Analysis
-
max time kernel
86s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
27/06/2022, 19:12
Static task
static1
Behavioral task
behavioral1
Sample
documents.lnk
Resource
win7-20220414-en
windows7_x64
Behavioral task
behavioral2
Sample
documents.lnk
Resource
win10v2004-20220414-en
windows10-2004_x64
Behavioral task
behavioral3
Sample
n3zarek.dll
Resource
win7-20220414-en
windows7_x64
Behavioral task
behavioral4
Sample
n3zarek.dll
Resource
win10v2004-20220414-en
windows10-2004_x64
General
-
Target
documents.lnk
-
Size
2KB
-
MD5
663851b4f1b3ad5acd85c4ab15493e71
-
SHA1
32060a7f992322ac9bdf6d976d60181111b571d6
-
SHA256
68e3bf7eec93dfd4394746769532dbc890207fd6f554c18165e8a2746b3fe2d2
-
SHA512
0d51286f76f3f8fd292574b97803891571e3c20a110e7b830208591f69fab86941708e1751d3851724b0a12f610ba603afb259451c9e480e42fc306d0688e828
Malware Config
Extracted
bumblebee
276r
76.81.225.65:337
41.28.188.77:212
51.199.209.83:290
192.119.77.100:443
68.121.248.35:464
54.37.131.14:443
149.197.87.217:409
224.110.0.53:105
253.13.70.127:340
122.50.173.112:157
103.25.51.23:388
199.61.79.119:346
68.14.88.177:143
227.12.148.222:270
33.93.97.183:112
168.113.169.88:428
64.157.160.42:207
156.151.142.100:123
146.19.253.56:443
135.36.57.27:157
124.79.186.17:245
254.230.180.37:486
179.4.178.202:339
14.155.143.74:191
31.228.253.114:427
218.122.217.28:234
212.107.138.109:287
29.122.243.158:226
175.90.216.232:197
12.75.186.131:263
227.233.79.54:327
156.165.161.82:298
150.37.37.18:112
145.250.252.150:418
234.248.206.141:176
141.69.161.34:281
24.4.68.32:418
10.28.17.62:401
194.120.202.95:468
245.245.176.160:137
78.24.136.181:493
28.107.38.196:269
151.233.218.244:192
21.21.141.32:133
159.117.143.69:265
154.171.215.86:169
78.74.20.180:433
135.79.221.116:303
194.129.76.203:490
19.32.56.182:487
241.0.19.171:313
35.120.155.220:262
155.180.101.133:318
Signatures
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest rundll32.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ rundll32.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions rundll32.exe -
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation cmd.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Wine rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe 4928 rundll32.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 1208 wrote to memory of 4928 1208 cmd.exe 82 PID 1208 wrote to memory of 4928 1208 cmd.exe 82
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" n3zarek.dll,RoOEiztJvW2⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID:4928
-