Malware Analysis Report

2025-04-03 09:30

Sample ID 250305-qm8xdazsbw
Target SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe
SHA256 dcb373f73cc5e29881b6c97f753da1db91becee01b5eade03b0fd217d10b4e7d
Tags systembc defense_evasion discovery trojan
Score 10/10

Analysis Overview

Score
10/10

SHA256

dcb373f73cc5e29881b6c97f753da1db91becee01b5eade03b0fd217d10b4e7d

Threat Level: Known bad

The file SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe was found to be: Known bad.

Malicious Activity Summary

systembc defense_evasion discovery trojan

SystemBC

Systembc family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Identifies Wine through registry keys

Executes dropped EXE

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-05 13:23

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-05 13:23

Reported

2025-03-05 13:26

Platform

win10v2004-20250217-en

Max time kernel

148s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe"

Signatures

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\gededle\kjiknxf.exe | N/A |

Checks BIOS information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\gededle\kjiknxf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\gededle\kjiknxf.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\gededle\kjiknxf.exe | N/A |

Identifies Wine through registry keys

defense_evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine | C:\ProgramData\gededle\kjiknxf.exe | N/A |

Suspicious use of NtSetInformationThreadHideFromDebugger

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| N/A | N/A | C:\ProgramData\gededle\kjiknxf.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\gededle\kjiknxf.exe | N/A |

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe"

C:\ProgramData\gededle\kjiknxf.exe

C:\ProgramData\gededle\kjiknxf.exe

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| US | 213.209.150.137:4000 | towerbingobongoboom.com | tcp |
| US | 213.209.150.137:4249 | towerbingobongoboom.com | tcp |

Files

C:\ProgramData\gededle\kjiknxf.exe

MD5 8c767708c9a9554c0afb504629e75ffd
SHA1 c65394806c0f77af880c7ff8a021bd4222ca3f11
SHA256 dcb373f73cc5e29881b6c97f753da1db91becee01b5eade03b0fd217d10b4e7d
SHA512 f9531159b45f92db319f351ebf4dadf9ba3c413e87da401a0af81d25a446084ed30dee670462292b989e1c9b0074a3c2ae76bb8a1d992e4407f72360303b4e16

C:\Windows\Tasks\Test Task17.job

MD5 e1b2555ee154babda1db731898bf2113
SHA1 1fec0a1b93e07d9fa73b3dd5512c96c65aafdd27
SHA256 639a7f46e5b167bdc22050a74296fa3484423314bc9442d11fecfa10aea012dd
SHA512 3769e92ed3336c11df052d67da3ba186140e5217efd2d683759adb3bd066a160b099b7f8e26f362aa2dd42185db2c2aef704b3bedc8a168ef3fef328ca7c9d18

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-05 13:23

Reported

2025-03-05 13:26

Platform

win7-20240903-en

Max time kernel

148s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe"

Signatures

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\nenpjl\afmu.exe | N/A |

Checks BIOS information in registry

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\nenpjl\afmu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\nenpjl\afmu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ProgramData\nenpjl\afmu.exe | N/A |

Identifies Wine through registry keys

defense_evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | C:\ProgramData\nenpjl\afmu.exe | N/A |

Suspicious use of NtSetInformationThreadHideFromDebugger

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| N/A | N/A | C:\ProgramData\nenpjl\afmu.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\nenpjl\afmu.exe | N/A |

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| N/A | N/A | C:\ProgramData\nenpjl\afmu.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2732 wrote to memory of 2808 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\nenpjl\afmu.exe |
| PID 2732 wrote to memory of 2808 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\nenpjl\afmu.exe |
| PID 2732 wrote to memory of 2808 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\nenpjl\afmu.exe |
| PID 2732 wrote to memory of 2808 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\nenpjl\afmu.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {67060C41-8D9D-42E1-8A5E-11F7351700E4} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]

C:\ProgramData\nenpjl\afmu.exe

C:\ProgramData\nenpjl\afmu.exe

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| US | 213.209.150.137:4000 | towerbingobongoboom.com | tcp |
| US | 213.209.150.137:4227 | towerbingobongoboom.com | tcp |

Files

C:\ProgramData\nenpjl\afmu.exe

MD5 8c767708c9a9554c0afb504629e75ffd
SHA1 c65394806c0f77af880c7ff8a021bd4222ca3f11
SHA256 dcb373f73cc5e29881b6c97f753da1db91becee01b5eade03b0fd217d10b4e7d
SHA512 f9531159b45f92db319f351ebf4dadf9ba3c413e87da401a0af81d25a446084ed30dee670462292b989e1c9b0074a3c2ae76bb8a1d992e4407f72360303b4e16

C:\Windows\Tasks\Test Task17.job

MD5 83e0683daf1c1325854d01136815b118
SHA1 0a5d3db62b1f12d8c9e29e8d3f77d50dd03e2fd3
SHA256 7a7a7f8587dfafddc99ac19cf2865ba7a64c63aac2aaeae528db769aa55e191a
SHA512 ff296d2039735803d29fa6a09473adc5e4b24d6936f36d5141312fb71e8f0ef1dc78aeb0cfc9c370e21d022be5fb4525a7447d27dba1f449d9a217097da1bafb
