systembc | 304d2fc82e2398804364c5b2da3fe43ed9a3f5581883134f4b2ac68ec76326d3

Analysis

max time kernel
157s
max time network
185s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
24-11-2022 20:06

Target

07c48efec256157d37cfad4f429050f6.exe
Size

163KB
MD5

07c48efec256157d37cfad4f429050f6
SHA1

95ee9560e06a1b7f6ca2e88c3a86987d3fcc5b1e
SHA256

304d2fc82e2398804364c5b2da3fe43ed9a3f5581883134f4b2ac68ec76326d3
SHA512

a47fc8d88e0cf03382db2e1a5d194834fa7e6add376402fbac4b5ca46bc6de06e4ff8ee1a605e209a0cc3a16d3b498bfa2fb2d2b00c8b1cd7d8a6b8d16d816ac
SSDEEP

3072:VbeMh5pve3qP87Lp56bkqe5WfSCQ5I7HWYLS4dt1f3RaNewDDp:V35pm3w87MkqeISCgIjBLS4v1paLDp

Score

10^/10

systembc trojan

Family

systembc

89.248.163.218:443

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

wvwrock.exe

pid process

468 wvwrock.exe

pid	process
468	wvwrock.exe

Drops file in Windows directory 2 IoCs

Processes:

07c48efec256157d37cfad4f429050f6.exe

description	ioc	process
File created	C:\Windows\Tasks\wvwrock.job	07c48efec256157d37cfad4f429050f6.exe
File opened for modification	C:\Windows\Tasks\wvwrock.job	07c48efec256157d37cfad4f429050f6.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

07c48efec256157d37cfad4f429050f6.exe

pid process

1716 07c48efec256157d37cfad4f429050f6.exe

pid	process
1716	07c48efec256157d37cfad4f429050f6.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 660 wrote to memory of 468	660	taskeng.exe	wvwrock.exe
PID 660 wrote to memory of 468	660	taskeng.exe	wvwrock.exe
PID 660 wrote to memory of 468	660	taskeng.exe	wvwrock.exe
PID 660 wrote to memory of 468	660	taskeng.exe	wvwrock.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {167B7BA6-06B9-477A-95A9-2F3846B2D114} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:660

C:\ProgramData\hprlrxf\wvwrock.exe
C:\ProgramData\hprlrxf\wvwrock.exe start
2⤵
- Executes dropped EXE
PID:468

C:\ProgramData\hprlrxf\wvwrock.exe
Filesize
163KB

MD5
07c48efec256157d37cfad4f429050f6

SHA1
95ee9560e06a1b7f6ca2e88c3a86987d3fcc5b1e

SHA256
304d2fc82e2398804364c5b2da3fe43ed9a3f5581883134f4b2ac68ec76326d3

SHA512
a47fc8d88e0cf03382db2e1a5d194834fa7e6add376402fbac4b5ca46bc6de06e4ff8ee1a605e209a0cc3a16d3b498bfa2fb2d2b00c8b1cd7d8a6b8d16d816ac

Download Submit
C:\ProgramData\hprlrxf\wvwrock.exe
Filesize
163KB

MD5
07c48efec256157d37cfad4f429050f6

SHA1
95ee9560e06a1b7f6ca2e88c3a86987d3fcc5b1e

SHA256
304d2fc82e2398804364c5b2da3fe43ed9a3f5581883134f4b2ac68ec76326d3

SHA512
a47fc8d88e0cf03382db2e1a5d194834fa7e6add376402fbac4b5ca46bc6de06e4ff8ee1a605e209a0cc3a16d3b498bfa2fb2d2b00c8b1cd7d8a6b8d16d816ac

Download Submit
memory/468-60-0x0000000000000000-mapping.dmp

Download
memory/468-63-0x000000000062B000-0x000000000063B000-memory.dmp

Filesize
64KB

Download
memory/468-64-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1716-54-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1716-56-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1716-55-0x000000000063B000-0x000000000064C000-memory.dmp

Filesize
68KB

Download
memory/1716-57-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1716-58-0x000000000063B000-0x000000000064C000-memory.dmp

Filesize
68KB

Download