Analysis Overview
SHA256
dcb373f73cc5e29881b6c97f753da1db91becee01b5eade03b0fd217d10b4e7d
Threat Level: Known bad
The file SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe was found to be: Known bad.
Malicious Activity Summary
SystemBC
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Identifies Wine through registry keys
Executes dropped EXE
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-03-05 13:23
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2025-03-05 13:23
Reported
2025-03-05 13:26
Platform
win10v2004-20250217-en
Max time kernel
148s
Max time network
142s
Command Line
Signatures
SystemBC
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\gededle\kjiknxf.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\gededle\kjiknxf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\gededle\kjiknxf.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\gededle\kjiknxf.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Wine | C:\ProgramData\gededle\kjiknxf.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| N/A | N/A | C:\ProgramData\gededle\kjiknxf.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\gededle\kjiknxf.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| N/A | N/A | C:\ProgramData\gededle\kjiknxf.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe"
C:\ProgramData\gededle\kjiknxf.exe
C:\ProgramData\gededle\kjiknxf.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| US | 213.209.150.137:4000 | towerbingobongoboom.com | tcp |
| US | 213.209.150.137:4249 | towerbingobongoboom.com | tcp |
Files
C:\ProgramData\gededle\kjiknxf.exe
| MD5 | 8c767708c9a9554c0afb504629e75ffd |
| SHA1 | c65394806c0f77af880c7ff8a021bd4222ca3f11 |
| SHA256 | dcb373f73cc5e29881b6c97f753da1db91becee01b5eade03b0fd217d10b4e7d |
| SHA512 | f9531159b45f92db319f351ebf4dadf9ba3c413e87da401a0af81d25a446084ed30dee670462292b989e1c9b0074a3c2ae76bb8a1d992e4407f72360303b4e16 |
memory/2116-10-0x0000000000400000-0x0000000000823000-memory.dmp
memory/5024-9-0x0000000000400000-0x0000000000823000-memory.dmp
C:\Windows\Tasks\Test Task17.job
| MD5 | e1b2555ee154babda1db731898bf2113 |
| SHA1 | 1fec0a1b93e07d9fa73b3dd5512c96c65aafdd27 |
| SHA256 | 639a7f46e5b167bdc22050a74296fa3484423314bc9442d11fecfa10aea012dd |
| SHA512 | 3769e92ed3336c11df052d67da3ba186140e5217efd2d683759adb3bd066a160b099b7f8e26f362aa2dd42185db2c2aef704b3bedc8a168ef3fef328ca7c9d18 |
Analysis: behavioral1
Detonation Overview
Submitted
2025-03-05 13:23
Reported
2025-03-05 13:26
Platform
win7-20240903-en
Max time kernel
148s
Max time network
140s
Command Line
Signatures
SystemBC
Systembc family
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\ProgramData\nenpjl\afmu.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\ProgramData\nenpjl\afmu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\ProgramData\nenpjl\afmu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\nenpjl\afmu.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Wine | C:\ProgramData\nenpjl\afmu.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| N/A | N/A | C:\ProgramData\nenpjl\afmu.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Tasks\Test Task17.job | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\nenpjl\afmu.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe | N/A |
| N/A | N/A | C:\ProgramData\nenpjl\afmu.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2732 wrote to memory of 2808 | N/A | C:\Windows\system32\taskeng.exe | C:\ProgramData\nenpjl\afmu.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MulDrop29.15967.25640.16156.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {67060C41-8D9D-42E1-8A5E-11F7351700E4} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
C:\ProgramData\nenpjl\afmu.exe
C:\ProgramData\nenpjl\afmu.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | towerbingobongoboom.com | udp |
| US | 213.209.150.137:4000 | towerbingobongoboom.com | tcp |
| US | 213.209.150.137:4227 | towerbingobongoboom.com | tcp |
Files
C:\ProgramData\nenpjl\afmu.exe
| MD5 | 8c767708c9a9554c0afb504629e75ffd |
| SHA1 | c65394806c0f77af880c7ff8a021bd4222ca3f11 |
| SHA256 | dcb373f73cc5e29881b6c97f753da1db91becee01b5eade03b0fd217d10b4e7d |
| SHA512 | f9531159b45f92db319f351ebf4dadf9ba3c413e87da401a0af81d25a446084ed30dee670462292b989e1c9b0074a3c2ae76bb8a1d992e4407f72360303b4e16 |
memory/2808-9-0x0000000000400000-0x0000000000823000-memory.dmp
memory/3020-10-0x0000000000400000-0x0000000000823000-memory.dmp
memory/2808-11-0x0000000000400000-0x0000000000823000-memory.dmp
C:\Windows\Tasks\Test Task17.job
| MD5 | 83e0683daf1c1325854d01136815b118 |
| SHA1 | 0a5d3db62b1f12d8c9e29e8d3f77d50dd03e2fd3 |
| SHA256 | 7a7a7f8587dfafddc99ac19cf2865ba7a64c63aac2aaeae528db769aa55e191a |
| SHA512 | ff296d2039735803d29fa6a09473adc5e4b24d6936f36d5141312fb71e8f0ef1dc78aeb0cfc9c370e21d022be5fb4525a7447d27dba1f449d9a217097da1bafb |