systembc | 120fa0aa63598735bd316759edc1de341d089f391adf67b356039f1e706655e7

Analysis

max time kernel
145s
max time network
152s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
04/02/2024, 09:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8ed5f474476b8ac49a1ba0ac9222feae.exe
Size

3.1MB
MD5

8ed5f474476b8ac49a1ba0ac9222feae
SHA1

19e127533f8b6ab97cad19c6e5e66c33d092360a
SHA256

120fa0aa63598735bd316759edc1de341d089f391adf67b356039f1e706655e7
SHA512

05fcf09eb1901bef898fb793485329ea6190f7dd9d94214848c83172471e509fb0b94345e1fbd4ba93c226601a08d46dff99d4fdb7f317a3a86f0eec3bf98900
SSDEEP

24576:hbQ9TxD/areLtr0CboOCxJJgK9MNjDS5BYS7EY7EomsVjB1CxY4W3TGmsDA2hTE4:ZwFa6xRMO/S5iS40B1GY4W3vsDPTEx2

Score

10^/10

systembc trojan

Malware Config

Extracted

Family

systembc

109.201.142.52:8080

192.53.123.202:8080

Signatures

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Tasks\wow64.job	8ed5f474476b8ac49a1ba0ac9222feae.exe
File created	C:\Windows\Tasks\wow64.job	8ed5f474476b8ac49a1ba0ac9222feae.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2040	8ed5f474476b8ac49a1ba0ac9222feae.exe
2040	8ed5f474476b8ac49a1ba0ac9222feae.exe
2040	8ed5f474476b8ac49a1ba0ac9222feae.exe
2040	8ed5f474476b8ac49a1ba0ac9222feae.exe
2040	8ed5f474476b8ac49a1ba0ac9222feae.exe
2040	8ed5f474476b8ac49a1ba0ac9222feae.exe
2040	8ed5f474476b8ac49a1ba0ac9222feae.exe
2040	8ed5f474476b8ac49a1ba0ac9222feae.exe
2040	8ed5f474476b8ac49a1ba0ac9222feae.exe
2040	8ed5f474476b8ac49a1ba0ac9222feae.exe
2040	8ed5f474476b8ac49a1ba0ac9222feae.exe
2040	8ed5f474476b8ac49a1ba0ac9222feae.exe
2040	8ed5f474476b8ac49a1ba0ac9222feae.exe
2040	8ed5f474476b8ac49a1ba0ac9222feae.exe
2040	8ed5f474476b8ac49a1ba0ac9222feae.exe
2040	8ed5f474476b8ac49a1ba0ac9222feae.exe
2040	8ed5f474476b8ac49a1ba0ac9222feae.exe
2040	8ed5f474476b8ac49a1ba0ac9222feae.exe
2040	8ed5f474476b8ac49a1ba0ac9222feae.exe
2040	8ed5f474476b8ac49a1ba0ac9222feae.exe
2720	8ed5f474476b8ac49a1ba0ac9222feae.exe
2720	8ed5f474476b8ac49a1ba0ac9222feae.exe
2720	8ed5f474476b8ac49a1ba0ac9222feae.exe
2720	8ed5f474476b8ac49a1ba0ac9222feae.exe
2720	8ed5f474476b8ac49a1ba0ac9222feae.exe
2720	8ed5f474476b8ac49a1ba0ac9222feae.exe
2720	8ed5f474476b8ac49a1ba0ac9222feae.exe
2720	8ed5f474476b8ac49a1ba0ac9222feae.exe
2720	8ed5f474476b8ac49a1ba0ac9222feae.exe
2720	8ed5f474476b8ac49a1ba0ac9222feae.exe
2720	8ed5f474476b8ac49a1ba0ac9222feae.exe
2720	8ed5f474476b8ac49a1ba0ac9222feae.exe
2720	8ed5f474476b8ac49a1ba0ac9222feae.exe
2720	8ed5f474476b8ac49a1ba0ac9222feae.exe
2720	8ed5f474476b8ac49a1ba0ac9222feae.exe
2720	8ed5f474476b8ac49a1ba0ac9222feae.exe
2720	8ed5f474476b8ac49a1ba0ac9222feae.exe
2720	8ed5f474476b8ac49a1ba0ac9222feae.exe
2720	8ed5f474476b8ac49a1ba0ac9222feae.exe
2720	8ed5f474476b8ac49a1ba0ac9222feae.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 2720	1944	taskeng.exe	29
PID 1944 wrote to memory of 2720	1944	taskeng.exe	29
PID 1944 wrote to memory of 2720	1944	taskeng.exe	29
PID 1944 wrote to memory of 2720	1944	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\8ed5f474476b8ac49a1ba0ac9222feae.exe
"C:\Users\Admin\AppData\Local\Temp\8ed5f474476b8ac49a1ba0ac9222feae.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2040

C:\Windows\system32\taskeng.exe
taskeng.exe {6FF1824B-5383-42FE-A9F6-5AD015538766} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Users\Admin\AppData\Local\Temp\8ed5f474476b8ac49a1ba0ac9222feae.exe
  C:\Users\Admin\AppData\Local\Temp\8ed5f474476b8ac49a1ba0ac9222feae.exe start
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2040-0-0x0000000000400000-0x000000000073C000-memory.dmp

Filesize
3.2MB

Download
memory/2040-1-0x0000000000220000-0x000000000029B000-memory.dmp

Filesize
492KB

Download
memory/2040-2-0x0000000077C4F000-0x0000000077C50000-memory.dmp

Filesize
4KB

Download
memory/2040-4-0x0000000001F60000-0x00000000020E0000-memory.dmp

Filesize
1.5MB

Download
memory/2040-3-0x00000000002D0000-0x00000000002D7000-memory.dmp

Filesize
28KB

Download
memory/2040-12-0x0000000000220000-0x000000000029B000-memory.dmp

Filesize
492KB

Download
memory/2720-7-0x0000000000400000-0x000000000073C000-memory.dmp

Filesize
3.2MB

Download
memory/2720-8-0x00000000002E0000-0x000000000035B000-memory.dmp

Filesize
492KB

Download
memory/2720-9-0x0000000000750000-0x0000000000757000-memory.dmp

Filesize
28KB

Download
memory/2720-10-0x0000000000D20000-0x0000000000EA0000-memory.dmp

Filesize
1.5MB

Download
memory/2720-16-0x00000000002E0000-0x000000000035B000-memory.dmp

Filesize
492KB

Download