Malware Analysis Report

2025-06-15 21:58

Sample ID: 221110-18altagfhr
Target: ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8
SHA256: ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8
Tags: systembc evasion trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8

Threat Level: Known bad

The file ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8 was found to be: Known bad.

Malicious Activity Summary

Tags: systembc evasion trojan

SystemBC
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
Checks BIOS information in registry
Identifies Wine through registry keys
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-11-10 22:18

Signatures: N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-11-10 22:18
Reported: 2022-11-10 22:23
Platform: win7-20220812-en
Max time kernel: 199s
Max time network: 269s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe"

Signatures

SystemBC
Tags: trojan systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags: evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\uotw\oloi.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\uotw\oloi.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\uotw\oloi.exe | N/A
N/A | N/A | C:\ProgramData\uotw\oloi.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\uotw\oloi.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\uotw\oloi.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\uotw\oloi.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\uotw\oloi.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A

Identifies Wine through registry keys
Tags: evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine | C:\ProgramData\uotw\oloi.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Wine | C:\ProgramData\uotw\oloi.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A
N/A | N/A | C:\ProgramData\uotw\oloi.exe | N/A
N/A | N/A | C:\ProgramData\uotw\oloi.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Tasks\oloi.job | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A
File created | C:\Windows\Tasks\oloi.job | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1296 wrote to memory of 1108 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\uotw\oloi.exe
PID 1296 wrote to memory of 1108 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\uotw\oloi.exe
PID 1296 wrote to memory of 1108 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\uotw\oloi.exe
PID 1296 wrote to memory of 1108 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\uotw\oloi.exe
PID 1296 wrote to memory of 1488 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\uotw\oloi.exe
PID 1296 wrote to memory of 1488 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\uotw\oloi.exe
PID 1296 wrote to memory of 1488 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\uotw\oloi.exe
PID 1296 wrote to memory of 1488 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\uotw\oloi.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe
  "C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe"

C:\Windows\system32\taskeng.exe
  taskeng.exe {D866A0C4-298C-4D01-9105-63ACF69D5917} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]

C:\ProgramData\uotw\oloi.exe
  C:\ProgramData\uotw\oloi.exe start2

C:\ProgramData\uotw\oloi.exe
  C:\ProgramData\uotw\oloi.exe start2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | cryptotab.me | udp
US | 23.94.163.16:4001 | cryptotab.me | tcp

Files

memory/2020-54-0x0000000000400000-0x00000000009E0000-memory.dmp
memory/2020-55-0x00000000756B1000-0x00000000756B3000-memory.dmp
memory/2020-56-0x0000000077C20000-0x0000000077DA0000-memory.dmp
memory/2020-57-0x0000000000400000-0x00000000009E0000-memory.dmp
memory/2020-58-0x0000000077C20000-0x0000000077DA0000-memory.dmp

C:\ProgramData\uotw\oloi.exe
MD5 2175015fd052eac3d6feef4e4ad1bd07
SHA1 5a2e91427ede9e558c02ee7186ff68aa491d6def
SHA256 ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8
SHA512 1429ae1523856b4bb2c161204d6394235e7df0c1427202dec7745c814dc22feb06da6b6c0c89aa6fc395a5042357720208a509fccf9a785526a1adb6cf0c6c82

memory/1108-60-0x0000000000000000-mapping.dmp

C:\ProgramData\uotw\oloi.exe
MD5 2175015fd052eac3d6feef4e4ad1bd07
SHA1 5a2e91427ede9e558c02ee7186ff68aa491d6def
SHA256 ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8
SHA512 1429ae1523856b4bb2c161204d6394235e7df0c1427202dec7745c814dc22feb06da6b6c0c89aa6fc395a5042357720208a509fccf9a785526a1adb6cf0c6c82

memory/1108-62-0x0000000000400000-0x00000000009E0000-memory.dmp
memory/1108-64-0x0000000077C20000-0x0000000077DA0000-memory.dmp
memory/1108-65-0x0000000000400000-0x00000000009E0000-memory.dmp
memory/1108-66-0x0000000077C20000-0x0000000077DA0000-memory.dmp
memory/2020-67-0x0000000077C20000-0x0000000077DA0000-memory.dmp
memory/1108-68-0x0000000077C20000-0x0000000077DA0000-memory.dmp
memory/1488-69-0x0000000000000000-mapping.dmp

C:\ProgramData\uotw\oloi.exe
MD5 2175015fd052eac3d6feef4e4ad1bd07
SHA1 5a2e91427ede9e558c02ee7186ff68aa491d6def
SHA256 ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8
SHA512 1429ae1523856b4bb2c161204d6394235e7df0c1427202dec7745c814dc22feb06da6b6c0c89aa6fc395a5042357720208a509fccf9a785526a1adb6cf0c6c82

memory/1488-71-0x0000000000400000-0x00000000009E0000-memory.dmp
memory/1488-73-0x0000000077C20000-0x0000000077DA0000-memory.dmp
memory/1488-74-0x0000000000400000-0x00000000009E0000-memory.dmp
memory/1488-75-0x0000000077C20000-0x0000000077DA0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-11-10 22:18
Reported: 2022-11-10 22:23
Platform: win10-20220812-en
Max time kernel: 198s
Max time network: 267s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe"

Signatures

SystemBC
Tags: trojan systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)
Tags: evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\dqwnjk\hdowa.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\dqwnjk\hdowa.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\dqwnjk\hdowa.exe | N/A
N/A | N/A | C:\ProgramData\dqwnjk\hdowa.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\dqwnjk\hdowa.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\dqwnjk\hdowa.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\dqwnjk\hdowa.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\dqwnjk\hdowa.exe | N/A

Identifies Wine through registry keys
Tags: evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Wine | C:\ProgramData\dqwnjk\hdowa.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Wine | C:\ProgramData\dqwnjk\hdowa.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1099808672-3828198950-1535142148-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A
N/A | N/A | C:\ProgramData\dqwnjk\hdowa.exe | N/A
N/A | N/A | C:\ProgramData\dqwnjk\hdowa.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\hdowa.job | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A
File opened for modification | C:\Windows\Tasks\hdowa.job | C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe
  "C:\Users\Admin\AppData\Local\Temp\ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8.exe"

C:\ProgramData\dqwnjk\hdowa.exe
  C:\ProgramData\dqwnjk\hdowa.exe start2

C:\ProgramData\dqwnjk\hdowa.exe
  C:\ProgramData\dqwnjk\hdowa.exe start2

Network

Country | Destination | Domain | Proto
FR | 51.11.192.50:443 | | tcp
US | 93.184.220.29:80 | | tcp
US | 8.8.8.8:53 | cryptotab.me | udp
US | 23.94.163.16:4001 | cryptotab.me | tcp

Files


C:\ProgramData\dqwnjk\hdowa.exe
MD5 2175015fd052eac3d6feef4e4ad1bd07
SHA1 5a2e91427ede9e558c02ee7186ff68aa491d6def
SHA256 ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8
SHA512 1429ae1523856b4bb2c161204d6394235e7df0c1427202dec7745c814dc22feb06da6b6c0c89aa6fc395a5042357720208a509fccf9a785526a1adb6cf0c6c82

memory/4964-172-0x0000000077600000-0x000000007778E000-memory.dmp
memory/4964-173-0x0000000077600000-0x000000007778E000-memory.dmp
memory/4964-174-0x0000000077600000-0x000000007778E000-memory.dmp
memory/4964-175-0x0000000077600000-0x000000007778E000-memory.dmp
memory/4964-176-0x0000000077600000-0x000000007778E000-memory.dmp
memory/4964-178-0x0000000077600000-0x000000007778E000-memory.dmp

C:\ProgramData\dqwnjk\hdowa.exe
MD5 2175015fd052eac3d6feef4e4ad1bd07
SHA1 5a2e91427ede9e558c02ee7186ff68aa491d6def
SHA256 ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8
SHA512 1429ae1523856b4bb2c161204d6394235e7df0c1427202dec7745c814dc22feb06da6b6c0c89aa6fc395a5042357720208a509fccf9a785526a1adb6cf0c6c82

memory/4964-180-0x0000000077600000-0x000000007778E000-memory.dmp
memory/4964-177-0x0000000077600000-0x000000007778E000-memory.dmp
memory/4964-182-0x0000000077600000-0x000000007778E000-memory.dmp
memory/4964-183-0x0000000077600000-0x000000007778E000-memory.dmp
memory/4964-181-0x0000000077600000-0x000000007778E000-memory.dmp
memory/4964-184-0x0000000077600000-0x000000007778E000-memory.dmp
memory/4964-193-0x0000000000400000-0x00000000009E0000-memory.dmp
memory/4964-216-0x0000000000400000-0x00000000009E0000-memory.dmp

C:\ProgramData\dqwnjk\hdowa.exe
MD5 2175015fd052eac3d6feef4e4ad1bd07
SHA1 5a2e91427ede9e558c02ee7186ff68aa491d6def
SHA256 ccf4d5167a10a49756ab0cf8a204b5d1a06356b5e9bdbee58f4eda966ec551a8
SHA512 1429ae1523856b4bb2c161204d6394235e7df0c1427202dec7745c814dc22feb06da6b6c0c89aa6fc395a5042357720208a509fccf9a785526a1adb6cf0c6c82

memory/3336-229-0x0000000000400000-0x00000000009E0000-memory.dmp
memory/3336-259-0x0000000000400000-0x00000000009E0000-memory.dmp