systembc | a131debc6aff9726b63414d02f6cb3b7f2243baff822131f3892247d6799239a

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15-06-2024 00:18

Target

a131debc6aff9726b63414d02f6cb3b7f2243baff822131f3892247d6799239a.dll
Size

67KB
MD5

2a0f21b38d4ca04c9523407bf1d54e6d
SHA1

3912a07ae6805e8cbcef54b1c1aa1d01e8d8155b
SHA256

a131debc6aff9726b63414d02f6cb3b7f2243baff822131f3892247d6799239a
SHA512

903495df0f2dabb8ea36e3a24b1bdb83ad9fb66198d8cf0c6d92a7bbb01e8ccbeb7f2a10fc88fd659f724df27fbb43413557c510298bc63115dae3fabeac7872
SSDEEP

1536:9Lr3XKmOJRmVdGLuLCikPCROvTJ2nr6B6yKarxw:9LzKmgRmCikaROv06B6Gr

Score

10^/10

systembc trojan upx

Family

systembc

155.138.219.110:443

192.53.123.202:443

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

UPX dump on OEP (original entry point) 1 IoCs

resource	yara_rule
behavioral1/memory/2344-3-0x0000000000140000-0x000000000016E000-memory.dmp	UPX

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	2344	rundll32.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/memory/2344-3-0x0000000000140000-0x000000000016E000-memory.dmp	upx

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2344	2240	rundll32.exe	28
PID 2240 wrote to memory of 2344	2240	rundll32.exe	28
PID 2240 wrote to memory of 2344	2240	rundll32.exe	28
PID 2240 wrote to memory of 2344	2240	rundll32.exe	28
PID 2240 wrote to memory of 2344	2240	rundll32.exe	28
PID 2240 wrote to memory of 2344	2240	rundll32.exe	28
PID 2240 wrote to memory of 2344	2240	rundll32.exe	28

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a131debc6aff9726b63414d02f6cb3b7f2243baff822131f3892247d6799239a.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a131debc6aff9726b63414d02f6cb3b7f2243baff822131f3892247d6799239a.dll,#1
  2⤵
  - Blocklisted process makes network request
  PID:2344

memory/2344-3-0x0000000000140000-0x000000000016E000-memory.dmp

Filesize
184KB

Download
memory/2344-2-0x0000000000130000-0x000000000015E000-memory.dmp

Filesize
184KB

Download
memory/2344-1-0x0000000000130000-0x000000000015E000-memory.dmp

Filesize
184KB

Download
memory/2344-0-0x0000000000130000-0x000000000015E000-memory.dmp

Filesize
184KB

Download
memory/2344-4-0x0000000000180000-0x0000000000186000-memory.dmp

Filesize
24KB

Download
memory/2344-5-0x00000000001F0000-0x00000000001F7000-memory.dmp

Filesize
28KB

Download
memory/2344-7-0x0000000000130000-0x000000000015E000-memory.dmp

Filesize
184KB

Download
memory/2344-9-0x0000000000130000-0x000000000015E000-memory.dmp

Filesize
184KB

Download
memory/2344-8-0x0000000000130000-0x000000000015E000-memory.dmp

Filesize
184KB

Download