systembc | 65f3162d46b247a9b79ace4c19e6ad81c5aa00a2229a6557f377f9ced697df01

Analysis

max time kernel
300s
max time network
304s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
10-05-2023 15:16

Target

stop.exe
Size

130KB
MD5

5c725d083f3929b5c523f6f068560669
SHA1

4b9f51c3cfa859456c4cce74442a4acd70cd7b55
SHA256

65f3162d46b247a9b79ace4c19e6ad81c5aa00a2229a6557f377f9ced697df01
SHA512

014b8a79c36fb1075a12edfad71e939d03822b7c3c9a5fb3a46cb39bfc92322e053997d39150b6503e3bb6c1817cb661493d8721e8011e5244867afbb1dac864
SSDEEP

1536:3zJc6F17L992+zfTmnsO4W1QpaonFGIkuwe31Q5LeI5xry0pvK/MlOWJryGOvaZ:CO7v2wfpHMmF31Q5nvrFRK/QXrjAw

Score

10^/10

systembc trojan

Family

systembc

69.49.231.218:4001

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Drops file in Windows directory 2 IoCs

Processes:

stop.exe

description ioc process

File created C:\Windows\Tasks\wow64.job stop.exe
File opened for modification C:\Windows\Tasks\wow64.job stop.exe

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	stop.exe
File opened for modification	C:\Windows\Tasks\wow64.job	stop.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 1396 wrote to memory of 1328	1396	taskeng.exe	stop.exe
PID 1396 wrote to memory of 1328	1396	taskeng.exe	stop.exe
PID 1396 wrote to memory of 1328	1396	taskeng.exe	stop.exe
PID 1396 wrote to memory of 1328	1396	taskeng.exe	stop.exe

C:\Users\Admin\AppData\Local\Temp\stop.exe
"C:\Users\Admin\AppData\Local\Temp\stop.exe"
1⤵
- Drops file in Windows directory
PID:1092

C:\Windows\system32\taskeng.exe
taskeng.exe {3C4476CB-EE18-423B-B74F-27D936C8B2B6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\Temp\stop.exe
C:\Users\Admin\AppData\Local\Temp\stop.exe start
2⤵
PID:1328

memory/1092-55-0x0000000000220000-0x0000000000226000-memory.dmp

Filesize
24KB

Download
memory/1092-56-0x0000000000230000-0x0000000000235000-memory.dmp

Filesize
20KB

Download
memory/1092-58-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1328-65-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download