Malware Analysis Report

2025-04-03 09:37

Sample ID: 250227-dtyc1atps3
Target: 68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe
SHA256: 68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221
Tags: amadey systembc a4d2cd defense_evasion discovery trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: 68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221
Threat Level: Known bad (verdict for 68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe)

Malicious Activity Summary

Tags: amadey systembc a4d2cd defense_evasion discovery trojan

Families: Amadey, SystemBC

Behaviour common to both detonations: the submitted executable copies itself to C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe (identical MD5/SHA1/SHA256 to the sample), registers C:\Windows\Tasks\Gxtuum.job, and Gxtuum.exe then downloads a PE and starts C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe (SHA256 b7a31a615cfe0b31a5293cc784a8618e153100399982bf7999983e41b3f81370), which installs its own job, C:\Windows\Tasks\Test Task17.job. Every stage, including the copies later started from those jobs, runs the same VirtualBox, Wine, BIOS-version and language checks. Network contact is to cobolrationumelawrtewarms.com over HTTP, to 104.194.157.122:80 directly, and to towerbingobongoboom.com on port 4000 plus one further port.

Signatures:

Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Identifies Wine through registry keys
Checks BIOS information in registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-02-27 03:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-02-27 03:18

Reported

2025-02-27 03:21

Platform

win7-20240903-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tactic: defense_evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\qbthhj\jpximv.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe | N/A

Downloads MZ/PE file

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\qbthhj\jpximv.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\qbthhj\jpximv.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe | N/A

Identifies Wine through registry keys

Tactic: defense_evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | C:\ProgramData\qbthhj\jpximv.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe | N/A
File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe | N/A
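Both detonations persist through Task Scheduler 1.0 job files in C:\Windows\Tasks: the sample writes Gxtuum.job for its own copy, and systemdrive.exe writes Test Task17.job; in the Windows 7 run it is taskeng.exe that later starts C:\ProgramData\qbthhj\jpximv.exe. The report carries only the hashes of these .job files, not their contents, so the following added example (not part of the report or of the sandbox's tooling) assembles a job in the legacy .JOB binary layout documented in MS-TSCH, parses it back, and applies the triage rules an analyst would run over the real files. The application path, the every-minute DAILY trigger and the triage thresholds are assumptions chosen to mirror this report, not values read from the page.

```python
import struct

# Trigger types from the MS-TSCH .JOB specification (section 2.4.2.11).
TRIGGER_TYPES = {0: "ONCE", 1: "DAILY", 2: "WEEKLY", 3: "MONTHLYDATE", 4: "MONTHLYDOW",
                 5: "EVENT_ON_IDLE", 6: "EVENT_AT_SYSTEMSTART", 7: "EVENT_AT_LOGON"}
FIXED_FMT = "<HH16sHHHHHHIIIII"  # FIXDLEN_DATA up to the 16-byte SYSTEMTIME that ends it
FIXED_LEN = 68
TRIGGER_FMT = "<HHHHHHHHHHIIII"   # first 36 bytes of a 48-byte trigger; the rest is specific/reserved
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


def _put_ustr(s):
    """Length-prefixed UTF-16LE string; the count includes the terminating NUL, 0 means absent."""
    if not s:
        return struct.pack("<H", 0)
    return struct.pack("<H", len(s) + 1) + (s + "\0").encode("utf-16-le")


def _get_ustr(buf, off):
    (n,) = struct.unpack_from("<H", buf, off)
    off += 2
    if n == 0:
        return "", off
    end = off + 2 * n
    if end > len(buf):
        raise ValueError("string runs past end of file")
    return buf[off:end].decode("utf-16-le").rstrip("\0"), end


def build_job(app, params="", workdir="", author="", comment="", interval_min=1):
    """Assemble a minimal .JOB with one DAILY trigger that repeats every interval_min minutes."""
    var = struct.pack("<H", 0)                       # running instance count
    for s in (app, params, workdir, author, comment):
        var += _put_ustr(s)
    var += struct.pack("<H", 0)                      # user data: none
    var += struct.pack("<H", 8) + bytes(8)           # reserved data (TASKRESERVED1)
    trigger_off = FIXED_LEN + len(var)               # offset of the trigger count field
    trigger = struct.pack(TRIGGER_FMT, 48, 0, 2025, 2, 27, 0, 0, 0, 3, 18,
                          24 * 60, interval_min, 0, 1) + bytes(12)
    var += struct.pack("<H", 1) + trigger
    fixed = struct.pack(FIXED_FMT, 0x0601, 1, bytes(16), FIXED_LEN + 2, trigger_off,
                        0, 0, 0, 0, 0x20, 72 * 3600 * 1000, 0, 0, 0) + bytes(16)
    return fixed + var


def parse_job(buf):
    """Decode the fields an analyst needs: what runs, with what, on which schedule."""
    if len(buf) < FIXED_LEN:
        raise ValueError("shorter than the 68-byte fixed section")
    f = struct.unpack_from(FIXED_FMT, buf, 0)
    if f[1] != 1:
        raise ValueError(f"unsupported .JOB file version {f[1]}")
    job, off = {}, f[3]                              # App Name Len Offset
    for name in ("application", "parameters", "working_dir", "author", "comment"):
        job[name], off = _get_ustr(buf, off)
    (count,) = struct.unpack_from("<H", buf, f[4])   # Trigger Offset
    off, triggers = f[4] + 2, []
    for _ in range(count):
        t = struct.unpack_from(TRIGGER_FMT, buf, off)
        if t[0] < 36:
            raise ValueError("trigger record too small")
        triggers.append({"type": TRIGGER_TYPES.get(t[13], f"UNKNOWN({t[13]})"),
                         "begin": f"{t[2]:04d}-{t[3]:02d}-{t[4]:02d} {t[8]:02d}:{t[9]:02d}",
                         "minutes_duration": t[10], "minutes_interval": t[11]})
        off += t[0]
    job.update(uuid=f[2].hex(), max_run_ms=f[10], flags=f[13], triggers=triggers)
    return job


def triage(job):
    """Reasons a job looks like malware persistence rather than an administrator's task."""
    reasons, app = [], job["application"].lower()
    if any(d in app for d in USER_WRITABLE):
        reasons.append("runs from a user-writable directory")
    for t in job["triggers"]:
        if t["minutes_interval"] and t["minutes_interval"] <= 5:
            reasons.append(f"repeats every {t['minutes_interval']} min")
    if not job["author"] and not job["comment"]:
        reasons.append("no author/comment")
    return reasons


if __name__ == "__main__":
    blob = build_job(r"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe")  # assumed task body
    job = parse_job(blob)
    print(job["application"], job["triggers"], triage(job))
```

Against a real file, call parse_job(open(path, "rb").read()). A job whose application lives under %TEMP% or C:\ProgramData, repeats every few minutes and carries no author is, like the two in this report, a persistence artefact to collect and delete before the payload is removed, otherwise the scheduler re-launches it.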

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tactic: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\qbthhj\jpximv.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe | N/A
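Every stage in this report, including the copies later started from the scheduled jobs, reads the same small set of registry paths: the VirtualBox ACPI table name, the system and video BIOS version strings, the Wine vendor key, and the install language (plus Control Panel\International\Geo\Nation in the Windows 10 run). Individually these reads are unremarkable; together, from a process that was just dropped into %TEMP%, they are the sandbox check. The following is an added example, not the sandbox's own signature logic: it scores per-process registry events (as Sysmon or procmon would emit them) against those paths and flags a process only when it hits two or more of the purely evasive ones, so the locale reads alone never fire. The event list is constructed from the tables above; extending the DSDT check to the FADT and RSDT tables, which VirtualBox stamps with the same VBOX__ id, goes beyond what the page shows.

```python
import re
from collections import defaultdict

# Registry paths from the report's signature tables, each mapped to the check it implies.
# Patterns accept the kernel spelling (\REGISTRY\MACHINE, \REGISTRY\USER\<SID>) that the
# sandbox prints as well as HKLM/HKU spellings from Sysmon or procmon, and ignore case.
# FADT/RSDT are an assumption: VirtualBox stamps those ACPI tables with the same VBOX__ OEM id.
ANTI_ANALYSIS_RULES = [
    ("virtualbox_acpi", re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__", re.I)),
    ("bios_fingerprint", re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(System|Video)BiosVersion$", re.I)),
    ("wine_detection", re.compile(r"\\Software\\Wine$", re.I)),
    ("language_discovery", re.compile(r"\\Control\\NLS\\Language$", re.I)),
    ("geo_discovery", re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)),
]
# Only these serve no purpose except to detect an analysis box; the locale keys are read by
# installers and the shell all day and must not raise an alert on their own.
EVASION = {"virtualbox_acpi", "bios_fingerprint", "wine_detection"}


def classify_key(path):
    """Technique label for one registry path, or None when no rule matches."""
    for label, rx in ANTI_ANALYSIS_RULES:
        if rx.search(path):
            return label
    return None


def score_processes(events):
    """events: iterable of (image_path, registry_key). Returns {image: sorted list of techniques}."""
    hits = defaultdict(set)
    for image, key in events:
        label = classify_key(key)
        if label:
            hits[image].add(label)
    return {image: sorted(labels) for image, labels in hits.items()}


def flag_suspicious(scores, min_evasion=2):
    """Images that hit at least min_evasion distinct evasion techniques, sorted by path."""
    return sorted(image for image, labels in scores.items()
                  if len(EVASION.intersection(labels)) >= min_evasion)


# Constructed events modelled on the behavioral1/behavioral2 tables, plus benign shell noise.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe"
GXTUUM = r"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"
SYSTEMDRIVE = r"C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe"
EXPLORER = r"C:\Windows\explorer.exe"
HKLM = r"\REGISTRY\MACHINE"
HKU = r"\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000"

SAMPLE_EVENTS = [
    (SAMPLE, HKLM + r"\HARDWARE\ACPI\DSDT\VBOX__"),
    (SAMPLE, HKLM + r"\HARDWARE\DESCRIPTION\System\VideoBiosVersion"),
    (SAMPLE, HKU + r"\Software\Wine"),
    (SAMPLE, HKLM + r"\SYSTEM\ControlSet001\Control\NLS\Language"),
    (GXTUUM, HKLM + r"\HARDWARE\ACPI\DSDT\VBOX__"),
    (GXTUUM, HKLM + r"\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (GXTUUM, HKU + r"\Control Panel\International\Geo\Nation"),
    (SYSTEMDRIVE, HKLM + r"\HARDWARE\ACPI\DSDT\VBOX__"),
    (SYSTEMDRIVE, HKU + r"\Software\Wine"),
    (EXPLORER, HKLM + r"\SYSTEM\ControlSet001\Control\NLS\Language"),  # benign: shell reads the UI language
    (EXPLORER, HKU + r"\Control Panel\International\Geo\Nation"),      # benign: region lookup
]


def demo():
    """Score the constructed events and return the flagged image paths."""
    return flag_suspicious(score_processes(SAMPLE_EVENTS))


if __name__ == "__main__":
    for image, labels in score_processes(SAMPLE_EVENTS).items():
        print(image, labels)
    print("flagged:", demo())
```

The threshold is deliberately a count of distinct evasion techniques rather than of events: a process that reads VideoBiosVersion a hundred times is no more suspicious than one that reads it once, but one that reads the BIOS strings and then opens Software\Wine has no legitimate reason for the pair.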

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2524 wrote to memory of 2832 (4 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2832 wrote to memory of 2436 (4 writes) | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe
PID 1868 wrote to memory of 1752 (4 writes) | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\qbthhj\jpximv.exe

In each pair the target is the process the writer has just created, so this table reads as the execution chain rather than as injection into an unrelated process: the dropper (2524) starts Gxtuum.exe (2832), Gxtuum.exe starts systemdrive.exe (2436), and the Windows 7 task engine (1868) starts jpximv.exe (1752) from a scheduled job.
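The WriteProcessMemory rows above are the sandbox's record of which process started which: four writes per parent/child pair, the child always a freshly created process. Read as edges they give the execution chain and, once the parent is taskeng.exe, show which child was launched by a scheduled job rather than by the dropper. This added example (not part of the report) parses rows in the printed format, collapses the repeats into counts, renders the tree and lists the task-launched payloads that run from user-writable paths. The rows are constructed copies of the table above; treating svchost.exe as a task launcher alongside taskeng.exe is an assumption for Windows 10 hosts, where the report shows no launcher process.

```python
import re
from collections import Counter, defaultdict

# One 'Suspicious use of WriteProcessMemory' row as the sandbox prints it:
#   PID <parent> wrote to memory of <child> N/A <parent image> <child image>
# The image paths in this report contain no spaces, so \S+ is enough; a report with spaces
# in paths would need the Process/Target columns split another way.
ROW_RX = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Processes that start jobs for the Task Scheduler: a child of one of these came from a
# scheduled task. taskeng.exe is the Windows 7 engine seen in this report; svchost.exe
# (hosting the Schedule service) is an assumption for Windows 10 hosts.
TASK_LAUNCHERS = {"taskeng.exe", "svchost.exe"}
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\")


def parse_rows(lines):
    """Return (edges, images): writes per (parent_pid, child_pid) and a PID -> image map."""
    edges, images = Counter(), {}
    for line in lines:
        m = ROW_RX.match(line.strip())
        if not m:
            continue
        ppid, cpid = int(m.group(1)), int(m.group(2))
        edges[(ppid, cpid)] += 1
        images[ppid], images[cpid] = m.group(3), m.group(4)
    return edges, images


def lineage(edges):
    """Root PIDs (nobody wrote into them) and a parent -> [children] map."""
    children, has_parent = defaultdict(list), set()
    for p, c in edges:
        children[p].append(c)
        has_parent.add(c)
    roots = sorted(p for p in children if p not in has_parent)
    return roots, children


def render(edges, images):
    """One indented chain per root, with the write count on each child."""
    roots, children = lineage(edges)
    out = []

    def walk(pid, depth, writes=None):
        tag = f"  <- {writes} writes from parent" if writes else ""
        out.append("  " * depth + f"{pid} {images[pid]}{tag}")
        for c in sorted(children.get(pid, [])):
            walk(c, depth + 1, edges[(pid, c)])

    for r in roots:
        walk(r, 0)
    return "\n".join(out)


def task_launched_payloads(edges, images):
    """Images a scheduler launcher started from a user-writable path: persistence firing."""
    found = set()
    for p, c in edges:
        parent = images[p].rsplit("\\", 1)[-1].lower()
        if parent in TASK_LAUNCHERS and any(d in images[c].lower() for d in USER_WRITABLE):
            found.add(images[c])
    return sorted(found)


# Constructed copies of the behavioral1 rows above (four writes per pair, as the report shows).
SAMPLE_ROWS = (
    [r"PID 2524 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"] * 4
    + [r"PID 2832 wrote to memory of 2436 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe"] * 4
    + [r"PID 1868 wrote to memory of 1752 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\qbthhj\jpximv.exe"] * 4
)

if __name__ == "__main__":
    edges, images = parse_rows(SAMPLE_ROWS)
    print(render(edges, images))
    print("task-launched payloads:", task_launched_payloads(edges, images))
```

Two roots come out of this report's rows, 2524 (the sample) and 1868 (taskeng.exe), which is the shape to expect whenever a dropper's persistence has already fired inside the detonation window: the second root is not a second infection but the first one re-launching itself.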

Processes

C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe
"C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe
"C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe"

C:\Windows\system32\taskeng.exe
taskeng.exe {2C380163-C5EC-4FC9-8982-8B3B74183619} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]

C:\ProgramData\qbthhj\jpximv.exe
C:\ProgramData\qbthhj\jpximv.exe

taskeng.exe is the Windows 7 Task Scheduler engine; it is the process that writes into and starts jpximv.exe (see the WriteProcessMemory table), so that stage was launched by a scheduled job rather than directly by the dropper. jpximv.exe is not among the files the sandbox captured, so only its path and its memory regions (identical to those of systemdrive.exe, PID 2436) are known from this run.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp
NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp
DE | 104.194.157.122:80 | 104.194.157.122 | tcp
US | 8.8.8.8:53 | towerbingobongoboom.com | udp
DE | 93.186.202.3:4000 | towerbingobongoboom.com | tcp
DE | 93.186.202.3:5417 | towerbingobongoboom.com | tcp

The report does not attribute connections to processes. The second towerbingobongoboom.com port is 5417 here and 5418 on the Windows 10 run; port 4000 is reached in both, and the two domains and three IPs are the indicators to block.

Files

memory/2524-0-0x0000000000150000-0x0000000000618000-memory.dmp

memory/2524-1-0x00000000772C0000-0x00000000772C2000-memory.dmp

memory/2524-2-0x0000000000151000-0x000000000017F000-memory.dmp

memory/2524-3-0x0000000000150000-0x0000000000618000-memory.dmp

memory/2524-5-0x0000000000150000-0x0000000000618000-memory.dmp

\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 f75ad0aa5397c534ba69c40f736f6e11
SHA1 294190bb853c05c9603faab7cdc40b01c0e844a4
SHA256 68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221
SHA512 7585ea3d3cfdab7e601792e5ff8441a2719f5cbb09077b4a3c1919f6b997fd583d5eb555c0afb623114f36f2aa035a45cfb2db7486b4f5a168651a1661bdc8bf

All four hashes match the submitted sample: Gxtuum.exe is a byte-for-byte self-copy, which is what Gxtuum.job is scheduled to run.

memory/2524-18-0x0000000000150000-0x0000000000618000-memory.dmp

memory/2832-20-0x0000000001070000-0x0000000001538000-memory.dmp

memory/2524-19-0x0000000006B20000-0x0000000006FE8000-memory.dmp

memory/2832-21-0x0000000001071000-0x000000000109F000-memory.dmp

memory/2832-22-0x0000000001070000-0x0000000001538000-memory.dmp

memory/2832-24-0x0000000001070000-0x0000000001538000-memory.dmp

memory/2832-25-0x0000000001070000-0x0000000001538000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe

MD5 ec23aa1a029ed83e876b9c9276d7c743
SHA1 af2f99ae5e09f4b40788b072ed8e2d34ff3c4a5d
SHA256 b7a31a615cfe0b31a5293cc784a8618e153100399982bf7999983e41b3f81370
SHA512 8e182ba35bb0f4bd268f08583d6cc93c3fb978b0844ee90dd203e971f07289b598cf5baf2213f86294fa69d7c2d7377d4b8603b83b212ba12b59a5e6bf2ff341

memory/2832-33-0x0000000001070000-0x0000000001538000-memory.dmp

memory/2832-42-0x0000000001070000-0x0000000001538000-memory.dmp

memory/2832-44-0x0000000001070000-0x0000000001538000-memory.dmp

memory/2832-43-0x0000000006F30000-0x00000000073AF000-memory.dmp

memory/2832-46-0x0000000006F30000-0x00000000073AF000-memory.dmp

memory/2832-45-0x0000000001070000-0x0000000001538000-memory.dmp

memory/2832-48-0x0000000001070000-0x0000000001538000-memory.dmp

memory/2436-47-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1752-54-0x0000000000400000-0x000000000087F000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 67b5852a0c055446400c7575690d9f1e
SHA1 4dd054cdbff936f4e06f82c509d41a1a5abaa74f
SHA256 326e215bd68148cc5b0d3b0efea633d2121af4f40f66a9af7ac532e8d05416b4
SHA512 a678eac244ced8d52c16dfc8f9ea3914f20bbb505c1a3cdf50979c7e0c34ee3aaebd20800e1e079b9962a92937a3d1e2d2d021f740420eb276718b064f288114

memory/2832-56-0x0000000006F30000-0x00000000073AF000-memory.dmp

memory/2832-59-0x0000000006F30000-0x00000000073AF000-memory.dmp

memory/2436-58-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2832-57-0x0000000001070000-0x0000000001538000-memory.dmp

memory/2436-60-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1752-61-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1752-62-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2436-63-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2832-64-0x0000000001070000-0x0000000001538000-memory.dmp

memory/1752-65-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2436-66-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2832-67-0x0000000001070000-0x0000000001538000-memory.dmp

memory/1752-68-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2436-69-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2832-70-0x0000000001070000-0x0000000001538000-memory.dmp

memory/1752-71-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2436-72-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2832-73-0x0000000001070000-0x0000000001538000-memory.dmp

memory/1752-74-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2832-75-0x0000000001070000-0x0000000001538000-memory.dmp

memory/2436-76-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2436-77-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1752-78-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2832-79-0x0000000001070000-0x0000000001538000-memory.dmp

memory/1752-80-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2832-81-0x0000000001070000-0x0000000001538000-memory.dmp

memory/1752-82-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2832-83-0x0000000001070000-0x0000000001538000-memory.dmp

memory/1752-84-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2832-85-0x0000000001070000-0x0000000001538000-memory.dmp

memory/1752-86-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2832-87-0x0000000001070000-0x0000000001538000-memory.dmp

memory/1752-88-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2832-89-0x0000000001070000-0x0000000001538000-memory.dmp

memory/1752-90-0x0000000000400000-0x000000000087F000-memory.dmp

memory/2832-91-0x0000000001070000-0x0000000001538000-memory.dmp

memory/1752-92-0x0000000000400000-0x000000000087F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-02-27 03:18

Reported

2025-02-27 03:21

Platform

win10v2004-20250217-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe"

Signatures

Amadey

trojan amadey

Amadey family

amadey

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tactic: defense_evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe (4 instances) | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\hrff\sxfluss.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe | N/A

Downloads MZ/PE file

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\hrff\sxfluss.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\hrff\sxfluss.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe (4 instances) | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe (4 instances) | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A

Identifies Wine through registry keys

Tactic: defense_evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe (4 instances) | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine | C:\ProgramData\hrff\sxfluss.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe | N/A
File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Tactic: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\hrff\sxfluss.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe
"C:\Users\Admin\AppData\Local\Temp\68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe
"C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe"

C:\ProgramData\hrff\sxfluss.exe
C:\ProgramData\hrff\sxfluss.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe (three further instances, each with the unquoted command line C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe)

The repeated Gxtuum.exe launches with an unquoted command line are consistent with Gxtuum.job firing during the detonation window; this run has no WriteProcessMemory table and lists no launcher process, so the report does not show what started them. sxfluss.exe plays the role jpximv.exe played on Windows 7: a copy under C:\ProgramData with a random directory name that runs the same registry checks.

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | tse1.mm.bing.net | udp (2 queries)
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp (8 connections)
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp
NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp
DE | 104.194.157.122:80 | 104.194.157.122 | tcp
US | 8.8.8.8:53 | towerbingobongoboom.com | udp
DE | 93.186.202.3:4000 | towerbingobongoboom.com | tcp
DE | 93.186.202.3:5418 | towerbingobongoboom.com | tcp

The bing.net and bing.com traffic is the Windows 10 image's own background activity and not an indicator for this sample; the report does not attribute connections to processes. The sample-related destinations are the same as on Windows 7 except for the second towerbingobongoboom.com port (5418 here, 5417 there).

Files

memory/1656-0-0x0000000000F30000-0x00000000013F8000-memory.dmp

memory/1656-1-0x00000000772F4000-0x00000000772F6000-memory.dmp

memory/1656-2-0x0000000000F31000-0x0000000000F5F000-memory.dmp

memory/1656-3-0x0000000000F30000-0x00000000013F8000-memory.dmp

memory/1656-5-0x0000000000F30000-0x00000000013F8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 f75ad0aa5397c534ba69c40f736f6e11
SHA1 294190bb853c05c9603faab7cdc40b01c0e844a4
SHA256 68d67de87d8e3e8fbad2ca93d29365eb21a387f724c28c24b595360333a84221
SHA512 7585ea3d3cfdab7e601792e5ff8441a2719f5cbb09077b4a3c1919f6b997fd583d5eb555c0afb623114f36f2aa035a45cfb2db7486b4f5a168651a1661bdc8bf

As on Windows 7, all four hashes match the submitted sample: Gxtuum.exe is a self-copy.

memory/1656-17-0x0000000000F30000-0x00000000013F8000-memory.dmp

memory/1996-18-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/1996-19-0x00000000009E1000-0x0000000000A0F000-memory.dmp

memory/1996-20-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/1996-21-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/1996-22-0x00000000009E0000-0x0000000000EA8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\10000300101\systemdrive.exe

MD5 ec23aa1a029ed83e876b9c9276d7c743
SHA1 af2f99ae5e09f4b40788b072ed8e2d34ff3c4a5d
SHA256 b7a31a615cfe0b31a5293cc784a8618e153100399982bf7999983e41b3f81370
SHA512 8e182ba35bb0f4bd268f08583d6cc93c3fb978b0844ee90dd203e971f07289b598cf5baf2213f86294fa69d7c2d7377d4b8603b83b212ba12b59a5e6bf2ff341

memory/1996-36-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/4460-38-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1996-40-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/4460-42-0x0000000000400000-0x000000000087F000-memory.dmp

memory/4460-41-0x0000000000401000-0x0000000000403000-memory.dmp

memory/1996-44-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/4460-45-0x0000000000400000-0x000000000087F000-memory.dmp

memory/4460-47-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1796-48-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/4348-51-0x0000000000400000-0x000000000087F000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 06ab5b37fec1cc0b2952827cb98747d5
SHA1 aec5955d0475e29eb02e87ea48850a87b57a0a46
SHA256 840e215036dfa2caf14d39fcca6b5d73120c12bf18273be88ad961b6d6d6b1e4
SHA512 fcaf16176c21eccd1b56726f8ccfeee351dc63a44941a84a706b579f5a5e427e3d27689576144318926db08e9ed22aa18e61210c4740709d04732a4aab99425f

memory/1796-54-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/1996-56-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/4348-58-0x0000000000400000-0x000000000087F000-memory.dmp

memory/4460-59-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1996-60-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/4460-61-0x0000000000400000-0x000000000087F000-memory.dmp

memory/4348-62-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1996-63-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/4460-64-0x0000000000400000-0x000000000087F000-memory.dmp

memory/4348-65-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1996-66-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/4460-67-0x0000000000400000-0x000000000087F000-memory.dmp

memory/4348-68-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1996-69-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/4460-70-0x0000000000400000-0x000000000087F000-memory.dmp

memory/4348-71-0x0000000000400000-0x000000000087F000-memory.dmp

memory/4460-73-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1996-74-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/4332-76-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/4332-77-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/4348-78-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1996-79-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/4348-80-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1996-81-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/4348-82-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1996-83-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/4348-84-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1996-85-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/4348-86-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1996-87-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/4348-88-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1996-89-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/2844-91-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/4348-92-0x0000000000400000-0x000000000087F000-memory.dmp

memory/1996-93-0x00000000009E0000-0x0000000000EA8000-memory.dmp

memory/4348-94-0x0000000000400000-0x000000000087F000-memory.dmp