Analysis Overview
SHA256: dcb373f73cc5e29881b6c97f753da1db91becee01b5eade03b0fd217d10b4e7d
Threat Level: Known bad
The file reloadrive.exe was found to be: Known bad.
Malicious Activity Summary
SystemBC
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Identifies Wine through registry keys
Checks BIOS information in registry
Executes dropped EXE
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2025-03-05 00:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2025-03-05 00:22
Reported: 2025-03-05 00:25
Platform: win11-20250217-en
Max time kernel: 149s
Max time network: 151s
Command Line
Signatures
SystemBC
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\reloadrive.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\spocme\cbqwceq.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\spocme\cbqwceq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\reloadrive.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\reloadrive.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\spocme\cbqwceq.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\spocme\cbqwceq.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\reloadrive.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-112184765-1670301065-1210615588-1000\Software\Wine | C:\ProgramData\spocme\cbqwceq.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whoer.net | N/A | N/A |
| N/A | whoer.net | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\reloadrive.exe | N/A |
| N/A | N/A | C:\ProgramData\spocme\cbqwceq.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\reloadrive.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\reloadrive.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\spocme\cbqwceq.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\reloadrive.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\reloadrive.exe | N/A |
| N/A | N/A | C:\ProgramData\spocme\cbqwceq.exe | N/A |
| N/A | N/A | C:\ProgramData\spocme\cbqwceq.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\reloadrive.exe
"C:\Users\Admin\AppData\Local\Temp\reloadrive.exe"
C:\ProgramData\spocme\cbqwceq.exe
C:\ProgramData\spocme\cbqwceq.exe
Network
Files
C:\ProgramData\spocme\cbqwceq.exe
| MD5 | 8c767708c9a9554c0afb504629e75ffd |
| SHA1 | c65394806c0f77af880c7ff8a021bd4222ca3f11 |
| SHA256 | dcb373f73cc5e29881b6c97f753da1db91becee01b5eade03b0fd217d10b4e7d |
| SHA512 | f9531159b45f92db319f351ebf4dadf9ba3c413e87da401a0af81d25a446084ed30dee670462292b989e1c9b0074a3c2ae76bb8a1d992e4407f72360303b4e16 |
C:\Windows\Tasks\Test Task17.job
| MD5 | f904f933c6aef90e12e764caa13a1035 |
| SHA1 | d682a97cfd483f789c9792cc649962b1a3e8e4eb |
| SHA256 | 5e1bf1ab27520e6cbe27767dd27dd8724cc5bf5c7d5ef35d21d833d59b1026c9 |
| SHA512 | 7721d7812d34741a55d55f935dc277485ca287730ef4fbd6fa7c92823f1031cdf94c5c71cec30c8cc12b28c8da3afdfc1481d56216be3921c26e06dbbf8cc333 |