systembc | e1c088749ae4df16e4e029ecbc02b57c1a3ad3a36a3c5f1dfb9fd30f163f39df | Triage

Analysis

max time kernel
147s
max time network
149s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-12-2022 14:05

Sharing

Report Analysis Logs

General

Target

svchost.exe
Size

228KB
MD5

5bf69e555fe1e636d6c02c470bea0b6f
SHA1

96e30ea4c29b8eac021a17cc5cd056e269d9bfb0
SHA256

e1c088749ae4df16e4e029ecbc02b57c1a3ad3a36a3c5f1dfb9fd30f163f39df
SHA512

488caaca4b6b99de782d16a08ae8319b0c1a232a18bc2894d5e0c017af0764e1ffe4a32eb409d9cfde62f1e33b01306eb45bf285c9eaa653ca6d61c2f3b5edbd
SSDEEP

6144:ZbwPB/7O/FD4m+6I1/8Ni0u2VYOHT2C7u13ayTg:ZSOHT2C7uJVT

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

64.44.141.137:4001

192.53.123.202:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Drops file in Windows directory 2 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\Tasks\wow64.job svchost.exe
File opened for modification C:\Windows\Tasks\wow64.job svchost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

1504 svchost.exe
1148 svchost.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1176 wrote to memory of 1148	1176	taskeng.exe	svchost.exe
PID 1176 wrote to memory of 1148	1176	taskeng.exe	svchost.exe
PID 1176 wrote to memory of 1148	1176	taskeng.exe	svchost.exe
PID 1176 wrote to memory of 1148	1176	taskeng.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1504

C:\Windows\system32\taskeng.exe
taskeng.exe {FD2B322C-49C4-4765-883A-18C30F57B51A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe start
2⤵
- Suspicious use of SetWindowsHookEx
PID:1148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1148-61-0x0000000000000000-mapping.dmp

Download
memory/1148-65-0x00000000003E0000-0x00000000003E7000-memory.dmp

Filesize
28KB

Download
memory/1504-56-0x0000000075661000-0x0000000075663000-memory.dmp

Filesize
8KB

Download
memory/1504-57-0x0000000000440000-0x0000000000447000-memory.dmp

Filesize
28KB

Download