systembc | 16f83c2411ad3201c35adc4e5075ee2c41a7035ce3c7e52475c7da7ae8484e92

Analysis

max time kernel
139s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 14:38

Target

e53dc87e496e8b9e798419bbbdc6ab953d7f1d08a54546cb3b2aabced1b88bed.exe
Size

257KB
MD5

78400d204259c4c300db3f0a0860f0db
SHA1

29ae354a21bcd73e4120d31a00761012516be92b
SHA256

16f83c2411ad3201c35adc4e5075ee2c41a7035ce3c7e52475c7da7ae8484e92
SHA512

eaa449229c779a13d8d8f57b628922354b9d8e8057c51041dd4dd6098866b43cf25111818bfdf41be325472f7a89f4999711de90087e22639fbf96129797bcfd
SSDEEP

3072:4ps9dTWkOWk4E5UoLTJ+DLBFYYYYYxxXc:Q6dTWFKE5Bm90

Score

10^/10

systembc trojan

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Executes dropped EXE 2 IoCs

pid	Process
2768	hvsawkq.exe
1088	hvsawkq.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\corolina17.job	e53dc87e496e8b9e798419bbbdc6ab953d7f1d08a54546cb3b2aabced1b88bed.exe
File opened for modification	C:\Windows\Tasks\corolina17.job	e53dc87e496e8b9e798419bbbdc6ab953d7f1d08a54546cb3b2aabced1b88bed.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2300	e53dc87e496e8b9e798419bbbdc6ab953d7f1d08a54546cb3b2aabced1b88bed.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 2768	2780	taskeng.exe	29
PID 2780 wrote to memory of 2768	2780	taskeng.exe	29
PID 2780 wrote to memory of 2768	2780	taskeng.exe	29
PID 2780 wrote to memory of 2768	2780	taskeng.exe	29
PID 2780 wrote to memory of 1088	2780	taskeng.exe	32
PID 2780 wrote to memory of 1088	2780	taskeng.exe	32
PID 2780 wrote to memory of 1088	2780	taskeng.exe	32
PID 2780 wrote to memory of 1088	2780	taskeng.exe	32

C:\Windows\system32\taskeng.exe
taskeng.exe {C5646DB4-FDE1-4881-8E0F-89F4593B3CEB} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2780
- C:\ProgramData\krpr\hvsawkq.exe
  C:\ProgramData\krpr\hvsawkq.exe start2
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\ProgramData\krpr\hvsawkq.exe
  C:\ProgramData\krpr\hvsawkq.exe start2
  2⤵
  - Executes dropped EXE
  PID:1088

C:\ProgramData\krpr\hvsawkq.exe

Filesize
257KB

MD5
78400d204259c4c300db3f0a0860f0db

SHA1
29ae354a21bcd73e4120d31a00761012516be92b

SHA256
16f83c2411ad3201c35adc4e5075ee2c41a7035ce3c7e52475c7da7ae8484e92

SHA512
eaa449229c779a13d8d8f57b628922354b9d8e8057c51041dd4dd6098866b43cf25111818bfdf41be325472f7a89f4999711de90087e22639fbf96129797bcfd

Download Submit
memory/1088-23-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2300-0-0x0000000000230000-0x0000000000234000-memory.dmp

Filesize
16KB

Download
memory/2300-1-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2768-8-0x00000000002B0000-0x00000000002B4000-memory.dmp

Filesize
16KB

Download
memory/2768-9-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download