Analysis
-
max time kernel
90s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20/06/2022, 08:59
Static task
static1
Behavioral task
behavioral1
Sample
toso3l.dll
Resource
win7-20220414-en
windows7_x64
General
-
Target
toso3l.dll
-
Size
1.7MB
-
MD5
d6a09a35b18a25b756fd0a2cfe18ecf1
-
SHA1
d14985b445752dbd84698ea9132d597aecf495c7
-
SHA256
47a9ee143d413413a5f92a39d07c02dcd93f379387b1b6a0d26ed978a2c6425c
-
SHA512
f438c7adcec7f691b86c90156ef9816df69cb94323fe0c3ebb502f98d8ce4c6ed0878dcf666a7b56f96f36b5727ed3521cb2d237aecfed02db051c2973d6361b
Malware Config
Extracted
bumblebee
1406r
39.57.152.217:440
69.161.201.181:382
244.6.154.71:111
193.233.203.156:443
221.106.84.123:307
194.135.33.148:443
111.99.39.11:387
223.243.46.133:147
48.165.175.199:316
78.89.31.86:229
157.17.142.85:406
90.81.8.16:370
21.29.238.98:209
154.56.0.252:443
103.175.16.108:443
188.57.4.52:357
15.209.19.148:466
160.70.24.228:486
33.145.184.132:240
235.126.132.170:106
171.78.101.85:258
188.6.218.149:317
123.67.113.210:483
115.109.212.139:461
167.28.27.185:467
185.62.58.133:443
133.57.116.243:424
47.58.200.234:159
142.182.181.207:450
57.240.143.90:256
158.35.83.74:332
135.253.243.175:300
34.229.154.31:235
104.168.219.94:443
48.209.106.172:357
68.227.158.172:411
80.9.246.19:338
45.153.241.187:443
145.239.135.155:443
188.104.94.69:348
246.20.199.100:175
80.26.101.48:372
22.83.186.45:201
146.70.125.82:443
216.254.58.191:443
80.156.1.202:305
107.44.53.47:330
67.136.243.43:323
172.244.110.160:367
Signatures
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse rundll32.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ rundll32.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions rundll32.exe -
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate rundll32.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Wine rundll32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe 568 rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\toso3l.dll,#11⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID:568