Analysis
  max time kernel: 135s
  max time network: 156s
  platform: windows10-2004_x64
  resource: win10v2004-20220414-en
  submitted: 21/06/2022, 16:28
Tasks
  Static task static1
  Behavioral task behavioral1: sample s3negar/documents.lnk, resource win7-20220414-en
  Behavioral task behavioral2: sample s3negar/documents.lnk, resource win10v2004-20220414-en
  Behavioral task behavioral3: sample s3negar/s3negar.dll, resource win7-20220414-en
  Behavioral task behavioral4: sample s3negar/s3negar.dll, resource win10v2004-20220414-en
General
  Target: s3negar/documents.lnk
  Size: 2KB
  MD5: 1d43bbd7301e12a5047c10f1938a4e41
  SHA1: 5088ef29327d60651678cadc8e00e3cca95c4dfb
  SHA256: 26f55122d1ab31238ceb46e816717c50dd2aad69a991ef79f5a4824bbe96b921
  SHA512: 826257ff28350eb645ed68f8fcf87a02d267b2594ee37963478807aeec391a5840977b80719882681eb29183206bc0d5936e92e31fdc4dfc0154b147edcc0570
Malware Config
  Extracted: bumblebee
  2006r
Signatures

Enumerates VirtualBox registry keys (2 TTPs, 5 IoCs)
  description            ioc                                                          Process
  Key opened             \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest    rundll32.exe
  Key opened             \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse    rundll32.exe
  Key opened             \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService  rundll32.exe
  Key opened             \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF       rundll32.exe
  Key opened             \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo    rundll32.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
  description            ioc                                                          Process
  Key opened             \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__                  rundll32.exe
  Key opened             \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__                  rundll32.exe
  Key opened             \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__                  rundll32.exe

Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  description            ioc                                                          Process
  Key opened             \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions rundll32.exe

Checks BIOS information in registry (2 TTPs, 3 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description            ioc                                                          Process
  Key value queried      \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate     rundll32.exe
  Key value queried      \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  rundll32.exe
  Key value queried      \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   rundll32.exe

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description            ioc                                                          Process
  Key value queried      \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation  cmd.exe

Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description            ioc                                                          Process
  Key opened             \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Wine  rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid     Process
  5072    rundll32.exe   (the same entry is repeated 64 times)

Suspicious use of WriteProcessMemory (2 IoCs)
  description                          pid     Process   procid_target
  PID 4536 wrote to memory of 5072     4536    cmd.exe   82
  PID 4536 wrote to memory of 5072     4536    cmd.exe   82
Processes

C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\s3negar\documents.lnk
  PID: 4536
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" s3negar.dll,UzduUOtRZB
    PID: 5072
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Looks for VirtualBox Guest Additions in registry
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious behavior: EnumeratesProcesses