systembc | 6fe218dea5435f56596a29a9d68614b9d4eb7615bb216897cced2d1aec586431

Analysis

max time kernel
143s
max time network
149s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30-03-2023 17:20

Target

44c9814d3dba7526300bfee720853ea2.exe
Size

145KB
MD5

44c9814d3dba7526300bfee720853ea2
SHA1

ec239ce6d39a144a7a78aa623298e756548f1634
SHA256

6fe218dea5435f56596a29a9d68614b9d4eb7615bb216897cced2d1aec586431
SHA512

ba2991eebcee48d92a8fcc3dd783791d8c3dd523aa98b8bfe3909587692c848874d4d703a9277428465c6d37a66333dad71bc6efa949b824932fa4e1606e36bd
SSDEEP

3072:ETCKOJL9+xhMcgMUzcuNJ6G7V5bnqouw1NckiTdI4O:EO5L9AWzb6mqoT8v

Score

10^/10

systembc trojan

Family

systembc

45.182.189.231:443

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

jtoadlv.exe

pid process

1440 jtoadlv.exe

pid	process
1440	jtoadlv.exe

Drops file in Windows directory 2 IoCs

Processes:

44c9814d3dba7526300bfee720853ea2.exe

description	ioc	process
File created	C:\Windows\Tasks\jtoadlv.job	44c9814d3dba7526300bfee720853ea2.exe
File opened for modification	C:\Windows\Tasks\jtoadlv.job	44c9814d3dba7526300bfee720853ea2.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

44c9814d3dba7526300bfee720853ea2.exe

pid process

1388 44c9814d3dba7526300bfee720853ea2.exe

pid	process
1388	44c9814d3dba7526300bfee720853ea2.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 928 wrote to memory of 1440	928	taskeng.exe	jtoadlv.exe
PID 928 wrote to memory of 1440	928	taskeng.exe	jtoadlv.exe
PID 928 wrote to memory of 1440	928	taskeng.exe	jtoadlv.exe
PID 928 wrote to memory of 1440	928	taskeng.exe	jtoadlv.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {33DFDED4-335C-4980-A3F6-20FA901B4267} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:928

C:\ProgramData\tcrp\jtoadlv.exe
C:\ProgramData\tcrp\jtoadlv.exe start
2⤵
- Executes dropped EXE
PID:1440

C:\ProgramData\tcrp\jtoadlv.exe
Filesize
145KB

MD5
44c9814d3dba7526300bfee720853ea2

SHA1
ec239ce6d39a144a7a78aa623298e756548f1634

SHA256
6fe218dea5435f56596a29a9d68614b9d4eb7615bb216897cced2d1aec586431

SHA512
ba2991eebcee48d92a8fcc3dd783791d8c3dd523aa98b8bfe3909587692c848874d4d703a9277428465c6d37a66333dad71bc6efa949b824932fa4e1606e36bd

Download Submit
C:\ProgramData\tcrp\jtoadlv.exe
Filesize
145KB

MD5
44c9814d3dba7526300bfee720853ea2

SHA1
ec239ce6d39a144a7a78aa623298e756548f1634

SHA256
6fe218dea5435f56596a29a9d68614b9d4eb7615bb216897cced2d1aec586431

SHA512
ba2991eebcee48d92a8fcc3dd783791d8c3dd523aa98b8bfe3909587692c848874d4d703a9277428465c6d37a66333dad71bc6efa949b824932fa4e1606e36bd

Download Submit
memory/1388-55-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1388-56-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/1440-70-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download