systembc | 4aed141bc47c4bdf1779182984a43dedb5b9e0f2ef220e29154028ad5f8ea55a

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
18-07-2024 13:07

Target

4aed141bc47c4bdf1779182984a43dedb5b9e0f2ef220e29154028ad5f8ea55a.exe
Size

178KB
MD5

705796f3b9bd73f9a9a8a07c9f10b909
SHA1

93cf40f95ab91a0e33b405c0c49025dab7ceb496
SHA256

4aed141bc47c4bdf1779182984a43dedb5b9e0f2ef220e29154028ad5f8ea55a
SHA512

4ce401041bdc5086345b856ac3f4baa804652cb6c14a7f84ae0cc1323783c2f54d8498aa9a1b72df0a3d86aa752f43873d4f9afc85b1544285e8a1f7ed53ae42
SSDEEP

3072:+ob0P2fTvOS1eSauhB8zfGci1+rbjb4Ke:eOLOS13SfGc3Hjf

Score

10^/10

systembc trojan

Family

systembc

95.179.161.101:4001

SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\wow64.job	4aed141bc47c4bdf1779182984a43dedb5b9e0f2ef220e29154028ad5f8ea55a.exe
File opened for modification	C:\Windows\Tasks\wow64.job	4aed141bc47c4bdf1779182984a43dedb5b9e0f2ef220e29154028ad5f8ea55a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 2040	2592	taskeng.exe	30
PID 2592 wrote to memory of 2040	2592	taskeng.exe	30
PID 2592 wrote to memory of 2040	2592	taskeng.exe	30
PID 2592 wrote to memory of 2040	2592	taskeng.exe	30

C:\Users\Admin\AppData\Local\Temp\4aed141bc47c4bdf1779182984a43dedb5b9e0f2ef220e29154028ad5f8ea55a.exe
"C:\Users\Admin\AppData\Local\Temp\4aed141bc47c4bdf1779182984a43dedb5b9e0f2ef220e29154028ad5f8ea55a.exe"
1⤵
- Drops file in Windows directory
PID:2172

C:\Windows\system32\taskeng.exe
taskeng.exe {B4F2D480-7319-4A5A-AFAE-6A62609AE519} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Users\Admin\AppData\Local\Temp\4aed141bc47c4bdf1779182984a43dedb5b9e0f2ef220e29154028ad5f8ea55a.exe
  C:\Users\Admin\AppData\Local\Temp\4aed141bc47c4bdf1779182984a43dedb5b9e0f2ef220e29154028ad5f8ea55a.exe start
  2⤵
  PID:2040

memory/2040-11-0x0000000000400000-0x00000000008F7000-memory.dmp

Filesize
5.0MB

Download
memory/2172-2-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download
memory/2172-1-0x0000000000AC0000-0x0000000000BC0000-memory.dmp

Filesize
1024KB

Download
memory/2172-3-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/2172-6-0x0000000000400000-0x00000000008F7000-memory.dmp

Filesize
5.0MB

Download
memory/2172-9-0x0000000000AC0000-0x0000000000BC0000-memory.dmp

Filesize
1024KB

Download
memory/2172-10-0x0000000000220000-0x0000000000225000-memory.dmp

Filesize
20KB

Download