systembc | 52d1b27dddcf8fc24ea4258f108fc186feeaa95d9b882341c7a49a5d8b819436

Analysis

max time kernel
150s
max time network
164s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
12-02-2023 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca810ef2745de0c5636e539a80fc3467.exe
Size

240KB
MD5

ca810ef2745de0c5636e539a80fc3467
SHA1

28d303ec336b54aa0ed4796e93481f788428f4b3
SHA256

52d1b27dddcf8fc24ea4258f108fc186feeaa95d9b882341c7a49a5d8b819436
SHA512

58e788b25302a3c3f29dd95fab61c74ef3971d3ea654c66ca3446a878f29e129a286cf7170bde023435b9328f98224774089ff08005d957ae6245d02ab9c92de
SSDEEP

3072:cVvnL5hvxGKtzu5vP5XNfO3uvIjpgxGvQjohdBcf0EmoZgRbR8pgX:aLNGKtUdG3uv8pgxmQjoyftccpgX

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

109.205.214.18:443

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

tohnoj.exe

pid process

1620 tohnoj.exe

pid	process
1620	tohnoj.exe

Drops file in Windows directory 2 IoCs

Processes:

ca810ef2745de0c5636e539a80fc3467.exe

description	ioc	process
File opened for modification	C:\Windows\Tasks\tohnoj.job	ca810ef2745de0c5636e539a80fc3467.exe
File created	C:\Windows\Tasks\tohnoj.job	ca810ef2745de0c5636e539a80fc3467.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ca810ef2745de0c5636e539a80fc3467.exe

pid process

1232 ca810ef2745de0c5636e539a80fc3467.exe

pid	process
1232	ca810ef2745de0c5636e539a80fc3467.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1576 wrote to memory of 1620	1576	taskeng.exe	tohnoj.exe
PID 1576 wrote to memory of 1620	1576	taskeng.exe	tohnoj.exe
PID 1576 wrote to memory of 1620	1576	taskeng.exe	tohnoj.exe
PID 1576 wrote to memory of 1620	1576	taskeng.exe	tohnoj.exe

C:\Users\Admin\AppData\Local\Temp\ca810ef2745de0c5636e539a80fc3467.exe
"C:\Users\Admin\AppData\Local\Temp\ca810ef2745de0c5636e539a80fc3467.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:1232

C:\Windows\system32\taskeng.exe
taskeng.exe {15080C1B-E824-4AFB-ABDB-46633D7546BB} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\ProgramData\mnalo\tohnoj.exe
C:\ProgramData\mnalo\tohnoj.exe start
2⤵
- Executes dropped EXE
PID:1620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mnalo\tohnoj.exe
Filesize
240KB

MD5
ca810ef2745de0c5636e539a80fc3467

SHA1
28d303ec336b54aa0ed4796e93481f788428f4b3

SHA256
52d1b27dddcf8fc24ea4258f108fc186feeaa95d9b882341c7a49a5d8b819436

SHA512
58e788b25302a3c3f29dd95fab61c74ef3971d3ea654c66ca3446a878f29e129a286cf7170bde023435b9328f98224774089ff08005d957ae6245d02ab9c92de

Download Submit
C:\ProgramData\mnalo\tohnoj.exe
Filesize
240KB

MD5
ca810ef2745de0c5636e539a80fc3467

SHA1
28d303ec336b54aa0ed4796e93481f788428f4b3

SHA256
52d1b27dddcf8fc24ea4258f108fc186feeaa95d9b882341c7a49a5d8b819436

SHA512
58e788b25302a3c3f29dd95fab61c74ef3971d3ea654c66ca3446a878f29e129a286cf7170bde023435b9328f98224774089ff08005d957ae6245d02ab9c92de

Download Submit
memory/1232-56-0x0000000000648000-0x0000000000659000-memory.dmp

Filesize
68KB

Download
memory/1232-54-0x0000000000648000-0x0000000000659000-memory.dmp

Filesize
68KB

Download
memory/1232-58-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1232-57-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1232-55-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1232-66-0x0000000000648000-0x0000000000659000-memory.dmp

Filesize
68KB

Download
memory/1232-68-0x0000000000648000-0x0000000000659000-memory.dmp

Filesize
68KB

Download
memory/1620-60-0x0000000000000000-mapping.dmp

Download
memory/1620-62-0x0000000000638000-0x0000000000649000-memory.dmp

Filesize
68KB

Download
memory/1620-64-0x0000000000638000-0x0000000000649000-memory.dmp

Filesize
68KB

Download
memory/1620-65-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1620-67-0x0000000000638000-0x0000000000649000-memory.dmp

Filesize
68KB

Download