Malware Analysis Report

2025-04-03 09:18

Sample ID 250306-zf2zxsw1gw
Target cubrodriver.exe
SHA256 c13d59dc2e8ee1cbdb8016de0fb3b374f827406fa5d2d1aa4a2820170816d131
Tags
systembc defense_evasion discovery trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c13d59dc2e8ee1cbdb8016de0fb3b374f827406fa5d2d1aa4a2820170816d131

Threat Level: Known bad

The file cubrodriver.exe was found to be: Known bad.

Malicious Activity Summary

systembc defense_evasion discovery trojan

SystemBC

Systembc family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Identifies Wine through registry keys

Checks BIOS information in registry

Executes dropped EXE

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-06 20:40

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-06 20:40

Reported

2025-03-06 20:42

Platform

win10v2004-20250217-en

Max time kernel

144s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cubrodriver.exe"

Signatures

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\cubrodriver.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\stibv\abeino.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\cubrodriver.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\cubrodriver.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\stibv\abeino.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\stibv\abeino.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\stibv\abeino.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine C:\ProgramData\stibv\abeino.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\cubrodriver.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cubrodriver.exe N/A
N/A N/A C:\ProgramData\stibv\abeino.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\cubrodriver.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cubrodriver.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\stibv\abeino.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cubrodriver.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cubrodriver.exe N/A
N/A N/A C:\ProgramData\stibv\abeino.exe N/A
N/A N/A C:\ProgramData\stibv\abeino.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\cubrodriver.exe

"C:\Users\Admin\AppData\Local\Temp\cubrodriver.exe"

C:\ProgramData\stibv\abeino.exe

C:\ProgramData\stibv\abeino.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 towerbingobongoboom.com udp
US 213.209.150.137:4000 towerbingobongoboom.com tcp
US 213.209.150.137:4361 towerbingobongoboom.com tcp
US 150.171.28.10:443 tcp
US 150.171.28.10:443 tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/1840-0-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1840-1-0x00000000773A4000-0x00000000773A6000-memory.dmp

memory/1840-2-0x0000000000401000-0x0000000000403000-memory.dmp

memory/1840-3-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1840-6-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1840-7-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1840-9-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1840-10-0x0000000000400000-0x0000000000840000-memory.dmp

C:\ProgramData\stibv\abeino.exe

MD5 190272ebd2e82a80b242b1bdd442b859
SHA1 fceb12a205c28c30b2049c55924a9872a1a3eb71
SHA256 c13d59dc2e8ee1cbdb8016de0fb3b374f827406fa5d2d1aa4a2820170816d131
SHA512 f3b30d8ea2dd2c451a042b4ed7a9e98d2bcfbb86a88bec2d672a3e1ae6ab3932daf8987eef872e6adb11144f92b9954ac6f6ce67e24a2bc391d7b34ebef876ae

memory/2288-13-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2288-14-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2288-15-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 e57a5814a546cb57cf9b52b6b509b7a0
SHA1 22fc9beb57fa3e0197da2cdbd3801a2d727c045a
SHA256 7af07e5448d3a288d9d360db9773c1bb2e14285bab991dec794750431a4687a6
SHA512 e755aaa1f9c1646d148692bca111f3b0fcbb9aa140d2a11794ce48a30ffe5f3cb421ffaac822e38c47a19eef5308a1fae2c1c336a1ddefb128f7f7b1619b92ab

memory/1840-17-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2288-18-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2288-19-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2288-20-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1840-21-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2288-22-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1840-23-0x0000000000400000-0x0000000000840000-memory.dmp

memory/1840-25-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2288-26-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2288-27-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2288-28-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2288-29-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2288-30-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2288-31-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2288-32-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2288-33-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2288-34-0x0000000000400000-0x0000000000840000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-06 20:40

Reported

2025-03-06 20:42

Platform

win7-20240729-en

Max time kernel

144s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cubrodriver.exe"

Signatures

SystemBC

trojan systembc

Systembc family

systembc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\ProgramData\ehlh\itcub.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\cubrodriver.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\ProgramData\ehlh\itcub.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\cubrodriver.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\cubrodriver.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\ProgramData\ehlh\itcub.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\ehlh\itcub.exe N/A

Identifies Wine through registry keys

defense_evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\cubrodriver.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Wine C:\ProgramData\ehlh\itcub.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cubrodriver.exe N/A
N/A N/A C:\ProgramData\ehlh\itcub.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Test Task17.job C:\Users\Admin\AppData\Local\Temp\cubrodriver.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cubrodriver.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\ProgramData\ehlh\itcub.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cubrodriver.exe N/A
N/A N/A C:\ProgramData\ehlh\itcub.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2572 wrote to memory of 2436 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\ehlh\itcub.exe
PID 2572 wrote to memory of 2436 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\ehlh\itcub.exe
PID 2572 wrote to memory of 2436 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\ehlh\itcub.exe
PID 2572 wrote to memory of 2436 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\ehlh\itcub.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cubrodriver.exe

"C:\Users\Admin\AppData\Local\Temp\cubrodriver.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {90A41DA8-8A1A-4373-8399-9C4D2A538C52} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]

C:\ProgramData\ehlh\itcub.exe

C:\ProgramData\ehlh\itcub.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 towerbingobongoboom.com udp
US 213.209.150.137:4000 towerbingobongoboom.com tcp
US 213.209.150.137:4151 towerbingobongoboom.com tcp

Files

memory/2668-0-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2668-1-0x0000000077200000-0x0000000077202000-memory.dmp

memory/2668-2-0x0000000000401000-0x0000000000403000-memory.dmp

memory/2668-4-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2668-6-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2668-7-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2668-8-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2668-9-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2668-10-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2668-11-0x0000000000400000-0x0000000000840000-memory.dmp

C:\ProgramData\ehlh\itcub.exe

MD5 190272ebd2e82a80b242b1bdd442b859
SHA1 fceb12a205c28c30b2049c55924a9872a1a3eb71
SHA256 c13d59dc2e8ee1cbdb8016de0fb3b374f827406fa5d2d1aa4a2820170816d131
SHA512 f3b30d8ea2dd2c451a042b4ed7a9e98d2bcfbb86a88bec2d672a3e1ae6ab3932daf8987eef872e6adb11144f92b9954ac6f6ce67e24a2bc391d7b34ebef876ae

memory/2436-14-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2436-15-0x0000000000400000-0x0000000000840000-memory.dmp

C:\Windows\Tasks\Test Task17.job

MD5 4e8b38d5c8b68f3da9b21f7516de5b7e
SHA1 81db85f27483d00e2bd50e8d70697fd78d396464
SHA256 11aa4c103fbcfbe7d0fc148ec4b389893cade67279314d9ecea9a773cc58a7d8
SHA512 3c2fe4699dd44fba9d3c2a9f346294aad0f83e83a55c0ebfb8c59b0a8a43fb523ee606f08eb6128cf71ac8c3a161cb367526d9db9bf60d7099178b42640e088b

memory/2436-17-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2436-19-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2668-18-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2436-20-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2436-21-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2668-22-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2436-23-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2668-24-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2668-25-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2436-26-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2436-27-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2436-28-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2436-29-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2436-30-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2436-31-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2436-32-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2436-33-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2436-34-0x0000000000400000-0x0000000000840000-memory.dmp

memory/2436-35-0x0000000000400000-0x0000000000840000-memory.dmp