Analysis
- max time kernel: 68s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 26/06/2022, 10:25
Static task: static1
Behavioral task: behavioral1
- Sample: m3n4rat/documents.lnk
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: m3n4rat/documents.lnk
- Resource: win10v2004-20220414-en
Behavioral task: behavioral3
- Sample: m3n4rat/m3n4rat.dll
- Resource: win7-20220414-en
Behavioral task: behavioral4
- Sample: m3n4rat/m3n4rat.dll
- Resource: win10v2004-20220414-en
General
- Target: m3n4rat/documents.lnk
- Size: 2KB
- MD5: 1e3f5cd9d257761d411f55b1c28c6e50
- SHA1: 104ac15abdaa5313dc243c7086781339223b55fc
- SHA256: 79c46064eb48f99845aeac03b836df35fc034fe8fb603a5394cd58932811d418
- SHA512: 1a5ba3732118c9aa758d80cba57a39feaaf9af5ecbc232463347e41ff286d94cd74fbd4f05747c08023d4c13f38f433728ebd3c08d2a60032f8c65676d45f217
Malware Config
Extracted
- Family: bumblebee
- Botnet: 236r
- C2 (IP:port):
54.38.136.111:443
103.200.32.188:492
74.57.128.223:112
13.2.200.200:338
228.194.82.251:473
247.224.208.140:372
0.151.228.146:282
192.119.77.241:443
186.150.217.235:221
50.41.225.93:478
50.167.186.112:239
173.77.219.120:201
187.210.45.242:299
239.11.133.48:421
207.6.99.3:471
98.28.11.39:201
193.239.152.108:242
133.209.39.126:217
146.19.173.202:443
97.194.155.116:446
86.91.101.57:221
101.8.100.194:131
152.38.148.148:494
89.172.3.185:315
138.114.199.166:316
69.120.31.126:408
74.135.94.210:347
204.233.101.71:459
168.120.139.16:273
204.181.129.183:248
172.110.248.55:203
25.170.215.18:456
82.20.113.198:446
106.120.29.13:489
246.47.222.240:216
103.175.16.47:443
24.121.25.160:346
28.53.120.108:270
211.131.243.77:112
246.232.135.28:477
49.179.166.100:235
146.19.173.207:443
206.103.180.253:205
215.48.4.118:123
224.239.200.236:443
Signatures
- Enumerates VirtualBox registry keys (2 TTPs, 5 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService | rundll32.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | rundll32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | rundll32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rundll32.exe
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | rundll32.exe
- Checks BIOS information in registry (2 TTPs, 3 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | cmd.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Wine | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  3304 | rundll32.exe (this row is repeated 64 times in the report)
- Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 320 wrote to memory of 3304 | 320 | cmd.exe | 81
  PID 320 wrote to memory of 3304 | 320 | cmd.exe | 81
Processes
- C:\Windows\system32\cmd.exe (PID 320)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\m3n4rat\documents.lnk
  Signatures:
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Child process (spawned by PID 320):
  - C:\Windows\System32\rundll32.exe (PID 3304)
    Command line: "C:\Windows\System32\rundll32.exe" m3n4rat.dll,PjyJGGCvQs
    Signatures:
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Looks for VirtualBox Guest Additions in registry
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious behavior: EnumeratesProcesses