systembc | 123605f3e22a46522073d25da4f58b5fbfc8cef2417dd0a95d00d85db096ee38

Analysis

max time kernel
73s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-12-2022 09:05

Target

bddb4b9fbd34721a02da973e2faa29ef.exe
Size

185KB
MD5

bddb4b9fbd34721a02da973e2faa29ef
SHA1

2d30e28283d2e778b67bcf6599b487ae2057dd62
SHA256

123605f3e22a46522073d25da4f58b5fbfc8cef2417dd0a95d00d85db096ee38
SHA512

71918beccb1ba405b11e045e78e1f6d47d8f76fe870b8d88a2584bd95a00d4ba86c44b5ca0097ad19b0ee8cb31fc3137f6cc4352f778fb64ee8dc04247a674f7
SSDEEP

3072:RFEnYMaQ8SdE5c506+Tdp6nJMHTMW0c2vfzW3dEDAbEaRZeWGC3:e8sEyis8TMFS3dZEaRwWt

Score

10^/10

systembc trojan

Family

systembc

146.70.86.61:443

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

newq.exe

pid process

1480 newq.exe

pid	process
1480	newq.exe

Drops file in Windows directory 2 IoCs

Processes:

bddb4b9fbd34721a02da973e2faa29ef.exe

description	ioc	process
File created	C:\Windows\Tasks\newq.job	bddb4b9fbd34721a02da973e2faa29ef.exe
File opened for modification	C:\Windows\Tasks\newq.job	bddb4b9fbd34721a02da973e2faa29ef.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

bddb4b9fbd34721a02da973e2faa29ef.exe

pid process

896 bddb4b9fbd34721a02da973e2faa29ef.exe

pid	process
896	bddb4b9fbd34721a02da973e2faa29ef.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 904 wrote to memory of 1480	904	taskeng.exe	newq.exe
PID 904 wrote to memory of 1480	904	taskeng.exe	newq.exe
PID 904 wrote to memory of 1480	904	taskeng.exe	newq.exe
PID 904 wrote to memory of 1480	904	taskeng.exe	newq.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {F323EBFA-C0E0-462C-8B6D-FCA30C680DEB} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\ProgramData\dqbdic\newq.exe
C:\ProgramData\dqbdic\newq.exe start
2⤵
- Executes dropped EXE
PID:1480

C:\ProgramData\dqbdic\newq.exe
Filesize
185KB

MD5
bddb4b9fbd34721a02da973e2faa29ef

SHA1
2d30e28283d2e778b67bcf6599b487ae2057dd62

SHA256
123605f3e22a46522073d25da4f58b5fbfc8cef2417dd0a95d00d85db096ee38

SHA512
71918beccb1ba405b11e045e78e1f6d47d8f76fe870b8d88a2584bd95a00d4ba86c44b5ca0097ad19b0ee8cb31fc3137f6cc4352f778fb64ee8dc04247a674f7

Download Submit
C:\ProgramData\dqbdic\newq.exe
Filesize
185KB

MD5
bddb4b9fbd34721a02da973e2faa29ef

SHA1
2d30e28283d2e778b67bcf6599b487ae2057dd62

SHA256
123605f3e22a46522073d25da4f58b5fbfc8cef2417dd0a95d00d85db096ee38

SHA512
71918beccb1ba405b11e045e78e1f6d47d8f76fe870b8d88a2584bd95a00d4ba86c44b5ca0097ad19b0ee8cb31fc3137f6cc4352f778fb64ee8dc04247a674f7

Download Submit
memory/896-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/896-55-0x000000000028B000-0x000000000029C000-memory.dmp

Filesize
68KB

Download
memory/896-56-0x00000000001B0000-0x00000000001B9000-memory.dmp

Filesize
36KB

Download
memory/896-57-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/896-64-0x000000000028B000-0x000000000029C000-memory.dmp

Filesize
68KB

Download
memory/1480-59-0x0000000000000000-mapping.dmp

Download
memory/1480-62-0x000000000054B000-0x000000000055B000-memory.dmp

Filesize
64KB

Download
memory/1480-63-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download