Resubmissions
12-05-2022 21:08    220512-zzbl3sabg3    10
10-05-2022 12:31    220510-pp1hcabehk    10
04-05-2022 21:07    220504-zynv1shdfj    10

Analysis
max time kernel: 45s
max time network: 49s
platform: windows7_x64
resource: win7-20220414-en
submitted: 04-05-2022 21:07
Static task: static1
General
Target: 15.dll
Size: 3.7MB
MD5: 8c85cc84e654fa7d4222e8c68dff334f
SHA1: 9d8a1d0e1854d2f39e012b39df4651cb11663ca4
SHA256: 897bf7aaeee44df44e04fb6b0a276d0be76298569252fe157a39d6071a17631c
SHA512: d0e57b9617c9decab2542b4eec79da7191c4e381d4915b2ce5aa6ab71f1e7b7b8597869563a9219ca1b6fe177e50e392e2d44cf835f9f012d5b129b736f18d7e
Malware Config
Extracted
Family: bumblebee
C2:
  23.82.128.149:443
  108.62.12.203:443
Attributes:
  group_id: mc405
  BLACK
Signatures
- Enumerates VirtualBox registry keys (2 TTPs)
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 3 IoCs)
  BIOS information is often read in order to detect sandboxing environments.

  description          ioc                                                               Process
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion   rundll32.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion    rundll32.exe
  Key value queried    \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate      rundll32.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  description    ioc                                                                                Process
  Key opened     \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Wine       rundll32.exe
- Suspicious behavior: EnumeratesProcesses (41 IoCs)

  pid    Process
  976    rundll32.exe
  (the same pid/process row is reported for all 41 IoCs)