efc77c10041e9b02f95ddfe0996d1a6b6d3ad212e00a0f51cfe86cc767f38c5610d9f279b0191d169ddd0f4
SSDEEP

3072:yK+SWyNc5/9jt5u6hEzsDa6rGYzIhEwJbp9lZdfrD:/lG/Q6hWxwGkjwJbjR

Score

10^/10

systembc trojan

Family

systembc

89.248.165.79:443

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

gstlvn.exe

pid process

2032 gstlvn.exe

pid	process
2032	gstlvn.exe

Drops file in Windows directory 2 IoCs

Processes:

ede4e0e4f4547b54a24a170161ae4542.exe

description	ioc	process
File created	C:\Windows\Tasks\gstlvn.job	ede4e0e4f4547b54a24a170161ae4542.exe
File opened for modification	C:\Windows\Tasks\gstlvn.job	ede4e0e4f4547b54a24a170161ae4542.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ede4e0e4f4547b54a24a170161ae4542.exe

pid process

1380 ede4e0e4f4547b54a24a170161ae4542.exe

pid	process
1380	ede4e0e4f4547b54a24a170161ae4542.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1324 wrote to memory of 2032	1324	taskeng.exe	gstlvn.exe
PID 1324 wrote to memory of 2032	1324	taskeng.exe	gstlvn.exe
PID 1324 wrote to memory of 2032	1324	taskeng.exe	gstlvn.exe
PID 1324 wrote to memory of 2032	1324	taskeng.exe	gstlvn.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {0F9E9A86-C50D-428C-847C-B174D23EC76A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1324

C:\ProgramData\lose\gstlvn.exe
C:\ProgramData\lose\gstlvn.exe start
2⤵
- Executes dropped EXE
PID:2032

C:\ProgramData\lose\gstlvn.exe

Filesize
163KB

MD5
ede4e0e4f4547b54a24a170161ae4542

SHA1
7b15b83ebd70c52302e0dea0dea0404026298713

SHA256
5411181f4261c8a1b21450ea7376df3d60003b19ad6ad6c6e1fbee2e4b6b8e32

SHA512
d602b165419d1c52e612027208e14a6dde2debfe0efc77c10041e9b02f95ddfe0996d1a6b6d3ad212e00a0f51cfe86cc767f38c5610d9f279b0191d169ddd0f4

Download Submit
C:\ProgramData\lose\gstlvn.exe

Filesize
163KB

MD5
ede4e0e4f4547b54a24a170161ae4542

SHA1
7b15b83ebd70c52302e0dea0dea0404026298713

SHA256
5411181f4261c8a1b21450ea7376df3d60003b19ad6ad6c6e1fbee2e4b6b8e32

SHA512
d602b165419d1c52e612027208e14a6dde2debfe0efc77c10041e9b02f95ddfe0996d1a6b6d3ad212e00a0f51cfe86cc767f38c5610d9f279b0191d169ddd0f4

Download Submit
memory/1380-54-0x0000000075E81000-0x0000000075E83000-memory.dmp

Filesize
8KB

Download
memory/1380-56-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/1380-55-0x000000000069B000-0x00000000006AC000-memory.dmp

Filesize
68KB

Download
memory/1380-57-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1380-64-0x000000000069B000-0x00000000006AC000-memory.dmp

Filesize
68KB

Download
memory/2032-59-0x0000000000000000-mapping.dmp

Download
memory/2032-62-0x0000000000A0B000-0x0000000000A1B000-memory.dmp

Filesize
64KB

Download
memory/2032-63-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download