systembc | 6278b1a4d8a19c7ac40ee309c100924427fb35028f3eadb96112c9b70c3a0d59

Analysis

max time kernel
181s
max time network
180s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
07-05-2023 05:15

Target

a20d99e025fb23ba51d38a975bc10de5.exe
Size

153KB
MD5

a20d99e025fb23ba51d38a975bc10de5
SHA1

6d58a7dc6f4e84ed6cf70fb154e6af3193ff4045
SHA256

6278b1a4d8a19c7ac40ee309c100924427fb35028f3eadb96112c9b70c3a0d59
SHA512

a99ea0bc3d947e5048d92f8e5bdf1745c5d428f2934e29cb2d4f7d3bea029a467e01f28fdc5f09390141b80ad80e016b5b9171fb3b4bf2bd0e0a84a6d9328198
SSDEEP

3072:lbUHG5euMB5Y7S8TmACM+nhICbBUw3r5x:0uqYe8qAbCTz

Score

10^/10

systembc trojan

Family

systembc

141.98.82.229:4001

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

ksdioge.exe

pid process

1724 ksdioge.exe

pid	process
1724	ksdioge.exe

Drops file in Windows directory 2 IoCs

Processes:

a20d99e025fb23ba51d38a975bc10de5.exe

description	ioc	process
File created	C:\Windows\Tasks\ksdioge.job	a20d99e025fb23ba51d38a975bc10de5.exe
File opened for modification	C:\Windows\Tasks\ksdioge.job	a20d99e025fb23ba51d38a975bc10de5.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

a20d99e025fb23ba51d38a975bc10de5.exe

pid process

1176 a20d99e025fb23ba51d38a975bc10de5.exe

pid	process
1176	a20d99e025fb23ba51d38a975bc10de5.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1924 wrote to memory of 1724	1924	taskeng.exe	ksdioge.exe
PID 1924 wrote to memory of 1724	1924	taskeng.exe	ksdioge.exe
PID 1924 wrote to memory of 1724	1924	taskeng.exe	ksdioge.exe
PID 1924 wrote to memory of 1724	1924	taskeng.exe	ksdioge.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {5CA8DAEE-2FBF-4BF6-BEEE-61E55CA09673} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\ProgramData\urhkg\ksdioge.exe
C:\ProgramData\urhkg\ksdioge.exe start
2⤵
- Executes dropped EXE
PID:1724

C:\ProgramData\urhkg\ksdioge.exe

Filesize
153KB

MD5
a20d99e025fb23ba51d38a975bc10de5

SHA1
6d58a7dc6f4e84ed6cf70fb154e6af3193ff4045

SHA256
6278b1a4d8a19c7ac40ee309c100924427fb35028f3eadb96112c9b70c3a0d59

SHA512
a99ea0bc3d947e5048d92f8e5bdf1745c5d428f2934e29cb2d4f7d3bea029a467e01f28fdc5f09390141b80ad80e016b5b9171fb3b4bf2bd0e0a84a6d9328198

Download Submit
C:\ProgramData\urhkg\ksdioge.exe

Filesize
153KB

MD5
a20d99e025fb23ba51d38a975bc10de5

SHA1
6d58a7dc6f4e84ed6cf70fb154e6af3193ff4045

SHA256
6278b1a4d8a19c7ac40ee309c100924427fb35028f3eadb96112c9b70c3a0d59

SHA512
a99ea0bc3d947e5048d92f8e5bdf1745c5d428f2934e29cb2d4f7d3bea029a467e01f28fdc5f09390141b80ad80e016b5b9171fb3b4bf2bd0e0a84a6d9328198

Download Submit
memory/1176-55-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1176-56-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/1724-71-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download