Analysis
-
max time kernel
77s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
06/05/2022, 20:35
General
-
Target
kiol5.dll
-
Size
3.7MB
-
MD5
6b893e5b5a93f937052dd9fb2c3cf2e1
-
SHA1
3f62cfb46538a1d4b00a0a7cbbd74d1f96fdbb34
-
SHA256
592bca0ed73c7705815562d5dc3716bdfd6558b0e3ced8c90e93acfdf6f03b58
-
SHA512
5eae69c68f422b59095bb7a5701c97348ffb0d70b3724f160fa87917eb4d4c5bbbe467363afd5c846b4abf7caa3db8e9721d51f078f5c565ec6bd380fd64df62
Score
10/10
Malware Config
Extracted
Family
bumblebee
C2
64.44.141.177:443
104.168.218.225:443
68.233.238.126:443
206.54.190.170:443
23.83.133.13:443
Attributes
-
group_id
0605r
9Ydun9zWUm
Signatures
-
BumbleBee
BumbleBee is a webshell malware written in C++.
-
Enumerates VirtualBox registry keys 2 TTPs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\kiol5.dll,#11⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.3MB
-
Filesize
64KB