Analysis
-
max time kernel
39s -
max time network
44s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
24/06/2022, 22:36
General
-
Target
projectr.dll
-
Size
1.8MB
-
MD5
996df34af37534606d59b126eafe0dcb
-
SHA1
f1d3f199ee1aa2ff917b76ad41a64a2a6771f198
-
SHA256
1abd17b10f565bbae870ecc1634cd3c15e80f5d001f748bc112d000e67093669
-
SHA512
462de3cb0029777103d1fe93b7fc2f190033f2ac669c48724853d544f532d2f28c6439e7f198fb1e336145f354ef589b0922c355c7eedab2995d1b37604d03a4
Malware Config
Extracted
bumblebee
236a
146.19.173.191:443
205.218.26.106:335
133.228.15.13:127
60.3.192.137:146
146.70.124.97:443
40.178.16.145:137
216.149.130.58:162
121.214.140.226:358
54.200.237.168:311
85.217.238.89:286
23.82.141.11:443
135.49.247.231:357
105.99.153.173:436
226.179.144.85:474
115.177.167.79:268
23.29.115.172:443
242.165.229.167:492
238.78.243.167:401
28.192.253.108:405
82.217.32.8:253
Signatures
-
BumbleBee
BumbleBee is a webshell malware written in C++.
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Suspicious behavior: EnumeratesProcesses 41 IoCs
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\projectr.dll1⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
-
Filesize
1.1MB
-
Filesize
1.1MB