systembc | 1972e8136931f0b0fcc9ce917c9eeed13a5fd261c6453173d69bce28bfa1af54

Analysis

max time kernel
175s
max time network
210s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
22-11-2022 05:35

Target

socks.exe
Size

32KB
MD5

f6fc8a2495fb25c71b3e7a355628b19f
SHA1

dce93888658c9e20bce5bc0ba829230966ea25d8
SHA256

1972e8136931f0b0fcc9ce917c9eeed13a5fd261c6453173d69bce28bfa1af54
SHA512

88eb7b301423e22fb91b3de69f411f531b56aa45838b4ca72780a293c726a222921a31ebb1a5ecd6298e254209d0600cd4106819c514bbc0c74fd0b037e02946
SSDEEP

768:nEda2pzI7icyFK4JP7YSud6gfzsUwdgug5oJa2crh:nEdI7icyFvPVoGgX5o

Score

10^/10

systembc trojan

Family

systembc

95.161.131.6:4001

45.153.240.152:4001

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

knrkqbn.exe

pid process

1176 knrkqbn.exe
Drops file in Windows directory 2 IoCs

Processes:

socks.exe

description ioc process

File created C:\Windows\Tasks\knrkqbn.job socks.exe
File opened for modification C:\Windows\Tasks\knrkqbn.job socks.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

socks.exe

pid process

1108 socks.exe

pid	process
1176	knrkqbn.exe

description	ioc	process
File created	C:\Windows\Tasks\knrkqbn.job	socks.exe
File opened for modification	C:\Windows\Tasks\knrkqbn.job	socks.exe

pid	process
1108	socks.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 584 wrote to memory of 1176	584	taskeng.exe	knrkqbn.exe
PID 584 wrote to memory of 1176	584	taskeng.exe	knrkqbn.exe
PID 584 wrote to memory of 1176	584	taskeng.exe	knrkqbn.exe
PID 584 wrote to memory of 1176	584	taskeng.exe	knrkqbn.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {C9C2F418-FE3A-46AC-9AF7-DC4B884DE1F8} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\ProgramData\rejp\knrkqbn.exe
C:\ProgramData\rejp\knrkqbn.exe start
2⤵
- Executes dropped EXE
PID:1176

C:\ProgramData\rejp\knrkqbn.exe

Filesize
32KB

MD5
f6fc8a2495fb25c71b3e7a355628b19f

SHA1
dce93888658c9e20bce5bc0ba829230966ea25d8

SHA256
1972e8136931f0b0fcc9ce917c9eeed13a5fd261c6453173d69bce28bfa1af54

SHA512
88eb7b301423e22fb91b3de69f411f531b56aa45838b4ca72780a293c726a222921a31ebb1a5ecd6298e254209d0600cd4106819c514bbc0c74fd0b037e02946

Download Submit
C:\ProgramData\rejp\knrkqbn.exe

Filesize
32KB

MD5
f6fc8a2495fb25c71b3e7a355628b19f

SHA1
dce93888658c9e20bce5bc0ba829230966ea25d8

SHA256
1972e8136931f0b0fcc9ce917c9eeed13a5fd261c6453173d69bce28bfa1af54

SHA512
88eb7b301423e22fb91b3de69f411f531b56aa45838b4ca72780a293c726a222921a31ebb1a5ecd6298e254209d0600cd4106819c514bbc0c74fd0b037e02946

Download Submit
memory/1108-54-0x0000000076D71000-0x0000000076D73000-memory.dmp

Filesize
8KB

Download
memory/1176-56-0x0000000000000000-mapping.dmp

Download