systembc | 0afe06f881b9258506cfe831a2b489859c60a08747beba00461cd99c3b0b9f0b

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
13-08-2023 07:24

Target

0afe06f881b9258506cfe831a2b489859c60a08747beba00461cd99c3b0b9f0b.exe
Size

178KB
MD5

8832f51c590d70cd12116f8f330cc31c
SHA1

f4fd64ddf8dbf0c079485b84e463849c158b2b29
SHA256

0afe06f881b9258506cfe831a2b489859c60a08747beba00461cd99c3b0b9f0b
SHA512

7bbf94d5b232d7b79911f55efbf5fbb6260861914e0345525d930756169fe263ea0923772166d1199985bf1ad8a43bc9a372a4c9e1abfb9604cec28ee3f5f799
SSDEEP

3072:ljLeiNX7DF31RzcUPwpmAoNExCRSR3aFxc:l6eX7DFbPkIpPc

Score

10^/10

systembc trojan

Family

systembc

62.182.82.33:1488

usaf.army:1488

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Drops file in Windows directory 2 IoCs

Processes:

0afe06f881b9258506cfe831a2b489859c60a08747beba00461cd99c3b0b9f0b.exe

description	ioc	process
File created	C:\Windows\Tasks\wow64.job	0afe06f881b9258506cfe831a2b489859c60a08747beba00461cd99c3b0b9f0b.exe
File opened for modification	C:\Windows\Tasks\wow64.job	0afe06f881b9258506cfe831a2b489859c60a08747beba00461cd99c3b0b9f0b.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 2560 wrote to memory of 2612	2560	taskeng.exe	0afe06f881b9258506cfe831a2b489859c60a08747beba00461cd99c3b0b9f0b.exe
PID 2560 wrote to memory of 2612	2560	taskeng.exe	0afe06f881b9258506cfe831a2b489859c60a08747beba00461cd99c3b0b9f0b.exe
PID 2560 wrote to memory of 2612	2560	taskeng.exe	0afe06f881b9258506cfe831a2b489859c60a08747beba00461cd99c3b0b9f0b.exe
PID 2560 wrote to memory of 2612	2560	taskeng.exe	0afe06f881b9258506cfe831a2b489859c60a08747beba00461cd99c3b0b9f0b.exe

C:\Users\Admin\AppData\Local\Temp\0afe06f881b9258506cfe831a2b489859c60a08747beba00461cd99c3b0b9f0b.exe
"C:\Users\Admin\AppData\Local\Temp\0afe06f881b9258506cfe831a2b489859c60a08747beba00461cd99c3b0b9f0b.exe"
1⤵
- Drops file in Windows directory
PID:2248

C:\Windows\system32\taskeng.exe
taskeng.exe {A54A3535-E9E2-480D-8549-A9956B947A58} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Users\Admin\AppData\Local\Temp\0afe06f881b9258506cfe831a2b489859c60a08747beba00461cd99c3b0b9f0b.exe
  C:\Users\Admin\AppData\Local\Temp\0afe06f881b9258506cfe831a2b489859c60a08747beba00461cd99c3b0b9f0b.exe start
  2⤵
  PID:2612

memory/2248-55-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2248-56-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download
memory/2248-57-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2248-64-0x00000000005F0000-0x00000000006F0000-memory.dmp

Filesize
1024KB

Download
memory/2612-61-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/2612-62-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download
memory/2612-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2612-67-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download