systembc | fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
15-06-2023 23:58

Target

i.exe
Size

218KB
MD5

cdc67700f25eaed1417264c4bdec03d3
SHA1

56639e9414e6ee8394d940d62778475ddf071290
SHA256

fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100
SHA512

a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038
SSDEEP

3072:ErayULJ3h3C59R+rVZxzAskAGbhAzT69ohOP+L+h7b/MxuCwLgNHCDml:E2yUL1JC4fxUspGbhgT62hO2LC2HCa

Score

10^/10

systembc trojan

Family

systembc

109.205.214.18:443

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 1 IoCs

Processes:

aslav.exe

pid process

1516 aslav.exe
Drops file in Windows directory 2 IoCs

Processes:

i.exe

description ioc process

File created C:\Windows\Tasks\aslav.job i.exe
File opened for modification C:\Windows\Tasks\aslav.job i.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

i.exe

pid process

1108 i.exe

pid	process
1516	aslav.exe

description	ioc	process
File created	C:\Windows\Tasks\aslav.job	i.exe
File opened for modification	C:\Windows\Tasks\aslav.job	i.exe

pid	process
1108	i.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 920 wrote to memory of 1516	920	taskeng.exe	aslav.exe
PID 920 wrote to memory of 1516	920	taskeng.exe	aslav.exe
PID 920 wrote to memory of 1516	920	taskeng.exe	aslav.exe
PID 920 wrote to memory of 1516	920	taskeng.exe	aslav.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {0BF4E524-8AAC-474A-894A-67E4DF4944AC} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\ProgramData\kesxch\aslav.exe
C:\ProgramData\kesxch\aslav.exe start
2⤵
- Executes dropped EXE
PID:1516

C:\ProgramData\kesxch\aslav.exe

Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\ProgramData\kesxch\aslav.exe

Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
memory/1108-55-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1108-56-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/1516-64-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download