Malware Analysis Report

2025-06-15 21:58

Sample ID 221110-n6weaabefj
Target 614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe
SHA256 614d8a0cfd93b3ab2f4e01ea490ba9d350f7ea786a18b54785581777df71b371
Tags
systembc evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

614d8a0cfd93b3ab2f4e01ea490ba9d350f7ea786a18b54785581777df71b371

Threat Level: Known bad

The file 614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe was found to be: Known bad.

Malicious Activity Summary

systembc evasion trojan

SystemBC

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Executes dropped EXE

Checks BIOS information in registry

Deletes itself

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-11-10 12:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-10 12:01

Reported

2022-11-10 12:03

Platform

win7-20220901-en

Max time kernel

134s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe"

Signatures

SystemBC

trojan systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\TEMP\solpkqf.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\TEMP\solpkqf.exe | N/A

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\TEMP\solpkqf.exe | N/A
N/A | N/A | C:\Windows\TEMP\solpkqf.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\TEMP\solpkqf.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\TEMP\solpkqf.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\TEMP\solpkqf.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\TEMP\solpkqf.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\TEMP\solpkqf.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\wow64.job | C:\Windows\TEMP\solpkqf.exe | N/A
File opened for modification | C:\Windows\Tasks\wow64.job | C:\Windows\TEMP\solpkqf.exe | N/A
File created | C:\Windows\Tasks\wow64.job | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe | N/A
File opened for modification | C:\Windows\Tasks\wow64.job | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe | N/A
File created | C:\Windows\Tasks\oaevlvomkdgngxmgxmb.job | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 112 wrote to memory of 1540 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe
PID 112 wrote to memory of 1540 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe
PID 112 wrote to memory of 1540 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe
PID 112 wrote to memory of 1540 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe
PID 112 wrote to memory of 828 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\TEMP\solpkqf.exe
PID 112 wrote to memory of 828 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\TEMP\solpkqf.exe
PID 112 wrote to memory of 828 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\TEMP\solpkqf.exe
PID 112 wrote to memory of 828 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\TEMP\solpkqf.exe
PID 112 wrote to memory of 828 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\TEMP\solpkqf.exe
PID 112 wrote to memory of 828 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\TEMP\solpkqf.exe
PID 112 wrote to memory of 828 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\TEMP\solpkqf.exe
PID 112 wrote to memory of 1236 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\TEMP\solpkqf.exe
PID 112 wrote to memory of 1236 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\TEMP\solpkqf.exe
PID 112 wrote to memory of 1236 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\TEMP\solpkqf.exe
PID 112 wrote to memory of 1236 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\TEMP\solpkqf.exe
PID 112 wrote to memory of 1236 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\TEMP\solpkqf.exe
PID 112 wrote to memory of 1236 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\TEMP\solpkqf.exe
PID 112 wrote to memory of 1236 | N/A | C:\Windows\system32\taskeng.exe | C:\Windows\TEMP\solpkqf.exe
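
The persistence mechanism in this run is a legacy Task Scheduler job: the sample and its dropped copy write C:\Windows\Tasks\wow64.job, and the process tree shows taskeng.exe (PID 112) launching "C:\Windows\TEMP\solpkqf.exe start" from it (ATT&CK T1053.002, Scheduled Task/Job: At). The report lists the job file's hashes but not its contents, so the following added example, written for this page and not part of the sandbox's tooling, parses the .job format (MS-TSCH section 2.4) to recover the command, flags and triggers from such a file. The SAMPLE_JOB bytes are constructed here with the builder so the parser can be exercised offline; they mirror the command line seen in the process tree, and the HIDDEN flag and daily trigger are assumptions, not facts taken from the real wow64.job.

```python
r"""Parser for legacy Task Scheduler .job files (C:\Windows\Tasks\*.job), the
format behind the wow64.job file this sample drops and that taskeng.exe then
runs. Layout per MS-TSCH section 2.4: a 68-byte FIXDLEN_DATA header followed
by a variable-length section of UTF-16LE strings with 16-bit character counts,
two length-prefixed blobs, and an array of 48-byte trigger records."""
import json
import struct
import uuid

FIXDLEN = struct.Struct("<HH16sHHHHHHIIIII16s")   # 68-byte fixed header
TRIGGER = struct.Struct("<HHHHHHHHHHIIIIHHHHHH")   # 48-byte trigger record

# Flag bits (mstask.h TASK_FLAG_*) that matter most when triaging a dropped job
FLAGS = {0x2: "DELETE_WHEN_DONE", 0x4: "DISABLED", 0x200: "HIDDEN",
         0x2000: "RUN_ONLY_IF_LOGGED_ON"}
TRIGGER_TYPES = {0: "ONCE", 1: "DAILY", 2: "WEEKLY", 3: "MONTHLYDATE",
                 4: "MONTHLYDOW", 5: "ON_IDLE", 6: "AT_SYSTEMSTART", 7: "AT_LOGON"}


def _read_ustr(buf, off):
    """Length-prefixed UTF-16LE string; the count includes the NUL terminator."""
    (n,) = struct.unpack_from("<H", buf, off)
    off += 2
    text = buf[off:off + 2 * n].decode("utf-16-le").rstrip("\x00")
    return text, off + 2 * n


def _read_blob(buf, off):
    """Length-prefixed byte blob (User Data and Reserved Data sections)."""
    (n,) = struct.unpack_from("<H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_job(buf):
    """Return the fields an analyst wants: what runs, with which flags, and when."""
    hdr = FIXDLEN.unpack_from(buf, 0)
    app_off, trig_off, flags = hdr[3], hdr[4], hdr[13]
    off = FIXDLEN.size
    (instances,) = struct.unpack_from("<H", buf, off)
    off += 2
    if off != app_off:
        raise ValueError("application name offset does not follow the header")
    job = {}
    for name in ("application", "parameters", "working_dir", "author", "comment"):
        job[name], off = _read_ustr(buf, off)
    _, off = _read_blob(buf, off)          # user data
    _, off = _read_blob(buf, off)          # reserved data
    if off != trig_off:
        raise ValueError("trigger offset in header does not match the data")
    (ntrig,) = struct.unpack_from("<H", buf, off)
    off += 2
    triggers = []
    for _ in range(ntrig):
        t = TRIGGER.unpack_from(buf, off)
        if t[0] != TRIGGER.size:
            raise ValueError("unexpected trigger size %d" % t[0])
        triggers.append({"type": TRIGGER_TYPES.get(t[13], hex(t[13])),
                         "start": "%04d-%02d-%02d %02d:%02d" % (t[2], t[3], t[4], t[8], t[9]),
                         "duration_min": t[10], "interval_min": t[11]})
        off += TRIGGER.size
    job.update(job_id=str(uuid.UUID(bytes_le=hdr[2])), running_instances=instances,
               flags=[name for bit, name in FLAGS.items() if flags & bit],
               triggers=triggers)
    return job


def build_job(application, parameters="", working_dir="", author="", comment="",
              flags=0, trigger_type=1, interval_min=0, start=(2022, 11, 10, 12, 1)):
    """Assemble a minimal well-formed .job (used here only to construct a sample)."""
    def ustr(s):
        if not s:
            return struct.pack("<H", 0)
        data = (s + "\x00").encode("utf-16-le")
        return struct.pack("<H", len(data) // 2) + data
    body = struct.pack("<H", 0)                          # running instance count
    app_off = FIXDLEN.size + len(body)
    body += b"".join(ustr(s) for s in (application, parameters, working_dir, author, comment))
    body += struct.pack("<H", 0)                         # empty user data
    body += struct.pack("<H", 8) + b"\x00" * 8           # reserved data (TASKRESERVED1)
    trig_off = FIXDLEN.size + len(body)
    y, m, d, hh, mm = start
    trig = TRIGGER.pack(TRIGGER.size, 0, y, m, d, 0, 0, 0, hh, mm,
                        0, interval_min, 0, trigger_type, 0, 0, 0, 0, 0, 0)
    body += struct.pack("<H", 1) + trig
    hdr = FIXDLEN.pack(0x0600, 1, uuid.uuid4().bytes_le, app_off, trig_off,
                       0, 0, 0, 0, 0x20, 0, 0, 0, flags, b"\x00" * 16)
    return hdr + body


# Constructed sample: mirrors the command line the win7 process tree shows
# taskeng.exe launching ("C:\Windows\TEMP\solpkqf.exe start"). The real
# wow64.job bytes are not in the report; HIDDEN flag and daily trigger are assumed.
SAMPLE_JOB = build_job(r"C:\Windows\TEMP\solpkqf.exe", "start",
                       flags=0x200, trigger_type=1, interval_min=2)

if __name__ == "__main__":
    print(json.dumps(parse_job(SAMPLE_JOB), indent=2))
```

On a live host, read the file from C:\Windows\Tasks and pass the bytes to parse_job; the two offset checks catch truncated or hand-mangled files rather than silently mis-decoding the command. Note that the per-job .job format only covers tasks registered through the legacy ITask/at interface; tasks created through the Windows Vista+ scheduler live as XML under C:\Windows\System32\Tasks and need a different parser.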

Processes

C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe

"C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {C6C12CCE-2D26-4D36-9D3E-CBFF469B745C} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe

C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe start

C:\Windows\TEMP\solpkqf.exe

C:\Windows\TEMP\solpkqf.exe

C:\Windows\TEMP\solpkqf.exe

C:\Windows\TEMP\solpkqf.exe start

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | n20b28tu.info | udp
NL | 178.208.75.191:4248 | n20b28tu.info | tcp
NL | 178.208.75.191:80 | n20b28tu.info | tcp

Files

memory/1308-54-0x0000000000400000-0x0000000000922000-memory.dmp

memory/1308-55-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

memory/1308-56-0x0000000076FB0000-0x0000000077130000-memory.dmp

memory/1308-57-0x0000000000400000-0x0000000000922000-memory.dmp

memory/1540-58-0x0000000000000000-mapping.dmp

memory/1540-59-0x0000000000400000-0x0000000000922000-memory.dmp

memory/1540-60-0x0000000076FB0000-0x0000000077130000-memory.dmp

memory/1540-62-0x0000000000400000-0x0000000000922000-memory.dmp

memory/1308-63-0x0000000076FB0000-0x0000000077130000-memory.dmp

memory/1540-64-0x0000000076FB0000-0x0000000077130000-memory.dmp

memory/1308-65-0x0000000076FB0000-0x0000000077130000-memory.dmp

C:\Windows\TEMP\solpkqf.exe

MD5 dd3a5df905b4aca6028903b83919514a
SHA1 801fc5875148a0a648e6e246dcbd1ce0ad6c007f
SHA256 56ac1a8dc72d7a18f0af4f434e32479b14f67c3fe99c3bb23d38492e51412957
SHA512 34bee5e5d9f645f4757762b85a8765919058baf7fc4aad8f11d8f2f80ff80d2daa931c29b83e8437242a9ca2718794a97caa2881ec40a6d68811e386b08e6af1

memory/828-67-0x0000000000000000-mapping.dmp

C:\Windows\Temp\solpkqf.exe

MD5 dd3a5df905b4aca6028903b83919514a
SHA1 801fc5875148a0a648e6e246dcbd1ce0ad6c007f
SHA256 56ac1a8dc72d7a18f0af4f434e32479b14f67c3fe99c3bb23d38492e51412957
SHA512 34bee5e5d9f645f4757762b85a8765919058baf7fc4aad8f11d8f2f80ff80d2daa931c29b83e8437242a9ca2718794a97caa2881ec40a6d68811e386b08e6af1

memory/828-69-0x0000000000400000-0x0000000000886000-memory.dmp

memory/828-71-0x0000000076FB0000-0x0000000077130000-memory.dmp

C:\Windows\Tasks\wow64.job

MD5 c9aa4261c3c9e6ea9675cb37e655ed51
SHA1 7fbcbc6269fe8424a2990f7a41eafc6a3e353216
SHA256 7a2a24da7f326f70910eeafa3b1314af78f4b918021af978549039101993f0da
SHA512 2ea17c241637a38b1a6912f7da62cef8fa6c35df601adf2aca73e45e53d8f2edb12d1e02ba9949b8b39777edf9a0db61346f7c10cc2b8b284541284aa91a771d

memory/1540-73-0x0000000076FB0000-0x0000000077130000-memory.dmp

memory/828-74-0x0000000000400000-0x0000000000886000-memory.dmp

C:\Windows\Temp\solpkqf.exe

MD5 dd3a5df905b4aca6028903b83919514a
SHA1 801fc5875148a0a648e6e246dcbd1ce0ad6c007f
SHA256 56ac1a8dc72d7a18f0af4f434e32479b14f67c3fe99c3bb23d38492e51412957
SHA512 34bee5e5d9f645f4757762b85a8765919058baf7fc4aad8f11d8f2f80ff80d2daa931c29b83e8437242a9ca2718794a97caa2881ec40a6d68811e386b08e6af1

memory/1236-75-0x0000000000000000-mapping.dmp

memory/1236-77-0x0000000000400000-0x0000000000886000-memory.dmp

memory/1236-79-0x0000000076FB0000-0x0000000077130000-memory.dmp

memory/1236-80-0x0000000000400000-0x0000000000886000-memory.dmp

memory/828-81-0x0000000076FB0000-0x0000000077130000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-10 12:01

Reported

2022-11-10 12:03

Platform

win10v2004-20220812-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe"

Signatures

SystemBC

trojan systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\TEMP\bfkn.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Windows\TEMP\bfkn.exe | N/A

Downloads MZ/PE file

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\TEMP\bfkn.exe | N/A
N/A | N/A | C:\Windows\TEMP\bfkn.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\TEMP\bfkn.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\TEMP\bfkn.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Windows\TEMP\bfkn.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Windows\TEMP\bfkn.exe | N/A

Identifies Wine through registry keys

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Tasks\wow64.job | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe | N/A
File created | C:\Windows\Tasks\djxfodcpncbombxnpec.job | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe | N/A
File created | C:\Windows\Tasks\wow64.job | C:\Windows\TEMP\bfkn.exe | N/A
File opened for modification | C:\Windows\Tasks\wow64.job | C:\Windows\TEMP\bfkn.exe | N/A
File created | C:\Windows\Tasks\wow64.job | C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe | N/A
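
Both detonations show the same three pre-flight probes from the dropper and its copy: opening HKLM\HARDWARE\ACPI\DSDT\VBOX__ (a key that only exists on VirtualBox guests), reading SystemBiosVersion and VideoBiosVersion, and opening the per-user Software\Wine key. The following added example, written for this page rather than taken from the sandbox, turns those signatures into rules that run over registry-access events in the shape the tables above use, normalising native \REGISTRY\... paths to hive aliases so a rule does not depend on the victim's SID, and grading each process by how many distinct checks it performed. The event list is constructed from the rows in the behavioral1 tables plus a benign control row; the ACPI rule is widened to the FADT and RSDT tables, which VirtualBox stamps with the same VBOX__ OEM id even though the report only shows DSDT being opened. One caveat a responder needs: Sysmon only logs key creation, value writes and renames (events 12-14), never key opens or value reads, so this kind of feed has to come from a sandbox, an API monitor or the Microsoft-Windows-Kernel-Registry ETW provider.

```python
"""Rule-based tagging of the registry probes this sample makes before it
decides whether to run: the VirtualBox ACPI table key, the BIOS version
strings, and the Wine marker key. Input events are (operation, native
registry path, image) triples in the shape the sandbox reports them."""
import re
from collections import defaultdict

# Native kernel paths -> the hive aliases analysts write rules against.
# A per-user hive (\REGISTRY\USER\<SID>) collapses to HKU so rules are SID-agnostic.
_HIVES = [
    (re.compile(r"^\\REGISTRY\\MACHINE", re.I), "HKLM"),
    (re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+(?=\\)", re.I), "HKU"),
    (re.compile(r"^\\REGISTRY\\USER", re.I), "HKU"),
]


def normalize(path):
    for pat, alias in _HIVES:
        if pat.search(path):
            return pat.sub(alias, path, count=1)
    return path


# (check label, ATT&CK technique, operations that count, regex on the normalized path).
# T1497.001 is Virtualization/Sandbox Evasion: System Checks. The ACPI rule also
# covers FADT and RSDT, which VirtualBox marks with the same VBOX__ OEM id.
RULES = [
    ("virtualbox_acpi_table", "T1497.001", {"key_opened", "key_value_queried"},
     re.compile(r"^HKLM\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I)),
    ("bios_version_strings", "T1497.001", {"key_value_queried"},
     re.compile(r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("wine_marker_key", "T1497.001", {"key_opened", "key_value_queried"},
     re.compile(r"^HKU\\Software\\Wine$", re.I)),
]


def evaluate(events):
    """Group matching events per image and grade how strong the evidence is."""
    hits = defaultdict(list)
    for operation, path, image in events:
        op = operation.strip().lower().replace(" ", "_")
        npath = normalize(path)
        for label, technique, ops, pat in RULES:
            if op in ops and pat.search(npath):
                hits[image].append((label, technique, npath))
    report = {}
    for image, rows in hits.items():
        checks = sorted({r[0] for r in rows})
        report[image] = {
            "checks": checks,
            "techniques": sorted({r[1] for r in rows}),
            "event_count": len(rows),
            # one probe alone is weak evidence (legitimate software reads BIOS
            # strings too); two or more distinct checks is the pattern the sandbox flags
            "verdict": "likely anti-analysis" if len(checks) >= 2 else "single probe (weak)",
        }
    return report


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe"
PAYLOAD = r"C:\Windows\TEMP\solpkqf.exe"

# Constructed event list: the behavioral1 rows above, plus one benign read
# from explorer.exe that must not trigger anything.
SAMPLE_EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", DROPPER),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", DROPPER),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", DROPPER),
    ("Key opened", r"\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Wine", DROPPER),
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", PAYLOAD),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", PAYLOAD),
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName",
     r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for image, verdict in evaluate(SAMPLE_EVENTS).items():
        print(image, verdict)
```

The grading is deliberately per image rather than per event: the same check repeated (the dropper opens VBOX__ twice in each run) should not raise the score, whereas three different probes from one binary is what separates an evasion-aware loader from an inventory tool reading the BIOS string once.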

Processes

C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe

"C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe"

C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe

C:\Users\Admin\AppData\Local\Temp\614D8A0CFD93B3AB2F4E01EA490BA9D350F7EA786A18B.exe start

C:\Windows\TEMP\bfkn.exe

C:\Windows\TEMP\bfkn.exe

C:\Windows\TEMP\bfkn.exe

C:\Windows\TEMP\bfkn.exe start

Network

Country | Destination | Domain | Proto
US | 93.184.220.29:80 | | tcp
US | 8.8.8.8:53 | n20b28tu.info | udp
NL | 178.208.75.191:4248 | n20b28tu.info | tcp
AU | 104.46.162.224:443 | | tcp
NL | 104.80.225.205:443 | | tcp
NL | 178.208.75.191:80 | n20b28tu.info | tcp
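
In both runs the network pattern is the same: a DNS lookup for n20b28tu.info, then TCP to the answer (178.208.75.191) on 4248 and on 80. The port is whatever the sample's configuration says, so a port-based rule is brittle; what generalises is the shape (resolve a name, then contact the answer on a non-standard port, and the same peer on more than one port). The following added example, not part of the sandbox report, implements that correlation over a minimal Zeek-like DNS and connection log. The two log strings are constructed for this page: one host reproduces the report's sequence, one connection has no DNS context on a standard port (not worth a row), and a second host reaches the same IP on 4248 without ever resolving it, which the code reports as a possible hard-coded C2 address. Field layout, window and port list are this example's own choices.

```python
"""Correlate DNS answers with the connections that follow them. Each finding
is one connection that is either on an unusual port or can be tied to a name
the same host resolved shortly before. Input is a minimal Zeek-like TSV:
dns rows are ts, orig_h, resp_h, query, answers (comma separated);
conn rows are ts, orig_h, resp_h, resp_p, proto."""
from collections import defaultdict

COMMON_PORTS = {53, 80, 443}   # ports a connection is not flagged for on its own
WINDOW_S = 300.0               # a DNS answer is only tied to connections this soon after it

# Constructed sample logs (not from the report's sandbox capture).
DNS_LOG = """\
1668081660.100\t10.0.0.5\t8.8.8.8\tn20b28tu.info\t178.208.75.191
"""
CONN_LOG = """\
1668081661.200\t10.0.0.5\t178.208.75.191\t4248\ttcp
1668081662.500\t10.0.0.5\t178.208.75.191\t80\ttcp
1668081700.000\t10.0.0.5\t93.184.220.29\t80\ttcp
1668081800.000\t10.0.0.7\t178.208.75.191\t4248\ttcp
"""


def parse_dns(text):
    rows = []
    for line in text.strip().splitlines():
        ts, orig, _resp, query, answers = line.split("\t")
        rows.append((float(ts), orig, query, [a for a in answers.split(",") if a]))
    return rows


def parse_conn(text):
    rows = []
    for line in text.strip().splitlines():
        ts, orig, resp_h, resp_p, proto = line.split("\t")
        rows.append((float(ts), orig, resp_h, int(resp_p), proto))
    return rows


def correlate(dns_rows, conn_rows, window=WINDOW_S):
    """Attach the most recent matching DNS name (same client, answer == peer IP,
    within the window) to each connection, and grade by port."""
    resolved = defaultdict(list)              # (orig_h, answer_ip) -> [(ts, name)]
    for ts, orig, query, answers in dns_rows:
        for ip in answers:
            resolved[(orig, ip)].append((ts, query))
    findings = []
    for ts, orig, ip, port, proto in conn_rows:
        domain, delta = None, None
        for dts, name in resolved.get((orig, ip), []):
            if 0 <= ts - dts <= window and (delta is None or ts - dts < delta):
                domain, delta = name, ts - dts
        unusual = proto == "tcp" and port not in COMMON_PORTS
        if domain is None and not unusual:
            continue                          # ordinary web traffic with no name context
        findings.append({"orig": orig, "ip": ip, "port": port, "domain": domain,
                         "delta_s": None if delta is None else round(delta, 3),
                         "severity": "high" if unusual else "info"})
    return findings


def peers_multi_port(findings):
    """Peers contacted on more than one port by the same client, the shape
    the report shows for 178.208.75.191 (4248 and 80)."""
    ports = defaultdict(set)
    for f in findings:
        ports[(f["orig"], f["ip"])].add(f["port"])
    return {k: sorted(v) for k, v in ports.items() if len(v) > 1}


if __name__ == "__main__":
    found = correlate(parse_dns(DNS_LOG), parse_conn(CONN_LOG))
    for f in found:
        print(f)
    print(peers_multi_port(found))
```

A finding with domain None on an unusual port is the case worth a second look: it means the client never asked for a name, so the address came from the binary or its configuration rather than DNS. Tune COMMON_PORTS to the environment before relying on the severity field; the domain attachment is the durable part of the logic.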

Files

memory/716-132-0x0000000000400000-0x0000000000922000-memory.dmp

memory/716-133-0x0000000077550000-0x00000000776F3000-memory.dmp

memory/716-134-0x0000000000400000-0x0000000000922000-memory.dmp

memory/4972-135-0x0000000000400000-0x0000000000922000-memory.dmp

memory/4972-136-0x0000000077550000-0x00000000776F3000-memory.dmp

memory/4972-137-0x0000000000400000-0x0000000000922000-memory.dmp

memory/716-138-0x0000000077550000-0x00000000776F3000-memory.dmp

memory/4972-139-0x0000000077550000-0x00000000776F3000-memory.dmp

memory/716-140-0x0000000077550000-0x00000000776F3000-memory.dmp

C:\Windows\Temp\bfkn.exe

MD5 dd3a5df905b4aca6028903b83919514a
SHA1 801fc5875148a0a648e6e246dcbd1ce0ad6c007f
SHA256 56ac1a8dc72d7a18f0af4f434e32479b14f67c3fe99c3bb23d38492e51412957
SHA512 34bee5e5d9f645f4757762b85a8765919058baf7fc4aad8f11d8f2f80ff80d2daa931c29b83e8437242a9ca2718794a97caa2881ec40a6d68811e386b08e6af1

C:\Windows\TEMP\bfkn.exe

MD5 dd3a5df905b4aca6028903b83919514a
SHA1 801fc5875148a0a648e6e246dcbd1ce0ad6c007f
SHA256 56ac1a8dc72d7a18f0af4f434e32479b14f67c3fe99c3bb23d38492e51412957
SHA512 34bee5e5d9f645f4757762b85a8765919058baf7fc4aad8f11d8f2f80ff80d2daa931c29b83e8437242a9ca2718794a97caa2881ec40a6d68811e386b08e6af1

memory/1244-143-0x0000000000400000-0x0000000000886000-memory.dmp

memory/1244-144-0x0000000077550000-0x00000000776F3000-memory.dmp

C:\Windows\Tasks\wow64.job

MD5 68667eb391c47b343427836ba16952ec
SHA1 8812c6573d5f02a1436e5c82a36ff430ed9b987c
SHA256 3de88331dc719e45e458fbb26a4527dfead1c82624e1d1785b226d66bda8fe1a
SHA512 c3d67a479dd610de1d09a59a025dd08189186cadf2fa107f2ae3f15fa2f460f909d568d6a8d878f2cb167718f2b02d4eedfd513b0be16057378bd1d2448ba594

memory/4972-146-0x0000000077550000-0x00000000776F3000-memory.dmp

memory/1244-147-0x0000000000400000-0x0000000000886000-memory.dmp

C:\Windows\Temp\bfkn.exe

MD5 dd3a5df905b4aca6028903b83919514a
SHA1 801fc5875148a0a648e6e246dcbd1ce0ad6c007f
SHA256 56ac1a8dc72d7a18f0af4f434e32479b14f67c3fe99c3bb23d38492e51412957
SHA512 34bee5e5d9f645f4757762b85a8765919058baf7fc4aad8f11d8f2f80ff80d2daa931c29b83e8437242a9ca2718794a97caa2881ec40a6d68811e386b08e6af1

memory/4892-149-0x0000000000400000-0x0000000000886000-memory.dmp

memory/4892-150-0x0000000077550000-0x00000000776F3000-memory.dmp

memory/4892-151-0x0000000000400000-0x0000000000886000-memory.dmp

memory/1244-152-0x0000000077550000-0x00000000776F3000-memory.dmp

memory/4892-153-0x0000000077550000-0x00000000776F3000-memory.dmp