systembc | 922ceb1d012920ad840955075cde0d92829d179d67e7116ebb97b61214d1b537

Analysis

max time kernel
144s
max time network
150s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
07/10/2023, 05:39

Target

0229b0ed2674e64d663aadcd2d289315b73b14b43b35101ff4fd69456b7c5557.exe
Size

1.0MB
MD5

17fc1332bb8885026657c75511954e07
SHA1

9ebbd2f605e5d470db176376928b47940afc1565
SHA256

0229b0ed2674e64d663aadcd2d289315b73b14b43b35101ff4fd69456b7c5557
SHA512

0c38b4af0630d9d25aadb653aa9923b751852084db41002c3c78f6aa52a9fe77483237161f7f335ed49679e38007807cf6733a015da4c30824c069910e0061c1
SSDEEP

24576:fsCTOsw3FBos9fcWKV7lI93TaSUk5wHocSRTIJCHXjqCrD:ftoK4vuy3Tz2IcuTmC3/

Score

10^/10

systembc trojan

Family

systembc

162.33.179.100:443

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\wow64.job	0229b0ed2674e64d663aadcd2d289315b73b14b43b35101ff4fd69456b7c5557.exe
File opened for modification	C:\Windows\Tasks\wow64.job	0229b0ed2674e64d663aadcd2d289315b73b14b43b35101ff4fd69456b7c5557.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1960	2212	taskeng.exe	29
PID 2212 wrote to memory of 1960	2212	taskeng.exe	29
PID 2212 wrote to memory of 1960	2212	taskeng.exe	29
PID 2212 wrote to memory of 1960	2212	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\0229b0ed2674e64d663aadcd2d289315b73b14b43b35101ff4fd69456b7c5557.exe
"C:\Users\Admin\AppData\Local\Temp\0229b0ed2674e64d663aadcd2d289315b73b14b43b35101ff4fd69456b7c5557.exe"
1⤵
- Drops file in Windows directory
PID:2928

C:\Windows\system32\taskeng.exe
taskeng.exe {23DDA98D-456C-4778-A483-FD8C7D408C3F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\0229b0ed2674e64d663aadcd2d289315b73b14b43b35101ff4fd69456b7c5557.exe
  C:\Users\Admin\AppData\Local\Temp\0229b0ed2674e64d663aadcd2d289315b73b14b43b35101ff4fd69456b7c5557.exe start
  2⤵
  PID:1960

memory/1960-9-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1960-14-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1960-12-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1960-11-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/1960-10-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2928-3-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2928-6-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2928-5-0x00000000003A0000-0x00000000003A5000-memory.dmp

Filesize
20KB

Download
memory/2928-4-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download
memory/2928-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2928-2-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2928-13-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2928-1-0x0000000001EE0000-0x0000000001F6A000-memory.dmp

Filesize
552KB

Download
memory/2928-15-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download