Analysis
-
max time kernel
92s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21/06/2022, 18:54
Static task
static1
Behavioral task
behavioral1
Sample
nev3erl.dll
Resource
win7-20220414-en
windows7_x64
General
-
Target
nev3erl.dll
-
Size
1.5MB
-
MD5
b2f7a41d9cd91487b53e4c53d5814ead
-
SHA1
ecde51a37f8f61b4afc7ef5c7ea0c4fd965ca079
-
SHA256
aa51cae27b9fb466ee5975014e621a7f75babc766d6d5311bfd1be3c6d92c657
-
SHA512
447057e4a90b70e93f4600015d5d6b8a141ab641cf9670fe66d9915994bd9e7eff40938703199a7dbfe594c2ee41e7752db65b5ffa5bce7f7e8bb89128441bbe
Malware Config
Extracted
bumblebee
156r
249.241.29.24:181
124.243.81.221:274
142.11.216.143:443
190.123.237.229:261
208.84.180.22:146
103.175.16.106:443
18.8.71.243:176
37.64.220.2:332
100.93.33.185:487
182.62.4.186:282
239.100.121.57:329
228.78.147.191:253
212.234.34.219:148
138.65.77.29:391
55.14.133.44:292
221.238.146.116:272
91.167.137.83:421
66.23.70.38:168
183.37.64.159:220
241.112.226.151:197
253.174.222.210:447
78.90.18.29:383
185.94.100.232:189
208.231.162.191:266
0.42.131.123:144
49.57.156.149:228
103.175.16.107:443
109.108.10.35:386
177.231.94.146:410
78.79.38.95:496
231.169.5.102:403
141.98.168.70:443
45.153.241.234:443
238.42.54.122:171
194.135.33.16:443
26.6.83.53:219
241.54.78.154:269
3.172.226.46:189
203.138.139.122:404
80.241.131.170:311
132.44.27.212:299
146.19.173.105:443
213.115.131.233:186
222.62.166.76:206
127.87.0.227:339
2.190.89.140:236
98.84.87.52:353
Signatures
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse rundll32.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ rundll32.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions rundll32.exe -
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate rundll32.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Wine rundll32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe 1936 rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\nev3erl.dll,#11⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID:1936