Malware Analysis Report

2025-04-03 09:37

Sample ID 250227-dra5pasxdx
Target 686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80.exe
SHA256 686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80
Tags
systembc defense_evasion discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80

Threat Level: Known bad

The file 686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80.exe was found to be: Known bad.

Malicious Activity Summary

systembc defense_evasion discovery trojan

SystemBC

Systembc family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Executes dropped EXE

Identifies Wine through registry keys

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-27 03:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-27 03:14

Reported

2025-02-27 03:16

Platform

win7-20240903-en

Max time kernel

146s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80.exe"

Signatures

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\vjwnd\mttev.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\vjwnd\mttev.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\vjwnd\mttev.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\vjwnd\mttev.exe N/A

Identifies Wine through registry keys

defense_evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Wine C:\ProgramData\vjwnd\mttev.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80.exe N/A
N/A N/A C:\ProgramData\vjwnd\mttev.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\vjwnd\mttev.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80.exe N/A
N/A N/A C:\ProgramData\vjwnd\mttev.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 2684 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\vjwnd\mttev.exe
PID 2604 wrote to memory of 2684 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\vjwnd\mttev.exe
PID 2604 wrote to memory of 2684 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\vjwnd\mttev.exe
PID 2604 wrote to memory of 2684 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\vjwnd\mttev.exe

Processes

C:\Users\Admin\AppData\Local\Temp\686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80.exe

"C:\Users\Admin\AppData\Local\Temp\686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {5B2EA502-13DB-45E2-A7F2-7AA967C4842C} S-1-5-21-3063565911-2056067323-3330884624-1000:KHBTHJFA\Admin:Interactive:[1]

C:\ProgramData\vjwnd\mttev.exe

C:\ProgramData\vjwnd\mttev.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:5111 towerbingobongoboom.com tcp
(the row above appears 398 times in the original report; the identical rows are collapsed here to one)

Files

memory/1696-0-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1696-1-0x0000000077A90000-0x0000000077A92000-memory.dmp

memory/1696-2-0x0000000000401000-0x0000000000403000-memory.dmp

memory/1696-4-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1696-6-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1696-7-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1696-8-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1696-9-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1696-10-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1696-11-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1696-12-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1696-13-0x0000000000400000-0x0000000000846000-memory.dmp

C:\ProgramData\vjwnd\mttev.exe

MD5 77c6d4944106ec80bb717043741b57da
SHA1 aa1550acb66847744e99ee1181d8a7c9035f1339
SHA256 686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80
SHA512 b2d7b47a95dafb732d65b7af2131ceb0b60c950c29697f4c07ff21381599558990fa03a9b8fc7dfe1d96787f6adce90b4b916c71cf2f4f32c4b070aae7fcd16a

memory/2684-16-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2684-17-0x0000000000400000-0x0000000000846000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 a36c3556554dbf32736e1f88ecf5624f
SHA1 4c558b30c8519f9d17419ece3b25d3625a2c66d9
SHA256 11b3366d0fc7d1bc9658dd68c4eb024b4be11bfcac50c3c39bf6ab51d75f143d
SHA512 d9e85117b4e4f1208e2fc63e6cdcef3e821faa14b7587acedecf24df4571b282cc424cb2822fab859731f2dc49e4e843d087067ebff275e319138e4f3b6d5f32

memory/2684-19-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1696-20-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2684-22-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2684-23-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2684-24-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2684-25-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2684-26-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2684-27-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2684-28-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2684-29-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2684-30-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2684-31-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2684-32-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2684-33-0x0000000000400000-0x0000000000846000-memory.dmp

memory/2684-34-0x0000000000400000-0x0000000000846000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-27 03:14

Reported

2025-02-27 03:16

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80.exe"

Signatures

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\xrnkgk\pklnam.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\xrnkgk\pklnam.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\xrnkgk\pklnam.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\xrnkgk\pklnam.exe N/A

Identifies Wine through registry keys

defense_evasion

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\ProgramData\xrnkgk\pklnam.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80.exe N/A
N/A N/A C:\ProgramData\xrnkgk\pklnam.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\xrnkgk\pklnam.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80.exe

"C:\Users\Admin\AppData\Local\Temp\686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80.exe"

C:\ProgramData\xrnkgk\pklnam.exe

C:\ProgramData\xrnkgk\pklnam.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:5113 towerbingobongoboom.com tcp

Files

memory/4888-0-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4888-1-0x0000000077824000-0x0000000077826000-memory.dmp

memory/4888-2-0x0000000000401000-0x0000000000403000-memory.dmp

memory/4888-3-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4888-6-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4888-7-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4888-8-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4888-9-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4888-10-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4888-11-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4888-12-0x0000000000400000-0x0000000000846000-memory.dmp

memory/4888-13-0x0000000000400000-0x0000000000846000-memory.dmp

C:\ProgramData\xrnkgk\pklnam.exe

MD5 77c6d4944106ec80bb717043741b57da
SHA1 aa1550acb66847744e99ee1181d8a7c9035f1339
SHA256 686990b05fbd39d1d4e0d4af60242a5b69c1dbfb218214a20bb4c67bde5c6f80
SHA512 b2d7b47a95dafb732d65b7af2131ceb0b60c950c29697f4c07ff21381599558990fa03a9b8fc7dfe1d96787f6adce90b4b916c71cf2f4f32c4b070aae7fcd16a

memory/1596-16-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1596-17-0x0000000000400000-0x0000000000846000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 e066bd19353c1e75397943fb0b873cec
SHA1 999c51efb18adf3c75cba7ed432803ba79fb8931
SHA256 aef4c7c2385d7c1f9c7da7dd683d9ada97d17d25e5cc7290150b9dcabf429b3d
SHA512 27561c2e7fadc3d68d4c171dfd8285fdfb2a8c6171220cc26852a5a2ea218fc4c128765e1821c67380f8ce9319f7528050872d10f2669ee6062bbe14f819c545

memory/4888-19-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1596-21-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1596-22-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1596-23-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1596-24-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1596-25-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1596-26-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1596-27-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1596-28-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1596-29-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1596-30-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1596-31-0x0000000000400000-0x0000000000846000-memory.dmp

memory/1596-32-0x0000000000400000-0x0000000000846000-memory.dmp