systembc | a62751453618735964f32c88d8dbf08d5e27d17b3109a2bb48a15f4ad661a372

Analysis

max time kernel
106s
max time network
134s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 17:15

Target

62714a724abbfc87f6d3e46a446d5fbf.exe
Size

32KB
MD5

62714a724abbfc87f6d3e46a446d5fbf
SHA1

eacf4b82e080c80d1bd121bcdfc35c52a28b4f0e
SHA256

a62751453618735964f32c88d8dbf08d5e27d17b3109a2bb48a15f4ad661a372
SHA512

b4f2d8339309b6c742eb4b9027b4486b1b2dafa28c0287bd8a28df9265df7cab2dd7542e263faccc20992e8d6b89f293bae7728efb16961697706976c028e1d1
SSDEEP

768:HqPzUdiJ8dayafVcCSWYVYnPrryFbnpoJo2qKc6ziFg:YLJ8dayaaupDobnpo2RGh

Score

10^/10

systembc trojan

Family

systembc

89.248.163.218:443

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

nxdok.exe

pid process

2044 nxdok.exe

pid	process
2044	nxdok.exe

Drops file in Windows directory 2 IoCs

Processes:

62714a724abbfc87f6d3e46a446d5fbf.exe

description	ioc	process
File created	C:\Windows\Tasks\nxdok.job	62714a724abbfc87f6d3e46a446d5fbf.exe
File opened for modification	C:\Windows\Tasks\nxdok.job	62714a724abbfc87f6d3e46a446d5fbf.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

62714a724abbfc87f6d3e46a446d5fbf.exe

pid process

896 62714a724abbfc87f6d3e46a446d5fbf.exe

pid	process
896	62714a724abbfc87f6d3e46a446d5fbf.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1168 wrote to memory of 2044	1168	taskeng.exe	nxdok.exe
PID 1168 wrote to memory of 2044	1168	taskeng.exe	nxdok.exe
PID 1168 wrote to memory of 2044	1168	taskeng.exe	nxdok.exe
PID 1168 wrote to memory of 2044	1168	taskeng.exe	nxdok.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {DAAB5A7F-41D5-40EE-8C99-ADFCB0002733} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1168

C:\ProgramData\wnakgbf\nxdok.exe
C:\ProgramData\wnakgbf\nxdok.exe start
2⤵
- Executes dropped EXE
PID:2044

C:\ProgramData\wnakgbf\nxdok.exe

Filesize
32KB

MD5
62714a724abbfc87f6d3e46a446d5fbf

SHA1
eacf4b82e080c80d1bd121bcdfc35c52a28b4f0e

SHA256
a62751453618735964f32c88d8dbf08d5e27d17b3109a2bb48a15f4ad661a372

SHA512
b4f2d8339309b6c742eb4b9027b4486b1b2dafa28c0287bd8a28df9265df7cab2dd7542e263faccc20992e8d6b89f293bae7728efb16961697706976c028e1d1

Download Submit
C:\ProgramData\wnakgbf\nxdok.exe

Filesize
32KB

MD5
62714a724abbfc87f6d3e46a446d5fbf

SHA1
eacf4b82e080c80d1bd121bcdfc35c52a28b4f0e

SHA256
a62751453618735964f32c88d8dbf08d5e27d17b3109a2bb48a15f4ad661a372

SHA512
b4f2d8339309b6c742eb4b9027b4486b1b2dafa28c0287bd8a28df9265df7cab2dd7542e263faccc20992e8d6b89f293bae7728efb16961697706976c028e1d1

Download Submit
memory/896-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/2044-56-0x0000000000000000-mapping.dmp

Download