Analysis
-
max time kernel
43s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
09-05-2022 19:46
Static task
static1
Behavioral task
behavioral1
Sample
ramest.dll
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
ramest.dll
Resource
win10v2004-20220414-en
General
-
Target
ramest.dll
-
Size
1.3MB
-
MD5
485b65ea3f28d1cd17cd4339662e048a
-
SHA1
13da23476ed7c8211fa49380176eabb17c1a9408
-
SHA256
4c9ffef418385fdd0aa0e6ea1c0e29f3a7a4af51fbcfd011d0797d6e62c8ccfe
-
SHA512
5a7ec093b452a26755b5a64b5606a9ae05710199a23d63cdde571d5c00a80efd8646d35c5775a8234f155ee011ef8c3a12a3c64669525d6397f200d5fef961f0
Malware Config
Extracted
bumblebee
0905r
23.227.203.120:443
51.83.253.244:443
23.227.198.195:443
146.70.106.92:443
Signatures
-
Enumerates VirtualBox registry keys 2 TTPs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\SOFTWARE\Wine rundll32.exe -
Suspicious behavior: EnumeratesProcesses 41 IoCs
pid Process 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe 1592 rundll32.exe