systembc | 3564c81981f8f09caab954d67afc49d0cc9ecc309e07d4bcf06192908e01fb38

Analysis

max time kernel
73s
max time network
163s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-12-2022 14:10

Target

b79f16dd30f7111b84ae7543bc7e1b24.exe
Size

32KB
MD5

b79f16dd30f7111b84ae7543bc7e1b24
SHA1

a459391f937c5dc535497c7076711c27535e51fd
SHA256

3564c81981f8f09caab954d67afc49d0cc9ecc309e07d4bcf06192908e01fb38
SHA512

7cf36570ca33d81185128427fab6a2687b4bac66896823f8704e90bc7bd09ff16039715abb3db167d4dc819efb17819b5d9f0d26e24e8ba3d7258474f9d72965
SSDEEP

768:HqPzUdiJ8dayafVcCSWYVYnPrryFbnpoJo2W1Kc6UFg:YLJ8dayaaupDobnpo2V1K

Score

10^/10

systembc trojan

Family

systembc

109.205.214.18:443

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

wgfehtn.exe

pid process

1696 wgfehtn.exe

pid	process
1696	wgfehtn.exe

Drops file in Windows directory 2 IoCs

Processes:

b79f16dd30f7111b84ae7543bc7e1b24.exe

description	ioc	process
File created	C:\Windows\Tasks\wgfehtn.job	b79f16dd30f7111b84ae7543bc7e1b24.exe
File opened for modification	C:\Windows\Tasks\wgfehtn.job	b79f16dd30f7111b84ae7543bc7e1b24.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b79f16dd30f7111b84ae7543bc7e1b24.exe

pid process

1224 b79f16dd30f7111b84ae7543bc7e1b24.exe

pid	process
1224	b79f16dd30f7111b84ae7543bc7e1b24.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 896 wrote to memory of 1696	896	taskeng.exe	wgfehtn.exe
PID 896 wrote to memory of 1696	896	taskeng.exe	wgfehtn.exe
PID 896 wrote to memory of 1696	896	taskeng.exe	wgfehtn.exe
PID 896 wrote to memory of 1696	896	taskeng.exe	wgfehtn.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {3F2572EE-86A8-4221-842A-B0E1B2BA77F5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:896

C:\ProgramData\npgwtlf\wgfehtn.exe
C:\ProgramData\npgwtlf\wgfehtn.exe start
2⤵
- Executes dropped EXE
PID:1696

C:\ProgramData\npgwtlf\wgfehtn.exe
Filesize
32KB

MD5
b79f16dd30f7111b84ae7543bc7e1b24

SHA1
a459391f937c5dc535497c7076711c27535e51fd

SHA256
3564c81981f8f09caab954d67afc49d0cc9ecc309e07d4bcf06192908e01fb38

SHA512
7cf36570ca33d81185128427fab6a2687b4bac66896823f8704e90bc7bd09ff16039715abb3db167d4dc819efb17819b5d9f0d26e24e8ba3d7258474f9d72965

Download Submit
C:\ProgramData\npgwtlf\wgfehtn.exe
Filesize
32KB

MD5
b79f16dd30f7111b84ae7543bc7e1b24

SHA1
a459391f937c5dc535497c7076711c27535e51fd

SHA256
3564c81981f8f09caab954d67afc49d0cc9ecc309e07d4bcf06192908e01fb38

SHA512
7cf36570ca33d81185128427fab6a2687b4bac66896823f8704e90bc7bd09ff16039715abb3db167d4dc819efb17819b5d9f0d26e24e8ba3d7258474f9d72965

Download Submit
memory/1224-54-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download
memory/1696-56-0x0000000000000000-mapping.dmp

Download