systembc | 304a6ae31de8154aaf18fa3ba46f4d768a68fabaca443868e1a447e6e51cfc26

Analysis

max time kernel
141s
max time network
152s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08-07-2024 13:23

Target

a2eaa3485a9efff93e652cb5e3fef2bddaa1e631d2abc258a66f3d3b7f09f3de.exe
Size

873KB
MD5

7c14e45f1b37c59138cafd3173e7acd5
SHA1

7ea141eb9f013e0dce8ee2b6a692153fefbcbb3a
SHA256

a2eaa3485a9efff93e652cb5e3fef2bddaa1e631d2abc258a66f3d3b7f09f3de
SHA512

52ce187cc850430f1710e898cf28a5f3a770f3a972f94f6c6c68c6e0042a5dd79b7451dbc95121dee4c0f005dbee2ccfa0aa8fc1850f3d66d7cd6c6c5a61490c
SSDEEP

3072:LgfqAxp7Trv/hQjtXCIiXZUiq9UlRLTTFfD8:EfbfTbpOCVXzDLL/Fr8

Score

10^/10

systembc trojan

Family

systembc

179.43.178.96:4141

192.168.1.149:4141

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Executes dropped EXE 1 IoCs

pid	Process
2996	owdj.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\owdj.job	a2eaa3485a9efff93e652cb5e3fef2bddaa1e631d2abc258a66f3d3b7f09f3de.exe
File opened for modification	C:\Windows\Tasks\owdj.job	a2eaa3485a9efff93e652cb5e3fef2bddaa1e631d2abc258a66f3d3b7f09f3de.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2996	2988	taskeng.exe	32
PID 2988 wrote to memory of 2996	2988	taskeng.exe	32
PID 2988 wrote to memory of 2996	2988	taskeng.exe	32
PID 2988 wrote to memory of 2996	2988	taskeng.exe	32

C:\Users\Admin\AppData\Local\Temp\a2eaa3485a9efff93e652cb5e3fef2bddaa1e631d2abc258a66f3d3b7f09f3de.exe
"C:\Users\Admin\AppData\Local\Temp\a2eaa3485a9efff93e652cb5e3fef2bddaa1e631d2abc258a66f3d3b7f09f3de.exe"
1⤵
- Drops file in Windows directory
PID:2152

C:\Windows\system32\taskeng.exe
taskeng.exe {B9713512-6B81-4A36-AA8F-368888F81E3E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2988
- C:\ProgramData\ibwup\owdj.exe
  C:\ProgramData\ibwup\owdj.exe start
  2⤵
  - Executes dropped EXE
  PID:2996

C:\ProgramData\ibwup\owdj.exe

Filesize
873KB

MD5
7c14e45f1b37c59138cafd3173e7acd5

SHA1
7ea141eb9f013e0dce8ee2b6a692153fefbcbb3a

SHA256
a2eaa3485a9efff93e652cb5e3fef2bddaa1e631d2abc258a66f3d3b7f09f3de

SHA512
52ce187cc850430f1710e898cf28a5f3a770f3a972f94f6c6c68c6e0042a5dd79b7451dbc95121dee4c0f005dbee2ccfa0aa8fc1850f3d66d7cd6c6c5a61490c

Download Submit
memory/2152-0-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/2152-1-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2152-7-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2996-8-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download