systembc | d8eea48101d16675eab4b0263d801425405565d80057839513e00d1717c6dc7a

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08-02-2023 19:22

Target

1716-56-0x0000000010000000-0x000000001013B000-memory.dll
Size

1.2MB
MD5

1b7567ad481edfdd98def6b2d0b4bdf9
SHA1

c05f17efae43c16bf5efd3e3c5e1f3548c572e98
SHA256

d8eea48101d16675eab4b0263d801425405565d80057839513e00d1717c6dc7a
SHA512

902620925513e4d9235250756e6a2bd1de06c50f1d70760222fc858ce3547c65894b9ab6c122c9cc8b6247438e69681f80526b8f5b91c087967cf1b254cf21e3
SSDEEP

24576:LZA5Md+xdHP0J6wfwnriXWYXbsdmTHdUHlRRrc5Pi7OQMCeMwVrGOUfp7O:L3SdY6OwriXWQsdmbdelRdkai4eMw5Gk

Score

10^/10

systembc trojan

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1648 912 WerFault.exe rundll32.exe

pid	pid_target	process	target process
1648	912	WerFault.exe	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1632 wrote to memory of 912	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 912	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 912	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 912	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 912	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 912	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 912	1632	rundll32.exe	rundll32.exe
PID 912 wrote to memory of 1648	912	rundll32.exe	WerFault.exe
PID 912 wrote to memory of 1648	912	rundll32.exe	WerFault.exe
PID 912 wrote to memory of 1648	912	rundll32.exe	WerFault.exe
PID 912 wrote to memory of 1648	912	rundll32.exe	WerFault.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1716-56-0x0000000010000000-0x000000001013B000-memory.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1716-56-0x0000000010000000-0x000000001013B000-memory.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 912 -s 196
3⤵
- Program crash
PID:1648

memory/912-54-0x0000000000000000-mapping.dmp

Download
memory/912-55-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/912-57-0x0000000010000000-0x000000001013B000-memory.dmp

Filesize
1.2MB

Download
memory/1648-56-0x0000000000000000-mapping.dmp

Download