Malware Analysis Report

2025-04-03 09:30

Sample ID: 250302-pedwlatye1
Target: 73636685f823d103c54b30bc457c7f0d.exe
SHA256: 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c
Tags: a4d2cd amadey systembc defense_evasion discovery trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10

SHA256: 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c

Threat Level: Known bad

The file 73636685f823d103c54b30bc457c7f0d.exe was found to be: Known bad.

Malicious Activity Summary

a4d2cd amadey systembc defense_evasion discovery trojan

Amadey family

SystemBC

Systembc family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Checks BIOS information in registry

Identifies Wine through registry keys

Checks computer location settings

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-03-02 12:14

Signatures

Amadey family

amadey

Analysis: behavioral1

Detonation Overview

Submitted: 2025-03-02 12:14
Reported: 2025-03-02 12:16
Platform: win7-20240903-en
Max time kernel: 146s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe"

Signatures

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\tahpbpt\iiko.exe | N/A

Downloads MZ/PE file

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\tahpbpt\iiko.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\tahpbpt\iiko.exe | N/A

Identifies Wine through registry keys

defense_evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine | C:\ProgramData\tahpbpt\iiko.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
N/A | N/A | C:\ProgramData\tahpbpt\iiko.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe | N/A
File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\tahpbpt\iiko.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
N/A | N/A | C:\ProgramData\tahpbpt\iiko.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2096 wrote to memory of 1668 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1668 wrote to memory of 2860 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe
PID 348 wrote to memory of 2052 (4 events) | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\tahpbpt\iiko.exe

Processes

C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe

"C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe

"C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {7003B891-D467-493F-AF77-CD1F882D6E03} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]

C:\ProgramData\tahpbpt\iiko.exe

C:\ProgramData\tahpbpt\iiko.exe
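The WriteProcessMemory rows and the process list above are enough to reconstruct which process wrote into which. The Python below is an added example and not part of the sandbox report: it embeds the twelve rows in the sandbox's original one-line-per-event layout, parses them (assuming the report's column order and that the image paths carry no spaces, which holds for these rows), collapses the repeated events into counts, and renders each chain from the root PID that nobody wrote into down to the leaf. On this run that gives the sample writing into Gxtuum.exe (its own copy, per the identical hashes in the Files section), Gxtuum.exe writing into rundrive.exe, and taskeng.exe (the Task Scheduler engine) writing into iiko.exe; the report does not state which scheduled task launched iiko.exe.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# "Suspicious use of WriteProcessMemory" rows from behavioral1, copied from the
# report in its flat layout: Description, Indicator, Process, Target.
WPM_ROWS = r"""
PID 2096 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2096 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2096 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2096 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 1668 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe
PID 1668 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe
PID 1668 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe
PID 1668 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe
PID 348 wrote to memory of 2052 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\tahpbpt\iiko.exe
PID 348 wrote to memory of 2052 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\tahpbpt\iiko.exe
PID 348 wrote to memory of 2052 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\tahpbpt\iiko.exe
PID 348 wrote to memory of 2052 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\tahpbpt\iiko.exe
"""

# One row: "PID <src> wrote to memory of <dst> N/A <src image> <dst image>".
# Assumes the image paths contain no spaces, which is true for these rows.
_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+N/A\s+(\S+)\s+(\S+)\s*$")


def parse_rows(text):
    """Collapse repeated rows into a Counter keyed by
    (src_pid, dst_pid, src_image, dst_image) -> number of write events."""
    edges = Counter()
    for line in text.strip().splitlines():
        m = _ROW.match(line.strip())
        if m:
            src, dst, src_img, dst_img = m.groups()
            edges[(int(src), int(dst), src_img, dst_img)] += 1
    return edges


def build_chains(edges):
    """Walk from root PIDs (never written to by anyone) down to leaves.
    Each chain is a list of (pid, image basename, writes received)."""
    children = defaultdict(list)
    image = {}
    written_to = set()
    for (src, dst, src_img, dst_img), n in edges.items():
        children[src].append((dst, n))
        image[src], image[dst] = src_img, dst_img
        written_to.add(dst)
    chains = []

    def walk(pid, path):
        if not children.get(pid):
            chains.append(path)
            return
        for dst, n in sorted(children[pid]):
            walk(dst, path + [(dst, PureWindowsPath(image[dst]).name, n)])

    for root in sorted(p for p in image if p not in written_to):
        walk(root, [(root, PureWindowsPath(image[root]).name, 0)])
    return chains


def render(chains):
    """One line per chain, e.g. '2096 a.exe -> 1668 b.exe (x4 writes)'."""
    lines = []
    for chain in chains:
        parts = [f"{pid} {name}" + (f" (x{n} writes)" if n else "")
                 for pid, name, n in chain]
        lines.append(" -> ".join(parts))
    return lines


if __name__ == "__main__":
    for line in render(build_chains(parse_rows(WPM_ROWS))):
        print(line)
```

Roots are chosen purely from the rows, so taskeng.exe comes out as a second root: the table records no write into it, which is what you expect for a service-launched process, and the chain it heads is the one to look at when deciding whether the dropped task is the persistence mechanism.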

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp
NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp
LU | 45.59.120.8:80 | 45.59.120.8 | tcp
US | 8.8.8.8:53 | towerbingobongoboom.com | udp
US | 213.209.150.137:4000 | towerbingobongoboom.com | tcp
US | 213.209.150.137:4458 | towerbingobongoboom.com | tcp

Files

memory/2096-1-0x0000000000210000-0x0000000000211000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 73636685f823d103c54b30bc457c7f0d
SHA1 597dba03dce00cf6d30b082c80c8f9108ae90ccf
SHA256 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c
SHA512 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7

C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe

MD5 9218e5cad03c752f237ed87a9e52def4
SHA1 0ccddab0d87776d78c613c6e7a6f3bce93ffc3d3
SHA256 833610e95cc965e70096620e0adaa8917963df9f9ec56e00af1ff331161a7971
SHA512 4ca94c23bf82bee5ff5a7f7e318e99c084f7403cdc2e23276087f55620f9e9f988a7a6816fedcd2f853a21fe645c3cc89f7b2f6f05f792b549fd698fd14f5cb3

memory/1668-25-0x0000000004460000-0x00000000048B6000-memory.dmp

memory/2860-28-0x0000000000400000-0x0000000000856000-memory.dmp

memory/1668-27-0x0000000004460000-0x00000000048B6000-memory.dmp

memory/2860-29-0x0000000077B30000-0x0000000077B32000-memory.dmp

memory/2860-33-0x0000000000400000-0x0000000000856000-memory.dmp

memory/2860-30-0x0000000000401000-0x0000000000403000-memory.dmp

memory/2860-35-0x0000000000400000-0x0000000000856000-memory.dmp

memory/2860-36-0x0000000000400000-0x0000000000856000-memory.dmp

memory/2860-37-0x0000000000400000-0x0000000000856000-memory.dmp

memory/2860-38-0x0000000000400000-0x0000000000856000-memory.dmp

memory/2860-39-0x0000000000400000-0x0000000000856000-memory.dmp

memory/2860-40-0x0000000000400000-0x0000000000856000-memory.dmp

memory/2052-43-0x0000000000400000-0x0000000000856000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 ebe8caed29bf8ef7326a472bb30fd084
SHA1 0ec0eadbda6ab4f93fbf8431666b206b481519dd
SHA256 8afd1e1e78d7472991a614a870811ecf27a337a5826f5c97c5e078086187b290
SHA512 348502ab3de75561f372ddb2933dadecbdc3d6620d91d5459a1dd200113162c67b8af9ca4356831f619f05f25f028e6cc6be2c4f7b18ad1da07962e00df946d6

memory/2860-45-0x0000000000400000-0x0000000000856000-memory.dmp

memory/2052-46-0x0000000000400000-0x0000000000856000-memory.dmp

memory/2052-47-0x0000000000400000-0x0000000000856000-memory.dmp

memory/2860-48-0x0000000000400000-0x0000000000856000-memory.dmp

memory/2052-49-0x0000000000400000-0x0000000000856000-memory.dmp

memory/2860-51-0x0000000000400000-0x0000000000856000-memory.dmp

memory/2052-53-0x0000000000400000-0x0000000000856000-memory.dmp

memory/2052-54-0x0000000000400000-0x0000000000856000-memory.dmp

memory/2052-55-0x0000000000400000-0x0000000000856000-memory.dmp

memory/2052-56-0x0000000000400000-0x0000000000856000-memory.dmp

memory/2052-57-0x0000000000400000-0x0000000000856000-memory.dmp

memory/2052-58-0x0000000000400000-0x0000000000856000-memory.dmp

memory/2052-59-0x0000000000400000-0x0000000000856000-memory.dmp

memory/2052-60-0x0000000000400000-0x0000000000856000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2025-03-02 12:14
Reported: 2025-03-02 12:16
Platform: win10v2004-20250217-en
Max time kernel: 147s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe"

Signatures

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\vhmsjp\uqlg.exe | N/A

Downloads MZ/PE file

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\vhmsjp\uqlg.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\vhmsjp\uqlg.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe | N/A

Identifies Wine through registry keys

defense_evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Wine | C:\ProgramData\vhmsjp\uqlg.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
N/A | N/A | C:\ProgramData\vhmsjp\uqlg.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe | N/A
File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\vhmsjp\uqlg.exe | N/A
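The registry lookups listed under the VirtualBox, BIOS, Wine, location and language signatures in both behavioral runs are the raw material for a host-side detection. The Python below is an added example and not part of the sandbox report: it normalises native \REGISTRY\MACHINE and \REGISTRY\USER\<SID> paths so the rule is not tied to the SIDs of these two sandbox images, labels each lookup with the registry paths taken from this report, and gives a per-process verdict in which the VirtualBox, BIOS and Wine lookups count as anti-analysis while NLS\Language and Geo\Nation on their own count only as discovery, because legitimate installers query those too. The event tuples are constructed for the example: the rundrive.exe and sample rows mirror lookups recorded in this report, the explorer.exe row is invented as a benign control.

```python
import re

# Registry objects the report shows the dropped binaries opening or querying,
# keyed by a normalised path (see normalise_key) and labelled by what the
# lookup tells the malware. The paths are the ones in this report's signatures.
ANTI_ANALYSIS_KEYS = {
    r"HKLM\HARDWARE\ACPI\DSDT\VBOX__": "virtualbox_acpi",
    r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion": "bios_version",
    r"HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion": "bios_version",
    r"HKU\Software\Wine": "wine",
    r"HKLM\SYSTEM\ControlSet001\Control\NLS\Language": "language_discovery",
    r"HKU\Control Panel\International\Geo\Nation": "geo_discovery",
}
_LOOKUP = {k.lower(): v for k, v in ANTI_ANALYSIS_KEYS.items()}

# Labels that only make sense as sandbox/VM evasion. The two discovery labels
# are too common in legitimate software to alert on by themselves.
EVASION_LABELS = {"virtualbox_acpi", "bios_version", "wine"}

_MACHINE_HIVE = re.compile(r"^\\REGISTRY\\MACHINE(?:\\|$)", re.I)
_USER_HIVE = re.compile(r"^\\REGISTRY\\USER\\S-1-5-21(?:-\d+){4}(?:\\|$)", re.I)


def normalise_key(path):
    """Rewrite a native NT registry path to HKLM\\... or HKU\\... with the
    user SID removed and any trailing backslash dropped."""
    m = _MACHINE_HIVE.match(path)
    if m:
        return ("HKLM\\" + path[m.end():]).rstrip("\\")
    m = _USER_HIVE.match(path)
    if m:
        return ("HKU\\" + path[m.end():]).rstrip("\\")
    return path.rstrip("\\")


def classify(path):
    """Label for a registry path, or None if it is not one we care about."""
    return _LOOKUP.get(normalise_key(path).lower())


def triage(events):
    """events: iterable of (pid, image, target_object), the shape of a Sysmon
    registry event (IDs 12/13). Returns {pid: {image, labels, verdict}}."""
    per_pid = {}
    for pid, image, target in events:
        entry = per_pid.setdefault(pid, {"image": image, "labels": set()})
        label = classify(target)
        if label:
            entry["labels"].add(label)
    for entry in per_pid.values():
        labels = entry["labels"]
        if labels & EVASION_LABELS:
            entry["verdict"] = "anti_analysis"
        elif labels:
            entry["verdict"] = "discovery_only"
        else:
            entry["verdict"] = "clean"
        entry["labels"] = sorted(labels)
    return per_pid


# Constructed events. The rundrive.exe and sample rows mirror the lookups in
# this report; the explorer.exe row is invented as a benign control.
RUNDRIVE = r"C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe"
SID = "S-1-5-21-4177215427-74451935-3209572229-1000"
SAMPLE_EVENTS = [
    (2860, RUNDRIVE, r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    (2860, RUNDRIVE, r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    (2860, RUNDRIVE, "\\REGISTRY\\USER\\" + SID + "\\Software\\Wine"),
    (2860, RUNDRIVE, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    (2096, SAMPLE, r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    (1234, r"C:\Windows\explorer.exe",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]

if __name__ == "__main__":
    for pid, entry in sorted(triage(SAMPLE_EVENTS).items()):
        print(pid, entry["verdict"], entry["image"], entry["labels"])
```

The split between evasion and discovery labels is the point of the rule: in this report the submitted sample itself only touches NLS\Language, and it is the second-stage binaries (rundrive.exe and the ProgramData drop) that perform the VirtualBox, BIOS and Wine checks, so a rule that fires on the language lookup alone would be noisy without catching anything the evasion labels miss.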

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
N/A | N/A | C:\ProgramData\vhmsjp\uqlg.exe | N/A
N/A | N/A | C:\ProgramData\vhmsjp\uqlg.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe

"C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

"C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe

"C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe"

C:\ProgramData\vhmsjp\uqlg.exe

C:\ProgramData\vhmsjp\uqlg.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp
NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp
LU | 45.59.120.8:80 | 45.59.120.8 | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | towerbingobongoboom.com | udp
US | 213.209.150.137:4000 | towerbingobongoboom.com | tcp
US | 213.209.150.137:4784 | towerbingobongoboom.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

MD5 73636685f823d103c54b30bc457c7f0d
SHA1 597dba03dce00cf6d30b082c80c8f9108ae90ccf
SHA256 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c
SHA512 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7

C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe

MD5 9218e5cad03c752f237ed87a9e52def4
SHA1 0ccddab0d87776d78c613c6e7a6f3bce93ffc3d3
SHA256 833610e95cc965e70096620e0adaa8917963df9f9ec56e00af1ff331161a7971
SHA512 4ca94c23bf82bee5ff5a7f7e318e99c084f7403cdc2e23276087f55620f9e9f988a7a6816fedcd2f853a21fe645c3cc89f7b2f6f05f792b549fd698fd14f5cb3

memory/4556-25-0x0000000000400000-0x0000000000856000-memory.dmp

memory/4556-26-0x0000000000400000-0x0000000000856000-memory.dmp

memory/4556-27-0x0000000000400000-0x0000000000856000-memory.dmp

memory/4556-30-0x0000000000400000-0x0000000000856000-memory.dmp

memory/4556-31-0x0000000000400000-0x0000000000856000-memory.dmp

memory/4556-32-0x0000000000400000-0x0000000000856000-memory.dmp

memory/4556-33-0x0000000000400000-0x0000000000856000-memory.dmp

memory/4556-34-0x0000000000400000-0x0000000000856000-memory.dmp

memory/4556-35-0x0000000000400000-0x0000000000856000-memory.dmp

memory/4556-36-0x0000000000400000-0x0000000000856000-memory.dmp

memory/5016-39-0x0000000000400000-0x0000000000856000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 553c47c4078bfeab9670f95eb2afe16d
SHA1 acd7e9c589a25790581795934264b754e7551ed8
SHA256 0ba71132a0e00f75a209c0c2ce6c70e430bef0f548b5c443a6f845333662f7a8
SHA512 89aae8408bcb049c56c64fa5f9f3cf6d6a74e4f7c24ae4f5a234b46027abad6b854601df13748a9e8189e9a0275e721dd802b38b5f2d102dbccf1caae236d8c6

memory/4556-42-0x0000000000400000-0x0000000000856000-memory.dmp

memory/5016-43-0x0000000000400000-0x0000000000856000-memory.dmp

memory/5016-44-0x0000000000400000-0x0000000000856000-memory.dmp

memory/4556-45-0x0000000000400000-0x0000000000856000-memory.dmp

memory/5016-46-0x0000000000400000-0x0000000000856000-memory.dmp

memory/4556-47-0x0000000000400000-0x0000000000856000-memory.dmp

memory/4556-48-0x0000000000400000-0x0000000000856000-memory.dmp

memory/5016-49-0x0000000000400000-0x0000000000856000-memory.dmp

memory/5016-50-0x0000000000400000-0x0000000000856000-memory.dmp

memory/5016-51-0x0000000000400000-0x0000000000856000-memory.dmp

memory/5016-53-0x0000000000400000-0x0000000000856000-memory.dmp

memory/5016-54-0x0000000000400000-0x0000000000856000-memory.dmp

memory/5016-55-0x0000000000400000-0x0000000000856000-memory.dmp

memory/5016-56-0x0000000000400000-0x0000000000856000-memory.dmp

memory/5016-57-0x0000000000400000-0x0000000000856000-memory.dmp