systembc | 96b83738ed6bae81be1d25d7619f7980bcd3d7c338f3d87b69d704a580c82fe9

Analysis

max time kernel
72s
max time network
152s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 17:15

Target

697ab7ce385d753b8877909134769206.exe
Size

32KB
MD5

697ab7ce385d753b8877909134769206
SHA1

830040b9a12eb4937996c80cd72f0c421e218028
SHA256

96b83738ed6bae81be1d25d7619f7980bcd3d7c338f3d87b69d704a580c82fe9
SHA512

56646ce31b3939302157c18c6cfa59eef2d3bc404f06d0b56241b79ef38771177e3bbf95f986a3d27a52a654b103f1b122f1a304c17bf07ec59364a8cfdc4a6d
SSDEEP

768:HqPzUdiJ8dayafVcCSWYVYnPrryFbnpoJo25Kc6z5Fg:YLJ8dayaaupDobnpo22Gc

Score

10^/10

systembc trojan

Family

systembc

89.248.163.218:443

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

ckogkoq.exe

pid process

1216 ckogkoq.exe

pid	process
1216	ckogkoq.exe

Drops file in Windows directory 2 IoCs

Processes:

697ab7ce385d753b8877909134769206.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\ckogkoq.job	697ab7ce385d753b8877909134769206.exe
File created	C:\Windows\Tasks\ckogkoq.job	697ab7ce385d753b8877909134769206.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

697ab7ce385d753b8877909134769206.exe

pid process

1376 697ab7ce385d753b8877909134769206.exe

pid	process
1376	697ab7ce385d753b8877909134769206.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1952 wrote to memory of 1216	1952	taskeng.exe	ckogkoq.exe
PID 1952 wrote to memory of 1216	1952	taskeng.exe	ckogkoq.exe
PID 1952 wrote to memory of 1216	1952	taskeng.exe	ckogkoq.exe
PID 1952 wrote to memory of 1216	1952	taskeng.exe	ckogkoq.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {D10B0B53-EB33-4DC7-96DE-F8D7E4BA9C21} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\ProgramData\ltevnjb\ckogkoq.exe
C:\ProgramData\ltevnjb\ckogkoq.exe start
2⤵
- Executes dropped EXE
PID:1216

C:\ProgramData\ltevnjb\ckogkoq.exe

Filesize
32KB

MD5
697ab7ce385d753b8877909134769206

SHA1
830040b9a12eb4937996c80cd72f0c421e218028

SHA256
96b83738ed6bae81be1d25d7619f7980bcd3d7c338f3d87b69d704a580c82fe9

SHA512
56646ce31b3939302157c18c6cfa59eef2d3bc404f06d0b56241b79ef38771177e3bbf95f986a3d27a52a654b103f1b122f1a304c17bf07ec59364a8cfdc4a6d

Download Submit
C:\ProgramData\ltevnjb\ckogkoq.exe

Filesize
32KB

MD5
697ab7ce385d753b8877909134769206

SHA1
830040b9a12eb4937996c80cd72f0c421e218028

SHA256
96b83738ed6bae81be1d25d7619f7980bcd3d7c338f3d87b69d704a580c82fe9

SHA512
56646ce31b3939302157c18c6cfa59eef2d3bc404f06d0b56241b79ef38771177e3bbf95f986a3d27a52a654b103f1b122f1a304c17bf07ec59364a8cfdc4a6d

Download Submit
memory/1216-56-0x0000000000000000-mapping.dmp

Download
memory/1376-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download