Malware Analysis Report

2025-04-03 09:13

Sample ID 250227-drlanasxfs
Target 68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe
SHA256 68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221
Tags
amadey systembc a4d2cd defense_evasion discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221

Threat Level: Known bad

The file 68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe was found to be: Known bad.

Observed chain, assembled from the two behavioral runs below: the sample copies itself to C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe (the dropped file has the same SHA256 as the submitted sample) and creates C:\Windows\Tasks\Gxtuum.job; Gxtuum.exe then downloads a second PE, C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe (SHA256 b7a31a615cfe0b31a5293cc784a8618e153100399982bf7999983e41b3f81370), and starts it; systemdrive.exe creates C:\Windows\Tasks\Test Task17.job, after which a further executable under C:\ProgramData runs (hqce\xfiopsp.exe in the Windows 10 run, cvcf\gkpwli.exe in the Windows 7 run, where the launch is visible coming from taskeng.exe). All four images open HKLM\HARDWARE\ACPI\DSDT\VBOX__, HKCU\Software\Wine and the SystemBiosVersion/VideoBiosVersion values, which is why the evasion signatures fire for every stage. Network contacts attributable to the sample are cobolrationumelawrtewarms.com (107.189.27.66:80), 104.194.157.122:80 by raw IP, and towerbingobongoboom.com (93.186.202.3) on TCP 4000 plus 5111 or 5112 depending on the run; the bing.com/bing.net traffic appears only in the Windows 10 run and is consistent with background OS activity rather than the sample.

Malicious Activity Summary

amadey systembc a4d2cd defense_evasion discovery trojan

Amadey family

Systembc family

Amadey

SystemBC

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Identifies Wine through registry keys

Checks BIOS information in registry

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-27 03:14

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-27 03:14

Reported

2025-02-27 03:17

Platform

win10v2004-20250217-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\hqce\xfiopsp.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\hqce\xfiopsp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\hqce\xfiopsp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\ProgramData\hqce\xfiopsp.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\hqce\xfiopsp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe N/A
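The registry rows above are the raw evidence behind the "Identifies VirtualBox", "Identifies Wine", "Checks BIOS information" and "System Language Discovery" signatures. The following is an added example, not code from the report or the sandbox, that parses rows in the report's own column layout and tags each process with the checks it performed. The rule labels are this example's own naming; the benign CurrentVersion row and the shortened sample.exe path in the sample input are constructed to show the no-match case. Opening HKLM\HARDWARE\ACPI\DSDT\VBOX__ is an existence test: the key is only present when the ACPI tables came from VirtualBox, so a successful open is the tell, no value needs to be read.

```python
"""Classify registry-access rows from a sandbox report as anti-VM or discovery checks.

Input rows follow the report's table layout:
    <Description> <Indicator> <Process> <Target>
where Description is "Key opened" / "Key value queried" / "File created".
"""
import re
from collections import defaultdict

# The indicator may contain spaces ("Control Panel\..."), so it is matched lazily;
# the process column is anchored on a drive letter and, in these rows, has no spaces.
ROW_RE = re.compile(
    r"^(?P<desc>Key opened|Key value queried|File created)\s+"
    r"(?P<indicator>.+?)\s+"
    r"(?P<process>[A-Za-z]:\\\S+)\s+"
    r"(?P<target>\S+)$"
)

# Registry paths -> what a read of them usually means. Labels are ours, not the
# sandbox's signature names.
RULES = [
    (re.compile(r"\\HARDWARE\\ACPI\\DSDT\\VBOX__$", re.I), "anti-vm: VirtualBox ACPI DSDT table"),
    (re.compile(r"\\Software\\Wine$", re.I), "anti-vm: Wine environment"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I),
     "anti-vm: BIOS version string"),
    (re.compile(r"\\Control\\NLS\\Language$", re.I), "discovery: system language"),
    (re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I), "discovery: geo/nation code"),
]


def parse_row(line):
    """Split one table row into its four columns, or return None if it is not a row."""
    m = ROW_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(indicator):
    """Return the technique label for a registry path, or None if no rule matches."""
    for pattern, label in RULES:
        if pattern.search(indicator):
            return label
    return None


def summarize(lines):
    """Return {image_name: {label: count}} over all rows that match a rule."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        label = classify(row["indicator"])
        if label is None:
            continue
        image = row["process"].rsplit("\\", 1)[-1]
        summary[image][label] += 1
    return {image: dict(counts) for image, counts in summary.items()}


def anti_vm_processes(summary):
    """Images that performed at least one anti-VM check, sorted by name."""
    return sorted(img for img, counts in summary.items()
                  if any(label.startswith("anti-vm:") for label in counts))


# Rows copied from the report's Windows 10 run, plus one constructed benign row
# (the CurrentVersion read) and a shortened sample.exe path, to show the no-match case.
SAMPLE_ROWS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A",
    r"Key opened \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Software\Wine C:\ProgramData\hqce\xfiopsp.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\hqce\xfiopsp.exe N/A",
    r"Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\sample.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion C:\Users\Admin\AppData\Local\Temp\sample.exe N/A",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_ROWS)
    for image, counts in result.items():
        print(image, counts)
    print("anti-vm:", anti_vm_processes(result))
```

The same rule table works on Sysmon event 12/13 TargetObject values if the `\REGISTRY\MACHINE` and `\REGISTRY\USER\<SID>` prefixes are normalised to HKLM/HKU first; the point of keying on the process image is that here every stage of the chain, not just the first-stage loader, runs the checks.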

Processes

C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe

"C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe

"C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\ProgramData\hqce\xfiopsp.exe

C:\ProgramData\hqce\xfiopsp.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
DE 104.194.157.122:80 104.194.157.122 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:5112 towerbingobongoboom.com tcp
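Not every row in this table is attributable to the sample: the 8.8.8.8:53 rows are the sandbox's resolver, and the bing.com/bing.net rows appear only in the Windows 10 run. The following is an added example, not code from the report, that triages rows in the report's own layout into hunt-worthy indicators versus background noise. The resolver address, the bing allowlist and the "expected ports" set are this example's assumptions, not labels the report applies; the sample input merges both runs so that TCP 5111 (Windows 7) and 5112 (Windows 10) both show up under the same host.

```python
"""Triage a sandbox network table: split C2 candidates from OS background traffic.

Rows follow the report's layout: <Country> <ip:port> <Domain> <Proto>
"""
import ipaddress
import re

NET_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[0-9.]+):(?P<port>\d+)\s+(?P<domain>\S+)\s+(?P<proto>tcp|udp)$"
)

# Assumptions, not something the report states: the sandbox's resolver is 8.8.8.8,
# bing.com/bing.net is Windows 10 background traffic, and 80/443 are the only ports
# we expect an ordinary download to use.
RESOLVERS = {"8.8.8.8"}
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")
EXPECTED_PORTS = {80, 443}


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_rows(lines):
    rows = []
    for line in lines:
        m = NET_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def classify(row):
    """Label one row; ordering matters (background is decided before anything else)."""
    if row["domain"].endswith(BACKGROUND_SUFFIXES):
        return "background"
    if row["proto"] == "udp" and row["port"] == 53 and row["ip"] in RESOLVERS:
        return "dns-lookup"                       # the name is an IOC, the resolver is not
    if is_ip(row["domain"]):
        return "c2-candidate: raw-ip"             # no DNS at all, hard-coded address
    if row["port"] not in EXPECTED_PORTS:
        return "c2-candidate: non-standard port"
    return "c2-candidate: http(s)"


def triage(lines):
    """Return (iocs, noise).

    iocs: {name: {"endpoints": ["ip:port/proto", ...], "labels": [...]}} keyed by the
    domain (or raw IP) the sample talked to; noise: background rows, kept for the record.
    """
    iocs, noise = {}, []
    for row in parse_rows(lines):
        label = classify(row)
        if label == "background":
            noise.append(row)
            continue
        entry = iocs.setdefault(row["domain"], {"endpoints": set(), "labels": set()})
        entry["labels"].add(label)
        if label != "dns-lookup":
            entry["endpoints"].add(f'{row["ip"]}:{row["port"]}/{row["proto"]}')
    return ({name: {"endpoints": sorted(e["endpoints"]), "labels": sorted(e["labels"])}
             for name, e in iocs.items()}, noise)


def indicators(iocs):
    """Flat set of names and addresses to hunt for (resolver excluded by construction)."""
    out = set()
    for name, entry in iocs.items():
        out.add(name)
        for ep in entry["endpoints"]:
            out.add(ep.split(":")[0])
    return out


# Rows copied from the report's two runs (5111 comes from the Windows 7 run, 5112 from Windows 10).
SAMPLE_ROWS = [
    "US 8.8.8.8:53 g.bing.com udp",
    "US 150.171.28.10:443 g.bing.com tcp",
    "US 8.8.8.8:53 cobolrationumelawrtewarms.com udp",
    "NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp",
    "DE 104.194.157.122:80 104.194.157.122 tcp",
    "US 8.8.8.8:53 tse1.mm.bing.net udp",
    "US 150.171.27.10:443 tse1.mm.bing.net tcp",
    "US 8.8.8.8:53 towerbingobongoboom.com udp",
    "DE 93.186.202.3:4000 towerbingobongoboom.com tcp",
    "DE 93.186.202.3:5112 towerbingobongoboom.com tcp",
    "DE 93.186.202.3:5111 towerbingobongoboom.com tcp",
]

if __name__ == "__main__":
    found, background = triage(SAMPLE_ROWS)
    for name, entry in found.items():
        print(name, entry["labels"], entry["endpoints"])
    print(f"{len(background)} background rows ignored; hunt for: {sorted(indicators(found))}")
```

Because the high port differs between the two runs, block or hunt on the host 93.186.202.3 and the domain rather than on a single port; the raw-IP contact to 104.194.157.122 has no DNS step, so it is only visible in flow or proxy logs, not in DNS telemetry.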

Files

memory/1428-0-0x0000000000110000-0x00000000005D8000-memory.dmp

memory/1428-1-0x0000000077974000-0x0000000077976000-memory.dmp

memory/1428-2-0x0000000000111000-0x000000000013F000-memory.dmp

memory/1428-3-0x0000000000110000-0x00000000005D8000-memory.dmp

memory/1428-4-0x0000000000110000-0x00000000005D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 f75ad0aa5397c534ba69c40f736f6e11
SHA1 294190bb853c05c9603faab7cdc40b01c0e844a4
SHA256 68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221
SHA512 7585ea3d3cfdab7e601792e5ff8441a2719f5cbb09077b4a3c1919f6b997fd583d5eb555c0afb623114f36f2aa035a45cfb2db7486b4f5a168651a1661bdc8bf

memory/2112-17-0x0000000000780000-0x0000000000C48000-memory.dmp

memory/1428-18-0x0000000000110000-0x00000000005D8000-memory.dmp

memory/2112-27-0x0000000000781000-0x00000000007AF000-memory.dmp

memory/2112-26-0x0000000004A60000-0x0000000004A61000-memory.dmp

memory/2112-25-0x0000000004A80000-0x0000000004A81000-memory.dmp

memory/2112-24-0x0000000004A40000-0x0000000004A41000-memory.dmp

memory/2112-23-0x0000000004A20000-0x0000000004A21000-memory.dmp

memory/2112-22-0x0000000004A10000-0x0000000004A11000-memory.dmp

memory/2112-21-0x0000000004A50000-0x0000000004A51000-memory.dmp

memory/2112-20-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

memory/2112-19-0x0000000004A90000-0x0000000004A91000-memory.dmp

memory/2112-28-0x0000000000780000-0x0000000000C48000-memory.dmp

memory/2112-29-0x0000000000780000-0x0000000000C48000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe

MD5 ec23aa1a029ed83e876b9c9276d7c743
SHA1 af2f99ae5e09f4b40788b072ed8e2d34ff3c4a5d
SHA256 b7a31a615cfe0b31a5293cc784a8618e153100399982bf7999983e41b3f81370
SHA512 8e182ba35bb0f4bd268f08583d6cc93c3fb978b0844ee90dd203e971f07289b598cf5baf2213f86294fa69d7c2d7377d4b8603b83b212ba12b59a5e6bf2ff341

memory/2112-44-0x0000000000780000-0x0000000000C48000-memory.dmp

memory/4336-45-0x0000000000400000-0x000000000087F000-memory.dmp

memory/4336-46-0x0000000000400000-0x000000000087F000-memory.dmp

memory/4336-48-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2112-49-0x0000000000780000-0x0000000000C48000-memory.dmp

memory/4336-51-0x0000000000400000-0x000000000087F000-memory.dmp

memory/4336-52-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2112-53-0x0000000000780000-0x0000000000C48000-memory.dmp

memory/4336-54-0x0000000000400000-0x000000000087F000-memory.dmp

memory/4372-56-0x0000000000780000-0x0000000000C48000-memory.dmp

memory/2316-59-0x0000000000400000-0x000000000087F000-memory.dmp

memory/4372-61-0x0000000000780000-0x0000000000C48000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 a527fec4cafc9bac6e0b429f7993d56e
SHA1 a132d609752b53b47c8ec74ddbc912c091ef0e16
SHA256 380be151c9b80dd26e439c2f70ff203bb8cd1522b73d7a27c10158cb03deaacf
SHA512 c25804d9b7b7147aef61d9a00e8e291a7ac3220fd587d3a685c55bd4827f80bdf13e8cb341b8ab6a01cac5f4de50c3e219eca16c07508b96a69a8ed588f44167

memory/4336-63-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2112-64-0x0000000000780000-0x0000000000C48000-memory.dmp

memory/2316-65-0x0000000000400000-0x000000000087F000-memory.dmp

memory/4336-66-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2112-67-0x0000000000780000-0x0000000000C48000-memory.dmp

memory/2316-68-0x0000000000400000-0x000000000087F000-memory.dmp

memory/4336-69-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2112-70-0x0000000000780000-0x0000000000C48000-memory.dmp

memory/2316-71-0x0000000000400000-0x000000000087F000-memory.dmp

memory/4336-72-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2112-73-0x0000000000780000-0x0000000000C48000-memory.dmp

memory/2316-74-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2112-75-0x0000000000780000-0x0000000000C48000-memory.dmp

memory/4336-76-0x0000000000400000-0x000000000087F000-memory.dmp

memory/4336-77-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2316-78-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2112-79-0x0000000000780000-0x0000000000C48000-memory.dmp

memory/3004-81-0x0000000000780000-0x0000000000C48000-memory.dmp

memory/3004-82-0x0000000000780000-0x0000000000C48000-memory.dmp

memory/2316-83-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2112-84-0x0000000000780000-0x0000000000C48000-memory.dmp

memory/2316-85-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2112-86-0x0000000000780000-0x0000000000C48000-memory.dmp

memory/2316-87-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2112-88-0x0000000000780000-0x0000000000C48000-memory.dmp

memory/2316-89-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2112-90-0x0000000000780000-0x0000000000C48000-memory.dmp

memory/2316-91-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2112-92-0x0000000000780000-0x0000000000C48000-memory.dmp

memory/2316-93-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2112-94-0x0000000000780000-0x0000000000C48000-memory.dmp

memory/4384-96-0x0000000000780000-0x0000000000C48000-memory.dmp

memory/2316-97-0x0000000000400000-0x000000000087F000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-27 03:14

Reported

2025-02-27 03:17

Platform

win7-20240903-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\cvcf\gkpwli.exe N/A

Downloads MZ/PE file

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\cvcf\gkpwli.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\cvcf\gkpwli.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Wine C:\ProgramData\cvcf\gkpwli.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Gxtuum.job C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe N/A
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\cvcf\gkpwli.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2132 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2132 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2132 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2648 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe
PID 2648 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe
PID 2648 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe
PID 2648 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe
PID 1472 wrote to memory of 2440 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\cvcf\gkpwli.exe
PID 1472 wrote to memory of 2440 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\cvcf\gkpwli.exe
PID 1472 wrote to memory of 2440 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\cvcf\gkpwli.exe
PID 1472 wrote to memory of 2440 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\cvcf\gkpwli.exe
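The WriteProcessMemory rows above are repeated once per call and read more usefully as a launch chain than as injection: a parent writing into a child it has just started is what ordinary process creation commonly looks like to a sandbox hook, so these rows become injection evidence only when the target is a process the writer did not spawn. The following is an added example, not code from the report, that de-duplicates the rows, rebuilds the tree and picks out the launch coming from taskeng.exe, which is the scheduled task firing inside the analysis window. Treating a taskeng.exe parent as "scheduler" by image name alone is this example's assumption.

```python
"""Rebuild the launch chain from a sandbox's 'PID X wrote to memory of Y' rows.

Row layout (report's table): PID <src> wrote to memory of <dst> N/A <src image> <dst image>
"""
import re

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+)\s+N/A\s+"
    r"(?P<src_path>[A-Za-z]:\\\S+)\s+(?P<dst_path>[A-Za-z]:\\\S+)$"
)

# Parents that only start children on a schedule: a write from one of these into a
# freshly started process is the scheduled task firing (assumption: image name is enough here).
SCHEDULER_IMAGES = {"taskeng.exe"}


def parse_edges(lines):
    """Return de-duplicated (src_pid, dst_pid, src_path, dst_path) edges in first-seen order.

    The report repeats each write once per WriteProcessMemory call (four per child here);
    the PID pair is what matters, so duplicates collapse to one edge.
    """
    seen = {}
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        key = (int(m["src"]), int(m["dst"]))
        seen.setdefault(key, (m["src_path"], m["dst_path"]))
    return [(s, d, sp, dp) for (s, d), (sp, dp) in seen.items()]


def build_tree(edges):
    children, images = {}, {}
    for s, d, sp, dp in edges:
        images.setdefault(s, sp)
        images.setdefault(d, dp)
        children.setdefault(s, []).append(d)
    return children, images


def roots(edges):
    """PIDs that wrote to others but were never written to themselves."""
    return sorted({e[0] for e in edges} - {e[1] for e in edges})


def chains(edges):
    """Every root-to-leaf path, as image basenames."""
    children, images = build_tree(edges)
    paths = []

    def walk(pid, path):
        path = path + [images[pid].rsplit("\\", 1)[-1]]
        if pid not in children:
            paths.append(path)
            return
        for child in children[pid]:
            walk(child, path)

    for root in roots(edges):
        walk(root, [])
    return paths


def scheduled_launches(edges):
    """Images started by the task scheduler during the run, i.e. persistence that already fired."""
    return [dp for s, d, sp, dp in edges
            if sp.rsplit("\\", 1)[-1].lower() in SCHEDULER_IMAGES]


# Rows copied from the report's Windows 7 run; the repeated rows are kept to show they collapse.
SAMPLE_ROWS = [
    r"PID 2132 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe",
    r"PID 2132 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe",
    r"PID 2648 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe",
    r"PID 1472 wrote to memory of 2440 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\cvcf\gkpwli.exe",
    r"PID 1472 wrote to memory of 2440 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\cvcf\gkpwli.exe",
]

if __name__ == "__main__":
    edges = parse_edges(SAMPLE_ROWS)
    for chain in chains(edges):
        print(" -> ".join(chain))
    print("launched by scheduler:", scheduled_launches(edges))
```

The two roots are the submitted sample (PID 2132) and taskeng.exe (PID 1472); the second chain is the one an incident responder cares about, because it shows the C:\ProgramData\cvcf\gkpwli.exe stage surviving independently of the original dropper.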

Processes

C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe

"C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe

"C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {EA8729FF-7092-4AF8-B1B3-159E9C418522} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]

C:\ProgramData\cvcf\gkpwli.exe

C:\ProgramData\cvcf\gkpwli.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 cobolrationumelawrtewarms.com udp
NL 107.189.27.66:80 cobolrationumelawrtewarms.com tcp
DE 104.194.157.122:80 104.194.157.122 tcp
US 8.8.8.8:53 towerbingobongoboom.com udp
DE 93.186.202.3:4000 towerbingobongoboom.com tcp
DE 93.186.202.3:5111 towerbingobongoboom.com tcp

Files

memory/2132-0-0x0000000001310000-0x00000000017D8000-memory.dmp

memory/2132-1-0x0000000076F70000-0x0000000076F72000-memory.dmp

memory/2132-2-0x0000000001311000-0x000000000133F000-memory.dmp

memory/2132-3-0x0000000001310000-0x00000000017D8000-memory.dmp

memory/2132-5-0x0000000001310000-0x00000000017D8000-memory.dmp

\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 f75ad0aa5397c534ba69c40f736f6e11
SHA1 294190bb853c05c9603faab7cdc40b01c0e844a4
SHA256 68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221
SHA512 7585ea3d3cfdab7e601792e5ff8441a2719f5cbb09077b4a3c1919f6b997fd583d5eb555c0afb623114f36f2aa035a45cfb2db7486b4f5a168651a1661bdc8bf

memory/2132-18-0x0000000006C80000-0x0000000007148000-memory.dmp

memory/2132-17-0x0000000001310000-0x00000000017D8000-memory.dmp

memory/2648-20-0x0000000000A30000-0x0000000000EF8000-memory.dmp

memory/2648-21-0x0000000000A31000-0x0000000000A5F000-memory.dmp

memory/2648-22-0x0000000000A30000-0x0000000000EF8000-memory.dmp

memory/2648-24-0x0000000000A30000-0x0000000000EF8000-memory.dmp

memory/2648-25-0x0000000000A30000-0x0000000000EF8000-memory.dmp

memory/2648-26-0x0000000000A30000-0x0000000000EF8000-memory.dmp

memory/2648-28-0x0000000000A30000-0x0000000000EF8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe

MD5 ec23aa1a029ed83e876b9c9276d7c743
SHA1 af2f99ae5e09f4b40788b072ed8e2d34ff3c4a5d
SHA256 b7a31a615cfe0b31a5293cc784a8618e153100399982bf7999983e41b3f81370
SHA512 8e182ba35bb0f4bd268f08583d6cc93c3fb978b0844ee90dd203e971f07289b598cf5baf2213f86294fa69d7c2d7377d4b8603b83b212ba12b59a5e6bf2ff341

memory/2648-44-0x0000000006BA0000-0x000000000701F000-memory.dmp

memory/1716-46-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2648-43-0x0000000006BA0000-0x000000000701F000-memory.dmp

memory/2648-50-0x0000000000A30000-0x0000000000EF8000-memory.dmp

memory/2440-53-0x0000000000400000-0x000000000087F000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 1d8c678adb776f96dc4d11272b68f370
SHA1 0a6badc658d903ef4eaec82ba2e09d8e0c73ec44
SHA256 397b973304bdf5e391ffb4803a208037238cfcc5d6d526e8a744d1214531f82d
SHA512 8a00757ef70290b3bd80109f3b7cebb404df436e660e77b67b3291aed60c0758bd611faf5e3f6580c8cd1bf954f2b68436b42068b9266ea44c0f8801679252f2

memory/2648-55-0x0000000006BA0000-0x000000000701F000-memory.dmp

memory/2648-56-0x0000000006BA0000-0x000000000701F000-memory.dmp

memory/1716-57-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1716-58-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2648-59-0x0000000000A30000-0x0000000000EF8000-memory.dmp

memory/2440-60-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2440-61-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1716-62-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2648-63-0x0000000000A30000-0x0000000000EF8000-memory.dmp

memory/2440-64-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1716-65-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2648-66-0x0000000000A30000-0x0000000000EF8000-memory.dmp

memory/2440-67-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1716-68-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2648-69-0x0000000000A30000-0x0000000000EF8000-memory.dmp

memory/2440-70-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1716-71-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2648-72-0x0000000000A30000-0x0000000000EF8000-memory.dmp

memory/2440-73-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1716-74-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1716-75-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2648-76-0x0000000000A30000-0x0000000000EF8000-memory.dmp

memory/2440-77-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2648-78-0x0000000000A30000-0x0000000000EF8000-memory.dmp

memory/2440-79-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2648-80-0x0000000000A30000-0x0000000000EF8000-memory.dmp

memory/2440-81-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2648-82-0x0000000000A30000-0x0000000000EF8000-memory.dmp

memory/2440-83-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2648-84-0x0000000000A30000-0x0000000000EF8000-memory.dmp

memory/2440-85-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2648-86-0x0000000000A30000-0x0000000000EF8000-memory.dmp

memory/2440-87-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2648-88-0x0000000000A30000-0x0000000000EF8000-memory.dmp

memory/2440-89-0x0000000000400000-0x000000000087F000-memory.dmp