Analysis
-
max time kernel
91s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
23/06/2022, 14:20
Static task
static1
Behavioral task
behavioral1
Sample
docum.bat
Resource
win7-20220414-en
windows7_x64
Behavioral task
behavioral2
Sample
docum.bat
Resource
win10v2004-20220414-en
windows10-2004_x64
Behavioral task
behavioral3
Sample
documents.lnk
Resource
win7-20220414-en
windows7_x64
Behavioral task
behavioral4
Sample
documents.lnk
Resource
win10v2004-20220414-en
windows10-2004_x64
Behavioral task
behavioral5
Sample
parelmo2.dll
Resource
win7-20220414-en
windows7_x64
General
-
Target
documents.lnk
-
Size
2KB
-
MD5
c89d0d285c1a7e2433849b541ddd6dcd
-
SHA1
92b348df912a354fafc6788403bd6dc9f081a923
-
SHA256
e105a1d7fae4d0cb63d068b328d83d41e07b7b27b2bfdc65b2e47c5dfb90466b
-
SHA512
abf62809d26fb85561735b2d99e30618458ba2298c5e2de834f0313dee419c2c3c75fabcb517c84914a2b93d624814e32e8c24768b83a710a752d84f9d77d55d
Malware Config
Extracted
bumblebee
6rr
145.239.30.26:443
194.37.97.135:443
185.62.58.238:443
176.107.177.124:443
192.236.160.254:443
192.236.192.85:443
185.62.56.201:443
103.175.16.59:443
198.98.57.91:443
154.56.0.221:443
64.44.101.250:443
103.175.16.117:443
63.141.248.253:443
192.236.194.136:443
193.239.84.247:443
192.236.161.191:443
185.156.172.123:443
54.38.136.187:443
64.44.102.6:443
192.119.64.21:443
79.110.52.56:443
103.175.16.107:443
146.19.173.224:443
68.233.238.105:443
64.44.135.250:443
103.175.16.121:443
192.236.249.68:443
193.239.84.254:443
37.120.198.248:443
146.19.173.139:443
194.135.33.149:443
154.56.0.241:443
23.254.201.97:443
Signatures
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo rundll32.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ rundll32.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions rundll32.exe -
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation cmd.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Wine rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe 3148 rundll32.exe -
Suspicious use of WriteProcessMemory 6 IoCs
description pid Process procid_target PID 3488 wrote to memory of 3992 3488 cmd.exe 82 PID 3488 wrote to memory of 3992 3488 cmd.exe 82 PID 3992 wrote to memory of 2228 3992 cmd.exe 83 PID 3992 wrote to memory of 2228 3992 cmd.exe 83 PID 2228 wrote to memory of 3148 2228 cmd.exe 85 PID 2228 wrote to memory of 3148 2228 cmd.exe 85
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start docum.bat2⤵
- Suspicious use of WriteProcessMemory
PID:3992 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K docum.bat3⤵
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\system32\rundll32.exeRunDll32 parelmo2.dll,nHqRHTKVae4⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID:3148
-
-
-