Analysis Overview
SHA256
81adc7b98a97b77b6259fe66d9f5919ad55de88ff242637de023ee856a095699
Threat Level: Known bad
The file f398330ff76c75dbaffe5c18078c35e5.exe was found to be: Known bad.
Malicious Activity Summary
SystemBC
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Executes dropped EXE
Identifies Wine through registry keys
Checks BIOS information in registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-02-26 09:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2025-02-26 09:02
Reported
2025-02-26 09:04
Platform
win7-20240903-en
Max time kernel
142s
Max time network
144s
Command Line
Signatures
SystemBC
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\f398330ff76c75dbaffe5c18078c35e5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\seqtpt\vrqp.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\f398330ff76c75dbaffe5c18078c35e5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\f398330ff76c75dbaffe5c18078c35e5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\seqtpt\vrqp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\seqtpt\vrqp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\seqtpt\vrqp.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\f398330ff76c75dbaffe5c18078c35e5.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Wine | C:\ProgramData\seqtpt\vrqp.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f398330ff76c75dbaffe5c18078c35e5.exe | N/A |
| N/A | N/A | C:\ProgramData\seqtpt\vrqp.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\f398330ff76c75dbaffe5c18078c35e5.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f398330ff76c75dbaffe5c18078c35e5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\seqtpt\vrqp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f398330ff76c75dbaffe5c18078c35e5.exe | N/A |
| N/A | N/A | C:\ProgramData\seqtpt\vrqp.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2976 wrote to memory of 2792 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\seqtpt\vrqp.exe |
| PID 2976 wrote to memory of 2792 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\seqtpt\vrqp.exe |
| PID 2976 wrote to memory of 2792 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\seqtpt\vrqp.exe |
| PID 2976 wrote to memory of 2792 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\seqtpt\vrqp.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\f398330ff76c75dbaffe5c18078c35e5.exe
"C:\Users\Admin\AppData\Local\Temp\f398330ff76c75dbaffe5c18078c35e5.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {7902B381-DDEF-4CA5-A053-25CEFB16B899} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]
C:\ProgramData\seqtpt\vrqp.exe
C:\ProgramData\seqtpt\vrqp.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| DE | 93.186.202.3:4000 | towerbingobongoboom.com | tcp |
| DE | 93.186.202.3:5112 | towerbingobongoboom.com | tcp |
Files
memory/2104-0-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2104-1-0x00000000777A0000-0x00000000777A2000-memory.dmp
memory/2104-2-0x0000000000401000-0x0000000000403000-memory.dmp
memory/2104-4-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2104-6-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2104-7-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2104-8-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2104-9-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2104-10-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2104-11-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2104-12-0x0000000000400000-0x0000000000846000-memory.dmp
C:\ProgramData\seqtpt\vrqp.exe
| MD5 | f398330ff76c75dbaffe5c18078c35e5 |
| SHA1 | 97c7b2fa744cdf86ce74322f0a683b260e21d188 |
| SHA256 | 81adc7b98a97b77b6259fe66d9f5919ad55de88ff242637de023ee856a095699 |
| SHA512 | 69768f2338ceff5e0872ef066201a3b06ad30b31138524d62943982d67dd046a8cd2051a9730a8e81ea93404fddd734fa1c6cab8ccb5689fd343572604c8cb8c |
memory/2792-15-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2792-16-0x0000000000400000-0x0000000000846000-memory.dmp
C:\Windows\Tasks\Test Task17.job
| MD5 | dd01a870f67e51bb46cc4166d39ded00 |
| SHA1 | dcc87d4de29d681973c6e6f53a25b8be8f581644 |
| SHA256 | 45f7e29f1e0a908a53f033093f1307442591b79cb080159f3282fb860d671bc4 |
| SHA512 | 8d4edc61536cb7e4afaf82cfcb45386d3ed8badcf9a1fbae86f4c15f4fc01d2bab683ad785897df0f0b38e55638cfcddc13f2e12faccbbe74c5a0c1b0afba4ce |
memory/2792-18-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2792-19-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2792-20-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2104-21-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2792-22-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2792-23-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2104-24-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2104-25-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2792-26-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2792-27-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2792-28-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2792-29-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2792-30-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2792-31-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2792-32-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2792-33-0x0000000000400000-0x0000000000846000-memory.dmp
memory/2792-34-0x0000000000400000-0x0000000000846000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-02-26 09:02
Reported
2025-02-26 09:04
Platform
win10v2004-20250217-en
Max time kernel
144s
Max time network
146s
Command Line
Signatures
SystemBC
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\f398330ff76c75dbaffe5c18078c35e5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\egkflhe\louckpo.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\f398330ff76c75dbaffe5c18078c35e5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\f398330ff76c75dbaffe5c18078c35e5.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\egkflhe\louckpo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\egkflhe\louckpo.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\egkflhe\louckpo.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\f398330ff76c75dbaffe5c18078c35e5.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine | C:\ProgramData\egkflhe\louckpo.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f398330ff76c75dbaffe5c18078c35e5.exe | N/A |
| N/A | N/A | C:\ProgramData\egkflhe\louckpo.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\f398330ff76c75dbaffe5c18078c35e5.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\f398330ff76c75dbaffe5c18078c35e5.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\egkflhe\louckpo.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f398330ff76c75dbaffe5c18078c35e5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f398330ff76c75dbaffe5c18078c35e5.exe | N/A |
| N/A | N/A | C:\ProgramData\egkflhe\louckpo.exe | N/A |
| N/A | N/A | C:\ProgramData\egkflhe\louckpo.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\f398330ff76c75dbaffe5c18078c35e5.exe
"C:\Users\Admin\AppData\Local\Temp\f398330ff76c75dbaffe5c18078c35e5.exe"
C:\ProgramData\egkflhe\louckpo.exe
C:\ProgramData\egkflhe\louckpo.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| DE | 93.186.202.3:4000 | towerbingobongoboom.com | tcp |
| DE | 93.186.202.3:5419 | towerbingobongoboom.com | tcp |
| US | 150.171.28.10:443 | | tcp |
| US | 150.171.28.10:443 | | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/1668-0-0x0000000000400000-0x0000000000846000-memory.dmp
memory/1668-1-0x00000000773A4000-0x00000000773A6000-memory.dmp
memory/1668-2-0x0000000000401000-0x0000000000403000-memory.dmp
memory/1668-4-0x0000000000400000-0x0000000000846000-memory.dmp
memory/1668-6-0x0000000000400000-0x0000000000846000-memory.dmp
memory/1668-7-0x0000000000400000-0x0000000000846000-memory.dmp
memory/1668-8-0x0000000000400000-0x0000000000846000-memory.dmp
memory/1668-9-0x0000000000400000-0x0000000000846000-memory.dmp
memory/1668-10-0x0000000000400000-0x0000000000846000-memory.dmp
memory/1668-11-0x0000000000400000-0x0000000000846000-memory.dmp
C:\ProgramData\egkflhe\louckpo.exe
| MD5 | f398330ff76c75dbaffe5c18078c35e5 |
| SHA1 | 97c7b2fa744cdf86ce74322f0a683b260e21d188 |
| SHA256 | 81adc7b98a97b77b6259fe66d9f5919ad55de88ff242637de023ee856a095699 |
| SHA512 | 69768f2338ceff5e0872ef066201a3b06ad30b31138524d62943982d67dd046a8cd2051a9730a8e81ea93404fddd734fa1c6cab8ccb5689fd343572604c8cb8c |
memory/1228-14-0x0000000000400000-0x0000000000846000-memory.dmp
C:\Windows\Tasks\Test Task17.job
| MD5 | dcd98a2848313fa57964ac856b10d40c |
| SHA1 | 9398bc6581ad6a37a24b59aaaaa899ffe612c01e |
| SHA256 | 34cd134a8adb09ab8b61134aeacb31db0a3c7134b57ad47ad3aa46696800cc31 |
| SHA512 | cab1ad22ea8a1440459866ca8710287e2a665b39a6b68f4f3803c7e897ac0eccd9771018a86e63ac8cd53bd3be5a9ebeea8bd38991fbaaea1b429e22b7ad8093 |
memory/1228-16-0x0000000000400000-0x0000000000846000-memory.dmp
memory/1668-17-0x0000000000400000-0x0000000000846000-memory.dmp
memory/1228-18-0x0000000000400000-0x0000000000846000-memory.dmp
memory/1228-19-0x0000000000400000-0x0000000000846000-memory.dmp
memory/1228-20-0x0000000000400000-0x0000000000846000-memory.dmp
memory/1668-21-0x0000000000400000-0x0000000000846000-memory.dmp
memory/1668-23-0x0000000000400000-0x0000000000846000-memory.dmp
memory/1228-24-0x0000000000400000-0x0000000000846000-memory.dmp
memory/1228-25-0x0000000000400000-0x0000000000846000-memory.dmp
memory/1228-26-0x0000000000400000-0x0000000000846000-memory.dmp
memory/1228-27-0x0000000000400000-0x0000000000846000-memory.dmp
memory/1228-28-0x0000000000400000-0x0000000000846000-memory.dmp
memory/1228-29-0x0000000000400000-0x0000000000846000-memory.dmp
memory/1228-30-0x0000000000400000-0x0000000000846000-memory.dmp
memory/1228-31-0x0000000000400000-0x0000000000846000-memory.dmp
memory/1228-32-0x0000000000400000-0x0000000000846000-memory.dmp