Analysis
- max time kernel: 90s
- max time network: 181s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 28/06/2022, 22:54
- Static task: static1
- Behavioral task: behavioral1
- Sample: sec.dll
- Resource: win7-20220414-en
General
- Target: sec.dll
- Size: 1.7MB
- MD5: a30bf883c38b54c3b22a2f8ccfb1bd8a
- SHA1: 9a5ec009753040c5214b864d9d271901eb4542ac
- SHA256: 95a6114c8b9879ebc9a0142fcd46d41dd428380a27d5b396a232f42e4a505fb2
- SHA512: 64d3f30c8564e4eedecd7f3f8c3b1eafaa3d781fb5bef39825ea1b8fdd1f39c38ac477f08a7a147fcb2f404c32ded7ae841b5bb443070945e1aa60668838ed58
Malware Config
- Extracted: bumblebee 286a
Signatures

Enumerates VirtualBox registry keys (2 TTPs, 5 IoCs)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse (process: regsvr32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService (process: regsvr32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF (process: regsvr32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo (process: regsvr32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest (process: regsvr32.exe)
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ (process: regsvr32.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ (process: regsvr32.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: regsvr32.exe)
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions (process: regsvr32.exe)
Checks BIOS information in registry (2 TTPs, 3 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: regsvr32.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: regsvr32.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (process: regsvr32.exe)
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
- Key opened: \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Wine (process: regsvr32.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- pid 2440, process regsvr32.exe (the same entry is repeated for all 64 IoCs)
Processes

C:\Windows\system32\regsvr32.exe
Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\sec.dll
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID: 2440