systembc | 7dea671be77a2ca5772b86cf8831b02bff0567bce6a3ae023825aa40354f8aca | Triage

Analysis

max time kernel
31s
max time network
143s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
15-02-2023 20:26

Sharing

Report Analysis Logs

General

Target

svhost.dll
Size

179KB
MD5

8fcb6fb21b4326466378991e42ce9865
SHA1

dd27145d9e4ec4a921b664183a9cbebee568c234
SHA256

7dea671be77a2ca5772b86cf8831b02bff0567bce6a3ae023825aa40354f8aca
SHA512

b27e95893c3651ac5f1de42924a2ccf01669ed50809ecbb1f0edd1211a754bfc1566b55cda58649162d2d55efbfe61ee470b84f225084e8d277d0c7c77622281
SSDEEP

3072:CisRnzAl7X/AZfRn6sbQ6rQ7oWYRq+bWxfMlOrFj2jA2yR4l3LCtrv7fuVfkkIko:C7zMr8Jn6qrQuINtydq5E7

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

45.77.195.73:443

192.168.1.28:443

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

1 1356 rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 856 wrote to memory of 1356	856	rundll32.exe	rundll32.exe
PID 856 wrote to memory of 1356	856	rundll32.exe	rundll32.exe
PID 856 wrote to memory of 1356	856	rundll32.exe	rundll32.exe
PID 856 wrote to memory of 1356	856	rundll32.exe	rundll32.exe
PID 856 wrote to memory of 1356	856	rundll32.exe	rundll32.exe
PID 856 wrote to memory of 1356	856	rundll32.exe	rundll32.exe
PID 856 wrote to memory of 1356	856	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\svhost.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:856

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\svhost.dll,#1
2⤵
- Blocklisted process makes network request
PID:1356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1356-54-0x0000000000000000-mapping.dmp

Download
memory/1356-55-0x0000000075C11000-0x0000000075C13000-memory.dmp

Filesize
8KB

Download
memory/1356-56-0x00000000000C0000-0x00000000000C4000-memory.dmp

Filesize
16KB

Download
memory/1356-57-0x0000000000120000-0x0000000000125000-memory.dmp

Filesize
20KB

Download