systembc | 3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

Analysis

max time kernel
141s
max time network
144s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
07-01-2023 16:53

Target

3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35.exe
Size

185KB
MD5

f89d628342ab6b02fb4e43b0959cffad
SHA1

ef346df6771087873a820f92c595d2ef42de4958
SHA256

3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35
SHA512

65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d
SSDEEP

3072:t3USMV1WhtLYjE4QW5QNSmkKkb5fn/4pOSPCizVgrR4xWFZw/ZS7rsG:rMWLYjE7kCOuzVgV4m

Score

10^/10

systembc trojan

Family

systembc

109.205.214.18:443

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

dmnwwli.exe

pid process

1020 dmnwwli.exe

pid	process
1020	dmnwwli.exe

Drops file in Windows directory 2 IoCs

Processes:

3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35.exe

description	ioc	process
File created	C:\Windows\Tasks\dmnwwli.job	3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35.exe
File opened for modification	C:\Windows\Tasks\dmnwwli.job	3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35.exe

pid process

892 3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35.exe

pid	process
892	3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1628 wrote to memory of 1020	1628	taskeng.exe	dmnwwli.exe
PID 1628 wrote to memory of 1020	1628	taskeng.exe	dmnwwli.exe
PID 1628 wrote to memory of 1020	1628	taskeng.exe	dmnwwli.exe
PID 1628 wrote to memory of 1020	1628	taskeng.exe	dmnwwli.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {D356971D-2817-47FD-8748-C04E80054887} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\ProgramData\ekuj\dmnwwli.exe
C:\ProgramData\ekuj\dmnwwli.exe start
2⤵
- Executes dropped EXE
PID:1020

C:\ProgramData\ekuj\dmnwwli.exe
Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
C:\ProgramData\ekuj\dmnwwli.exe
Filesize
185KB

MD5
f89d628342ab6b02fb4e43b0959cffad

SHA1
ef346df6771087873a820f92c595d2ef42de4958

SHA256
3552afca2214180166dc53afd3588fc9de44e7bf5cf034d2622634ec53ffbd35

SHA512
65b7f3e89743f4937fba80bc2f535a74578d6c72377e041ff3a6bb642672b576de54c6c92e2fe35f8cb59278474d19d391f5593644aef0353f2896a4a175946d

Download Submit
memory/892-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/892-55-0x00000000005BD000-0x00000000005CE000-memory.dmp

Filesize
68KB

Download
memory/892-56-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/892-57-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1020-59-0x0000000000000000-mapping.dmp

Download
memory/1020-62-0x000000000061D000-0x000000000062E000-memory.dmp

Filesize
68KB

Download
memory/1020-63-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1020-64-0x000000000061D000-0x000000000062E000-memory.dmp

Filesize
68KB

Download