Analysis
max time kernel: 125s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-09-2022 19:56
Static task: static1
Behavioral task behavioral1: Sample HKpiLfqChJKPLc.dll, Resource win7-20220901-en
Behavioral task behavioral2: Sample HKpiLfqChJKPLc.dll, Resource win10v2004-20220812-en
Behavioral task behavioral3: Sample applications.lnk, Resource win7-20220812-en
General
Target: applications.lnk
Size: 1KB
MD5: 61f4534b554463ef5a6c0695f78c1863
SHA1: a0373390cdc6edce5af66b0c9657f9cd63d3ab78
SHA256: 201199f2481044b6f4252e0109d09bb7bd170715d401ed5762539992557455b7
SHA512: 79d38cf25d8bc012016ff737c7a3d9923bb831b731c3fe298030a887883d1b65cd67919e7a6658de74683b80af0cb303b1c3069fdb1eb10fd1293f1d997fbb98
Malware Config
Extracted: bumblebee, 0109
C2 addresses (IP:port):
Signatures
Enumerates VirtualBox registry keys (2 TTPs, 5 IoCs)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest (odbcconf.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse (odbcconf.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService (odbcconf.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF (odbcconf.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo (odbcconf.exe)
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (odbcconf.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ (odbcconf.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ (odbcconf.exe)
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions (odbcconf.exe)
Checks BIOS information in registry (2 TTPs, 3 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (odbcconf.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (odbcconf.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (odbcconf.exe)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (cmd.exe)
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Key opened: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Wine (odbcconf.exe)
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid 656 (odbcconf.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 656 (odbcconf.exe), 64 identical entries
Suspicious use of WriteProcessMemory (2 IoCs)
  PID 4612 wrote to memory of 656: pid 4612 cmd.exe, procid_target 81 (2 identical entries)
Processes
1. C:\Windows\system32\cmd.exe
   Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\applications.lnk
   PID: 4612
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\odbcconf.exe (child of 1)
      Command line: "C:\Windows\System32\odbcconf.exe" /a {REGSVR HKpiLfqChJKPLc.dll}
      PID: 656
      - Enumerates VirtualBox registry keys
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Looks for VirtualBox Guest Additions in registry
      - Checks BIOS information in registry
      - Identifies Wine through registry keys
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses