systembc | cc5bb638cb34cbd386a906b7708eb62e05e3fc991a20bd060e1d84f722d29ff1

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05-06-2024 15:34

Target

cc5bb638cb34cbd386a906b7708eb62e05e3fc991a20bd060e1d84f722d29ff1.exe
Size

16KB
MD5

c661a77c31f83c413a96b5537ad31989
SHA1

8a5a47e39a9efa9dc4de447d2ae4cd5e375e3557
SHA256

cc5bb638cb34cbd386a906b7708eb62e05e3fc991a20bd060e1d84f722d29ff1
SHA512

b86e45d36d8566b51f932f660ee9c3d79cea1a2eb34a9f7da7b2ccc5e50c74f319e8005e43d719c5722ec148ddddf1351a7f9edc430888e572b3884d1610b1aa
SSDEEP

384:rC+AHNZw/WnlrobdglGbLMoy+yG+yir1dV:r0gklrydgQP1yO67V

Score

10^/10

systembc trojan

Family

systembc

clwtumberaero.cyou:4001

185.43.220.45:4001

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Executes dropped EXE 2 IoCs

Processes:

vdofed.exevdofed.exe

pid process

2556 vdofed.exe
1644 vdofed.exe

pid	process
2556	vdofed.exe
1644	vdofed.exe

Drops file in Windows directory 2 IoCs

Processes:

cc5bb638cb34cbd386a906b7708eb62e05e3fc991a20bd060e1d84f722d29ff1.exe

description	ioc	process
File created	C:\Windows\Tasks\vdofed.job	cc5bb638cb34cbd386a906b7708eb62e05e3fc991a20bd060e1d84f722d29ff1.exe
File opened for modification	C:\Windows\Tasks\vdofed.job	cc5bb638cb34cbd386a906b7708eb62e05e3fc991a20bd060e1d84f722d29ff1.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

cc5bb638cb34cbd386a906b7708eb62e05e3fc991a20bd060e1d84f722d29ff1.exe

pid process

2492 cc5bb638cb34cbd386a906b7708eb62e05e3fc991a20bd060e1d84f722d29ff1.exe

pid	process
2492	cc5bb638cb34cbd386a906b7708eb62e05e3fc991a20bd060e1d84f722d29ff1.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 2908 wrote to memory of 2556	2908	taskeng.exe	vdofed.exe
PID 2908 wrote to memory of 2556	2908	taskeng.exe	vdofed.exe
PID 2908 wrote to memory of 2556	2908	taskeng.exe	vdofed.exe
PID 2908 wrote to memory of 2556	2908	taskeng.exe	vdofed.exe
PID 2908 wrote to memory of 1644	2908	taskeng.exe	vdofed.exe
PID 2908 wrote to memory of 1644	2908	taskeng.exe	vdofed.exe
PID 2908 wrote to memory of 1644	2908	taskeng.exe	vdofed.exe
PID 2908 wrote to memory of 1644	2908	taskeng.exe	vdofed.exe

C:\Windows\system32\taskeng.exe
taskeng.exe {8155758E-A3FF-4034-8430-1ED592126C6A} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2908
- C:\ProgramData\nmgcm\vdofed.exe
  C:\ProgramData\nmgcm\vdofed.exe start2
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\ProgramData\nmgcm\vdofed.exe
  C:\ProgramData\nmgcm\vdofed.exe start2
  2⤵
  - Executes dropped EXE
  PID:1644

C:\ProgramData\nmgcm\vdofed.exe

Filesize
16KB

MD5
c661a77c31f83c413a96b5537ad31989

SHA1
8a5a47e39a9efa9dc4de447d2ae4cd5e375e3557

SHA256
cc5bb638cb34cbd386a906b7708eb62e05e3fc991a20bd060e1d84f722d29ff1

SHA512
b86e45d36d8566b51f932f660ee9c3d79cea1a2eb34a9f7da7b2ccc5e50c74f319e8005e43d719c5722ec148ddddf1351a7f9edc430888e572b3884d1610b1aa

Download Submit