Malware Analysis Report

2025-04-03 09:30

Sample ID: 250302-pg3mqsvlw5
Target: 73636685f823d103c54b30bc457c7f0d.exe
SHA256: 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c
Tags: a4d2cd amadey systembc defense_evasion discovery trojan
Score: 10/10

Analysis Overview

Score: 10/10
SHA256: 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c

Threat Level: Known bad

The file 73636685f823d103c54b30bc457c7f0d.exe was found to be: Known bad.

Malicious Activity Summary

Tags: a4d2cd amadey systembc defense_evasion discovery trojan

SystemBC
Amadey family
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Identifies Wine through registry keys
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2025-03-02 12:18

Signatures

Amadey family
amadey

Analysis: behavioral1

Detonation Overview

Submitted: 2025-03-02 12:18
Reported: 2025-03-02 12:21
Platform: win7-20240903-en
Max time kernel: 145s
Max time network: 146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe"

Signatures

SystemBC
trojan systembc

Systembc family
systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)
defense_evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\lvpde\fvgabvv.exe | N/A

Downloads MZ/PE file
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A

Checks BIOS information in registry
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\lvpde\fvgabvv.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\lvpde\fvgabvv.exe | N/A

Identifies Wine through registry keys
defense_evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine | C:\ProgramData\lvpde\fvgabvv.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
N/A | N/A | C:\ProgramData\lvpde\fvgabvv.exe | N/A

Drops file in Windows directory
Description | Indicator | Process | Target
File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe | N/A
File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery
discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\lvpde\fvgabvv.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A

Suspicious behavior: EnumeratesProcesses
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
N/A | N/A | C:\ProgramData\lvpde\fvgabvv.exe | N/A

Suspicious use of FindShellTrayWindow
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe | N/A

Suspicious use of WriteProcessMemory
Description | Indicator | Process | Target
PID 2260 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2260 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2260 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2260 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
PID 2988 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe
PID 2988 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe
PID 2988 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe
PID 2988 wrote to memory of 2812 | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe
PID 2384 wrote to memory of 2388 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\lvpde\fvgabvv.exe
PID 2384 wrote to memory of 2388 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\lvpde\fvgabvv.exe
PID 2384 wrote to memory of 2388 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\lvpde\fvgabvv.exe
PID 2384 wrote to memory of 2388 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\lvpde\fvgabvv.exe

Processes

C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe
    "C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
    "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe
    "C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe"

C:\Windows\system32\taskeng.exe
    taskeng.exe {B50D77EF-D78F-4E31-868C-08A0AC66C5B8} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]

C:\ProgramData\lvpde\fvgabvv.exe
    C:\ProgramData\lvpde\fvgabvv.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp
NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp
LU | 45.59.120.8:80 | 45.59.120.8 | tcp
US | 8.8.8.8:53 | towerbingobongoboom.com | udp
US | 213.209.150.137:4000 | towerbingobongoboom.com | tcp
US | 213.209.150.137:4458 | towerbingobongoboom.com | tcp

Files

memory/2260-1-0x0000000000540000-0x0000000000541000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
MD5: 73636685f823d103c54b30bc457c7f0d
SHA1: 597dba03dce00cf6d30b082c80c8f9108ae90ccf
SHA256: 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c
SHA512: 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7

C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe
MD5: 9218e5cad03c752f237ed87a9e52def4
SHA1: 0ccddab0d87776d78c613c6e7a6f3bce93ffc3d3
SHA256: 833610e95cc965e70096620e0adaa8917963df9f9ec56e00af1ff331161a7971
SHA512: 4ca94c23bf82bee5ff5a7f7e318e99c084f7403cdc2e23276087f55620f9e9f988a7a6816fedcd2f853a21fe645c3cc89f7b2f6f05f792b549fd698fd14f5cb3

memory/2988-26-0x0000000004320000-0x0000000004776000-memory.dmp
memory/2988-28-0x0000000004320000-0x0000000004776000-memory.dmp
memory/2812-27-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2812-29-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2812-32-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2988-34-0x0000000004320000-0x0000000004776000-memory.dmp
memory/2812-35-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2812-36-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2812-37-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2812-38-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2812-39-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2812-40-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2812-41-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2388-44-0x0000000000400000-0x0000000000856000-memory.dmp

C:\Windows\Tasks\Test Task17.job
MD5: ea4e49061e46ff1f883a5a0057f6d158
SHA1: 4b42aab80bcfacfc6619ce6659b202509dfaba6a
SHA256: e2847adf2647e771a2649dfb0871210440130607594a415401612c327c8a5c55
SHA512: d776bc43106db21db1114582f4d9819d4fc9d01c1e919b159ec9494298363a0a1f28ef43aea079340e0685b3bf14800cc68acc7272147a67d03bca8bf1da0b85

memory/2812-46-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2812-47-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2388-48-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2388-49-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2388-50-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2388-51-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2388-52-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2388-53-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2388-54-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2388-55-0x0000000000400000-0x0000000000856000-memory.dmp
memory/2388-56-0x0000000000400000-0x0000000000856000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2025-03-02 12:18
Reported: 2025-03-02 12:21
Platform: win10v2004-20250217-en
Max time kernel: 148s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe"

Signatures

SystemBC
trojan systembc

Systembc family
systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)
defense_evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\qxkkec\hpams.exe | N/A

Downloads MZ/PE file
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A

Checks BIOS information in registry
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\qxkkec\hpams.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\qxkkec\hpams.exe | N/A

Checks computer location settings
Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A

Identifies Wine through registry keys
defense_evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-3181990009-820930284-137514597-1000\Software\Wine | C:\ProgramData\qxkkec\hpams.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
N/A | N/A | C:\ProgramData\qxkkec\hpams.exe | N/A

Drops file in Windows directory
Description | Indicator | Process | Target
File created | C:\Windows\Tasks\Gxtuum.job | C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe | N/A
File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery
discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\qxkkec\hpams.exe | N/A

Suspicious behavior: EnumeratesProcesses
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe | N/A
N/A | N/A | C:\ProgramData\qxkkec\hpams.exe | N/A
N/A | N/A | C:\ProgramData\qxkkec\hpams.exe | N/A

Suspicious use of FindShellTrayWindow
Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe
    "C:\Users\Admin\AppData\Local\Temp\73636685f823d103c54b30bc457c7f0d.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
    "C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
    C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe
    "C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe"

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
    C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

C:\ProgramData\qxkkec\hpams.exe
    C:\ProgramData\qxkkec\hpams.exe

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
    C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | cobolrationumelawrtewarms.com | udp
NL | 107.189.27.66:80 | cobolrationumelawrtewarms.com | tcp
LU | 45.59.120.8:80 | 45.59.120.8 | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | towerbingobongoboom.com | udp
US | 213.209.150.137:4000 | towerbingobongoboom.com | tcp
US | 213.209.150.137:4784 | towerbingobongoboom.com | tcp

Files

C:\Users\Admin\AppData\Local\Temp\a58456755d\Gxtuum.exe
MD5: 73636685f823d103c54b30bc457c7f0d
SHA1: 597dba03dce00cf6d30b082c80c8f9108ae90ccf
SHA256: 1edc123e5a8ea5ce814e2759ee38453404d4af72a3577b0af55e8d99fa38ef1c
SHA512: 183d4901a72afc044ef13c3a2cc21f93aefd954665f981c7886afc9019ca7d46f76b3459789dff5721542f2f9e7bbf606d7df68328e772e4c66dc789964f43f7

C:\Users\Admin\AppData\Roaming\10000550100\rundrive.exe
MD5: 9218e5cad03c752f237ed87a9e52def4
SHA1: 0ccddab0d87776d78c613c6e7a6f3bce93ffc3d3
SHA256: 833610e95cc965e70096620e0adaa8917963df9f9ec56e00af1ff331161a7971
SHA512: 4ca94c23bf82bee5ff5a7f7e318e99c084f7403cdc2e23276087f55620f9e9f988a7a6816fedcd2f853a21fe645c3cc89f7b2f6f05f792b549fd698fd14f5cb3

memory/1048-26-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1048-29-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1048-30-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1048-31-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1048-32-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1048-33-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1824-37-0x0000000000400000-0x0000000000856000-memory.dmp

C:\Windows\Tasks\Test Task17.job
MD5: 3b42008da160ae400e9e1802034fd7f3
SHA1: 1700215588eaa86ef26ac93e477fe0b1d8adba85
SHA256: 658bc6360a14a2b541dec549e61cc1e71f56520811e5eda6eff430661192925a
SHA512: 1a80212b85e4c256aae83564305c72218b76897575185b533fca73cf68ce09b85a1cf48ed28a1591745da19fb022a6b74b81700986cc12418086b6525c034e4c

memory/1048-39-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1048-41-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1824-42-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1824-43-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1824-44-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1824-45-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1824-46-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1824-48-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1824-49-0x0000000000400000-0x0000000000856000-memory.dmp
memory/1824-50-0x0000000000400000-0x0000000000856000-memory.dmp