systembc | cfb1fd0adf528fcf14647cf3fcd85fb7e4fddd2167b36f9e8b2424b62453df28

Analysis

max time kernel
129s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 15:28

Target

0x0006000000015679-49.exe
Size

16KB
MD5

4f01c3d7439dde153ff0110a26e2a71c
SHA1

40d7203ad4e1fd40e13a56e6f747ee480740873c
SHA256

cfb1fd0adf528fcf14647cf3fcd85fb7e4fddd2167b36f9e8b2424b62453df28
SHA512

513d09b80e1ac80813bc691e71cdf5348478157350e43b9daed27741b7f5a7a16b2ae4d88ee9951395747c7f2a93ff0c1f2c3753a9e3bad2e2607767a1e3d28e
SSDEEP

384:rC+AHNZw/WnlrobdglGbLMoy+yG+yir1dV:r0gklrydgQP1yO67V

Score

10^/10

systembc trojan

Family

systembc

cobusabobus.cam:4001

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Executes dropped EXE 2 IoCs

pid	Process
2944	npcjung.exe
1716	npcjung.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\npcjung.job	0x0006000000015679-49.exe
File opened for modification	C:\Windows\Tasks\npcjung.job	0x0006000000015679-49.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1632	0x0006000000015679-49.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2944	1720	taskeng.exe	29
PID 1720 wrote to memory of 2944	1720	taskeng.exe	29
PID 1720 wrote to memory of 2944	1720	taskeng.exe	29
PID 1720 wrote to memory of 2944	1720	taskeng.exe	29
PID 1720 wrote to memory of 1716	1720	taskeng.exe	32
PID 1720 wrote to memory of 1716	1720	taskeng.exe	32
PID 1720 wrote to memory of 1716	1720	taskeng.exe	32
PID 1720 wrote to memory of 1716	1720	taskeng.exe	32

C:\Windows\system32\taskeng.exe
taskeng.exe {9492E525-2B16-4E65-9AD8-2D5B0F235069} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1720
- C:\ProgramData\mfowpxi\npcjung.exe
  C:\ProgramData\mfowpxi\npcjung.exe start2
  2⤵
  - Executes dropped EXE
  PID:2944
- C:\ProgramData\mfowpxi\npcjung.exe
  C:\ProgramData\mfowpxi\npcjung.exe start2
  2⤵
  - Executes dropped EXE
  PID:1716

C:\ProgramData\mfowpxi\npcjung.exe

Filesize
16KB

MD5
4f01c3d7439dde153ff0110a26e2a71c

SHA1
40d7203ad4e1fd40e13a56e6f747ee480740873c

SHA256
cfb1fd0adf528fcf14647cf3fcd85fb7e4fddd2167b36f9e8b2424b62453df28

SHA512
513d09b80e1ac80813bc691e71cdf5348478157350e43b9daed27741b7f5a7a16b2ae4d88ee9951395747c7f2a93ff0c1f2c3753a9e3bad2e2607767a1e3d28e

Download Submit