Analysis
-
max time kernel
41s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
14/06/2022, 20:59
General
-
Target
timi4r.dll
-
Size
1.7MB
-
MD5
c2431e5037bdcbc7573520ea8c99ff87
-
SHA1
8a4f5bcb62f7eb290fd4c903eb15ff58be9f5aa5
-
SHA256
6aa4da1ac218390e6cb97bcc7c5483ab4815c5e5b075ea86da8f123d25e9832d
-
SHA512
46452afb80f78f8a7b4c120cac8071e4e7e5e13f03663901c901aa20f7df4a1091ad2f55970087e5c3151115df206e0e09764655d22671535973b1eb2395c7fa
Malware Config
Extracted
bumblebee
1406r
39.57.152.217:440
69.161.201.181:382
244.6.154.71:111
193.233.203.156:443
221.106.84.123:307
194.135.33.148:443
111.99.39.11:387
223.243.46.133:147
48.165.175.199:316
78.89.31.86:229
157.17.142.85:406
90.81.8.16:370
21.29.238.98:209
154.56.0.252:443
103.175.16.108:443
188.57.4.52:357
15.209.19.148:466
160.70.24.228:486
33.145.184.132:240
235.126.132.170:106
Signatures
-
BumbleBee
BumbleBee is a webshell malware written in C++.
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\timi4r.dll,#11⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB