systembc | e1c088749ae4df16e4e029ecbc02b57c1a3ad3a36a3c5f1dfb9fd30f163f39df | Triage

Analysis

max time kernel
141s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2022 14:05

Sharing

Report Analysis Logs

General

Target

svchost.exe
Size

228KB
MD5

5bf69e555fe1e636d6c02c470bea0b6f
SHA1

96e30ea4c29b8eac021a17cc5cd056e269d9bfb0
SHA256

e1c088749ae4df16e4e029ecbc02b57c1a3ad3a36a3c5f1dfb9fd30f163f39df
SHA512

488caaca4b6b99de782d16a08ae8319b0c1a232a18bc2894d5e0c017af0764e1ffe4a32eb409d9cfde62f1e33b01306eb45bf285c9eaa653ca6d61c2f3b5edbd
SSDEEP

6144:ZbwPB/7O/FD4m+6I1/8Ni0u2VYOHT2C7u13ayTg:ZSOHT2C7uJVT

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

64.44.141.137:4001

192.53.123.202:4001

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Drops file in Windows directory 2 IoCs

Processes:

svchost.exe

description ioc process

File created C:\Windows\Tasks\wow64.job svchost.exe
File opened for modification C:\Windows\Tasks\wow64.job svchost.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

4492 svchost.exe
4888 svchost.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4492

C:\Users\Admin\AppData\Local\Temp\svchost.exe
C:\Users\Admin\AppData\Local\Temp\svchost.exe start
1⤵
- Suspicious use of SetWindowsHookEx
PID:4888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4492-134-0x0000000002F80000-0x0000000002F87000-memory.dmp

Filesize
28KB

Download
memory/4888-140-0x00000000011A0000-0x00000000011A7000-memory.dmp

Filesize
28KB

Download