Analysis
-
max time kernel
11s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
09/06/2022, 08:25
General
-
Target
denev3r.dll
-
Size
1.6MB
-
MD5
69cd7700a687c190dcf824fee2a022b0
-
SHA1
2ee9d9dbca105772c8320ef4bfd437d9bf6664d0
-
SHA256
21bd2c88898f8fea3ba9dddb1c9e3cfb8f279d884099830dbda16acdde273587
-
SHA512
77b12b707ea334cde153a526d879086068f4134178b190b466e48c9c439828087a32187601879a095afeea33923a37de2345804b6c8d5eb478e45a28c0c0db25
Malware Config
Extracted
bumblebee
7rr
103.175.16.107:443
194.135.33.149:443
154.56.0.241:443
23.254.201.97:443
45.147.229.101:443
185.62.58.169:443
192.236.249.68:443
193.239.84.254:443
37.120.198.248:443
146.19.173.139:443
46.21.153.145:443
149.255.35.134:443
45.147.229.50:443
212.114.52.46:443
103.175.16.122:443
146.19.253.49:443
68.233.238.105:443
64.44.135.250:443
103.175.16.121:443
64.44.102.6:443
Signatures
-
BumbleBee
BumbleBee is a webshell malware written in C++.
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\denev3r.dll1⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
1.1MB
-
Filesize
1.1MB