Analysis
-
max time kernel
91s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
11/06/2022, 12:15
Static task
static1
Behavioral task
behavioral1
Sample
69kwq90.dll
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
69kwq90.dll
Resource
win10v2004-20220414-en
windows10-2004_x64
0 signatures
0 seconds
Behavioral task
behavioral3
Sample
documents.lnk
Resource
win7-20220414-en
windows7_x64
0 signatures
0 seconds
General
-
Target
documents.lnk
-
Size
1KB
-
MD5
ce056650c27a20d66184651450d7c989
-
SHA1
7752f3b03c95020958032daec1aebf16aca9eae5
-
SHA256
83b4471ad3049c8b8b6fed5231de4a93add014dfd4b46ff4d207c5a35602667e
-
SHA512
8e498ee2413fe9d0034ce70d1e83ef1d36ca137c9af2d8263d74a30d2a26f2516084db97066359f599392197a0c35a1d231142213f8cdad90131e2ff5169cf2a
Malware Config
Extracted
Family
bumblebee
Botnet
2704r
C2
108.62.118.61:443
23.227.198.217:443
89.44.9.135:443
rc4.plain
Signatures
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF rundll32.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ rundll32.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions rundll32.exe -
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation cmd.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Wine rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe 1872 rundll32.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4776 wrote to memory of 5064 4776 cmd.exe 80 PID 4776 wrote to memory of 5064 4776 cmd.exe 80 PID 5064 wrote to memory of 1872 5064 cmd.exe 81 PID 5064 wrote to memory of 1872 5064 cmd.exe 81
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start rundll32.exe 69kwq90.dll,ZmJwfQQnqA2⤵
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\system32\rundll32.exerundll32.exe 69kwq90.dll,ZmJwfQQnqA3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID:1872
-
-