Malware Analysis Report

2025-04-03 09:34

Sample ID 250305-an35hstqw6
Target reloadrive.exe
SHA256 dcb373f73cc5e29881b6c97f753da1db91becee01b5eade03b0fd217d10b4e7d
Tags
systembc defense_evasion discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dcb373f73cc5e29881b6c97f753da1db91becee01b5eade03b0fd217d10b4e7d

Threat Level: Known bad

The file reloadrive.exe was found to be: Known bad.

Malicious Activity Summary

systembc defense_evasion discovery trojan

SystemBC

Systembc family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Identifies Wine through registry keys

Checks BIOS information in registry

Executes dropped EXE

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-05 00:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-05 00:22

Reported

2025-03-05 00:25

Platform

win11-20250217-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\reloadrive.exe"

Signatures

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\reloadrive.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\spocme\cbqwceq.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\spocme\cbqwceq.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\reloadrive.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\reloadrive.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\spocme\cbqwceq.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\spocme\cbqwceq.exe | N/A

Identifies Wine through registry keys

defense_evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\reloadrive.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Software\Wine | C:\ProgramData\spocme\cbqwceq.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | whoer.net | N/A | N/A
N/A | whoer.net | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\reloadrive.exe | N/A
N/A | N/A | C:\ProgramData\spocme\cbqwceq.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\reloadrive.exe | N/A

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\reloadrive.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\spocme\cbqwceq.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\reloadrive.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\reloadrive.exe | N/A
N/A | N/A | C:\ProgramData\spocme\cbqwceq.exe | N/A
N/A | N/A | C:\ProgramData\spocme\cbqwceq.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\reloadrive.exe

"C:\Users\Admin\AppData\Local\Temp\reloadrive.exe"

C:\ProgramData\spocme\cbqwceq.exe

C:\ProgramData\spocme\cbqwceq.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | towerbingobongoboom.com | udp
US | 213.209.150.137:4000 | towerbingobongoboom.com | tcp
US | 213.209.150.137:4644 | towerbingobongoboom.com | tcp
SE | 142.250.74.46:80 | 142.250.74.46 | tcp
US | 104.18.35.25:443 | | tcp
US | 208.74.123.84:443 | | tcp
US | 208.74.123.84:443 | | tcp
US | 66.94.113.90:80 | 66.94.113.90 | tcp
GB | 216.58.213.3:443 | update.googleapis.com | tcp
US | 8.8.8.8:53 | en.wikipedia.org | udp
US | 8.8.8.8:53 | www.tiktok.com | udp
US | 8.8.8.8:53 | www.facebook.com | udp
US | 8.8.8.8:53 | www.ixbrowser.com | udp
US | 8.8.8.8:53 | whoer.net | udp
US | 8.8.8.8:53 | www.amazon.com | udp
GB | 142.250.187.206:443 | clients2.google.com | tcp
GB | 163.70.147.35:443 | www.facebook.com | tcp
US | 104.26.2.223:443 | whoer.net | tcp
US | 66.94.113.90:80 | www.ixbrowser.com | tcp
GB | 104.91.71.143:443 | www.tiktok.com | tcp
NL | 142.250.27.84:443 | accounts.google.com | tcp
NL | 185.15.59.224:443 | en.wikipedia.org | tcp
IE | 13.224.69.51:443 | www.amazon.com | tcp
NL | 142.250.27.84:443 | accounts.google.com | tcp
GB | 216.58.204.68:443 | www.google.com | tcp
GB | 142.250.187.206:443 | clients2.google.com | tcp
GB | 216.58.204.68:443 | www.google.com | tcp
IE | 13.224.69.51:443 | www.amazon.com | tcp
GB | 216.58.204.68:443 | www.google.com | tcp
GB | 216.58.204.68:443 | www.google.com | tcp
GB | 216.58.204.68:443 | www.google.com | tcp
US | 104.18.114.47:443 | fiverr.com | tcp
NL | 142.250.27.84:443 | accounts.google.com | tcp
NL | 142.250.27.84:443 | accounts.google.com | tcp
GB | 216.58.204.68:443 | www.google.com | tcp
US | 104.18.113.47:443 | fiverr.com | tcp
GB | 216.58.204.68:443 | www.google.com | tcp
GB | 142.250.200.10:443 | ogads-pa.clients6.google.com | tcp
GB | 142.250.200.46:443 | play.google.com | tcp
GB | 142.250.200.46:443 | play.google.com | tcp

Files

memory/3900-0-0x0000000000400000-0x0000000000823000-memory.dmp

memory/3900-1-0x0000000076ED6000-0x0000000076ED8000-memory.dmp

memory/3900-2-0x0000000000401000-0x0000000000403000-memory.dmp

memory/3900-3-0x0000000000400000-0x0000000000823000-memory.dmp

memory/3900-6-0x0000000000400000-0x0000000000823000-memory.dmp

memory/3900-7-0x0000000000400000-0x0000000000823000-memory.dmp

memory/3900-8-0x0000000000400000-0x0000000000823000-memory.dmp

memory/3900-9-0x0000000000400000-0x0000000000823000-memory.dmp

memory/3900-10-0x0000000000400000-0x0000000000823000-memory.dmp

C:\ProgramData\spocme\cbqwceq.exe

MD5 8c767708c9a9554c0afb504629e75ffd
SHA1 c65394806c0f77af880c7ff8a021bd4222ca3f11
SHA256 dcb373f73cc5e29881b6c97f753da1db91becee01b5eade03b0fd217d10b4e7d
SHA512 f9531159b45f92db319f351ebf4dadf9ba3c413e87da401a0af81d25a446084ed30dee670462292b989e1c9b0074a3c2ae76bb8a1d992e4407f72360303b4e16

memory/2416-13-0x0000000000400000-0x0000000000823000-memory.dmp

memory/2416-14-0x0000000000400000-0x0000000000823000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 f904f933c6aef90e12e764caa13a1035
SHA1 d682a97cfd483f789c9792cc649962b1a3e8e4eb
SHA256 5e1bf1ab27520e6cbe27767dd27dd8724cc5bf5c7d5ef35d21d833d59b1026c9
SHA512 7721d7812d34741a55d55f935dc277485ca287730ef4fbd6fa7c92823f1031cdf94c5c71cec30c8cc12b28c8da3afdfc1481d56216be3921c26e06dbbf8cc333

memory/2416-16-0x0000000000400000-0x0000000000823000-memory.dmp

memory/3900-17-0x0000000000400000-0x0000000000823000-memory.dmp

memory/2416-18-0x0000000000400000-0x0000000000823000-memory.dmp

memory/2416-19-0x0000000000400000-0x0000000000823000-memory.dmp

memory/2416-20-0x0000000000400000-0x0000000000823000-memory.dmp

memory/2416-21-0x0000000000400000-0x0000000000823000-memory.dmp

memory/3900-22-0x0000000000400000-0x0000000000823000-memory.dmp

memory/2416-23-0x0000000000400000-0x0000000000823000-memory.dmp

memory/3900-24-0x0000000000400000-0x0000000000823000-memory.dmp

memory/2416-25-0x0000000000400000-0x0000000000823000-memory.dmp

memory/3900-26-0x0000000000400000-0x0000000000823000-memory.dmp

memory/2416-27-0x0000000000400000-0x0000000000823000-memory.dmp

memory/3900-28-0x0000000000400000-0x0000000000823000-memory.dmp

memory/3900-29-0x0000000000400000-0x0000000000823000-memory.dmp

memory/2416-30-0x0000000000400000-0x0000000000823000-memory.dmp

memory/2416-31-0x0000000000400000-0x0000000000823000-memory.dmp

memory/2416-32-0x0000000000400000-0x0000000000823000-memory.dmp

memory/2416-33-0x0000000000400000-0x0000000000823000-memory.dmp

memory/2416-34-0x0000000000400000-0x0000000000823000-memory.dmp

memory/2416-35-0x0000000000400000-0x0000000000823000-memory.dmp

memory/2416-36-0x0000000000400000-0x0000000000823000-memory.dmp

memory/2416-37-0x0000000000400000-0x0000000000823000-memory.dmp

memory/2416-38-0x0000000000400000-0x0000000000823000-memory.dmp