Analysis
- max time kernel: 91s
- max time network: 125s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 24/06/2022, 09:42
- Static task: static1
- Behavioral task: behavioral1
- Sample: projectr.dll
- Resource: win7-20220414-en
General
- Target: projectr.dll
- Size: 1.8MB
- MD5: 546d975e638d044bc23c7f1bf4122d26
- SHA1: 2efd0d398b648d5c70db7d15b1893eb19519ae74
- SHA256: 287055194e83ab2a8d91ef4d187de57345c19018cf3a85024c4fd20c64ad689e
- SHA512: 7e4709e4dd18965966466334870488b4469e9920c5ae5bbc8bbd2249d2071744ba9c3d169be5d1d9280555465fc8659df4e7059a67f5ceca7f76dc8aa388a610
Malware Config
Extracted
- Family: bumblebee
- 236a
Signatures
- Enumerates VirtualBox registry keys (2 TTPs, 5 IoCs)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF (regsvr32.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo (regsvr32.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest (regsvr32.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse (regsvr32.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService (regsvr32.exe)
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (regsvr32.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ (regsvr32.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ (regsvr32.exe)
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  - Key opened: \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions (regsvr32.exe)
- Checks BIOS information in registry (2 TTPs, 3 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (regsvr32.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (regsvr32.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (regsvr32.exe)
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  - Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Wine (regsvr32.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 4872, regsvr32.exe (64 occurrences)
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\projectr.dll
  PID: 4872
  - Enumerates VirtualBox registry keys
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Looks for VirtualBox Guest Additions in registry
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious behavior: EnumeratesProcesses