systembc | 7dea671be77a2ca5772b86cf8831b02bff0567bce6a3ae023825aa40354f8aca | Triage

Analysis

max time kernel
174s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
15-02-2023 20:26

Sharing

Report Analysis Logs

General

Target

svhost.dll
Size

179KB
MD5

8fcb6fb21b4326466378991e42ce9865
SHA1

dd27145d9e4ec4a921b664183a9cbebee568c234
SHA256

7dea671be77a2ca5772b86cf8831b02bff0567bce6a3ae023825aa40354f8aca
SHA512

b27e95893c3651ac5f1de42924a2ccf01669ed50809ecbb1f0edd1211a754bfc1566b55cda58649162d2d55efbfe61ee470b84f225084e8d277d0c7c77622281
SSDEEP

3072:CisRnzAl7X/AZfRn6sbQ6rQ7oWYRq+bWxfMlOrFj2jA2yR4l3LCtrv7fuVfkkIko:C7zMr8Jn6qrQuINtydq5E7

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

C2

45.77.195.73:443

192.168.1.28:443

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5028 1700 WerFault.exe rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 1960 wrote to memory of 1700	1960	rundll32.exe	rundll32.exe
PID 1960 wrote to memory of 1700	1960	rundll32.exe	rundll32.exe
PID 1960 wrote to memory of 1700	1960	rundll32.exe	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\svhost.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\svhost.dll,#1
2⤵
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 628
3⤵
- Program crash
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1700 -ip 1700
1⤵
PID:4948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1700-132-0x0000000000000000-mapping.dmp

Download
memory/1700-133-0x0000000002EC0000-0x0000000002EC4000-memory.dmp

Filesize
16KB

Download
memory/1700-134-0x0000000002EE0000-0x0000000002EE5000-memory.dmp

Filesize
20KB

Download