systembc | 1bd1c5a709b98d3b13c3cb3572c1c409334807a05257555e8c11f7ddc0d17e36

Analysis

max time kernel
168s
max time network
215s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
09-02-2023 08:22

Target

6f21ef2acc3d9b4bb18800d61c61b2f4.exe
Size

827KB
MD5

6f21ef2acc3d9b4bb18800d61c61b2f4
SHA1

d176b38b567ce050c82ecb8b0e4e8cc44a7ea0e4
SHA256

1bd1c5a709b98d3b13c3cb3572c1c409334807a05257555e8c11f7ddc0d17e36
SHA512

45051de1630858e982b0a5050700b8dde734fa5e04d95720abaa137433d6a8239a15187638d88c0697d73641136248a9cace5f001eba4f744899da619ea90033
SSDEEP

1536:rvG6I+Lt6Pzw6u75dXWeBvfkkcCxauMjx2CaVcG15I4bzWXtmEQ:rvG6I+LUc6ul11cSkj8Rh15I417

Score

10^/10

systembc trojan

Family

systembc

inredrs5er.xyz:4116

s5s4txirgtrtin.com:4116

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

evxl.exe

pid process

268 evxl.exe

pid	process
268	evxl.exe

Drops file in Windows directory 2 IoCs

Processes:

6f21ef2acc3d9b4bb18800d61c61b2f4.exe

description	ioc	process
File created	C:\Windows\Tasks\evxl.job	6f21ef2acc3d9b4bb18800d61c61b2f4.exe
File opened for modification	C:\Windows\Tasks\evxl.job	6f21ef2acc3d9b4bb18800d61c61b2f4.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

6f21ef2acc3d9b4bb18800d61c61b2f4.exe

pid process

2016 6f21ef2acc3d9b4bb18800d61c61b2f4.exe

pid	process
2016	6f21ef2acc3d9b4bb18800d61c61b2f4.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 472 wrote to memory of 268	472	taskeng.exe	evxl.exe
PID 472 wrote to memory of 268	472	taskeng.exe	evxl.exe
PID 472 wrote to memory of 268	472	taskeng.exe	evxl.exe
PID 472 wrote to memory of 268	472	taskeng.exe	evxl.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {0C037BB6-C8C5-4D8C-884C-53DF10441898} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:472

C:\ProgramData\hciac\evxl.exe
C:\ProgramData\hciac\evxl.exe start2
2⤵
- Executes dropped EXE
PID:268

C:\ProgramData\hciac\evxl.exe
Filesize
827KB

MD5
6f21ef2acc3d9b4bb18800d61c61b2f4

SHA1
d176b38b567ce050c82ecb8b0e4e8cc44a7ea0e4

SHA256
1bd1c5a709b98d3b13c3cb3572c1c409334807a05257555e8c11f7ddc0d17e36

SHA512
45051de1630858e982b0a5050700b8dde734fa5e04d95720abaa137433d6a8239a15187638d88c0697d73641136248a9cace5f001eba4f744899da619ea90033

Download Submit
C:\ProgramData\hciac\evxl.exe
Filesize
827KB

MD5
6f21ef2acc3d9b4bb18800d61c61b2f4

SHA1
d176b38b567ce050c82ecb8b0e4e8cc44a7ea0e4

SHA256
1bd1c5a709b98d3b13c3cb3572c1c409334807a05257555e8c11f7ddc0d17e36

SHA512
45051de1630858e982b0a5050700b8dde734fa5e04d95720abaa137433d6a8239a15187638d88c0697d73641136248a9cace5f001eba4f744899da619ea90033

Download Submit
memory/268-59-0x0000000000000000-mapping.dmp

Download
memory/268-62-0x0000000000380000-0x0000000000396000-memory.dmp

Filesize
88KB

Download
memory/2016-54-0x00000000002C0000-0x00000000002D6000-memory.dmp

Filesize
88KB

Download
memory/2016-55-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download
memory/2016-56-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2016-57-0x00000000002C0000-0x00000000002D6000-memory.dmp

Filesize
88KB

Download