Analysis
-
max time kernel
82s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
06-09-2022 15:42
Static task
static1
Behavioral task
behavioral1
Sample
of/Office_Install.lnk
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral2
Sample
of/Office_Install.lnk
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
of/office.dll
Resource
win7-20220812-en
windows7-x64
General
-
Target
of/Office_Install.lnk
-
Size
1KB
-
MD5
6b235a615c34bb2f86e23f9bd86e9bb0
-
SHA1
5d0acfef254761ee10ef3c89c7c078b19dbf2bf2
-
SHA256
baa473b56fc40b073f0e0b5f32944857016e6e7fda120385e5ce677710d9e08d
-
SHA512
2facf906c4cd1004c9f3e75bf3be458f6ae44847f3447d933f3d849d5cc03d064cae1594e8dd9e6d70e71f09e1e514cbce3de185281934bc5ab253afb418312a
Malware Config
Extracted
bumblebee
176
70.164.10.27:408
26.41.31.179:151
114.231.91.156:187
133.178.159.62:149
14.62.208.157:254
25.98.245.218:116
118.68.44.63:384
17.129.76.222:497
169.218.206.202:179
74.82.20.46:385
146.19.173.233:443
224.139.76.178:199
203.204.185.83:210
144.253.119.113:310
143.161.126.207:367
23.67.101.88:308
36.73.68.161:435
23.82.141.11:443
172.93.181.233:443
250.96.42.74:399
151.167.25.68:442
84.29.196.119:376
90.129.223.13:271
97.54.92.27:255
108.62.118.221:443
234.24.133.46:460
104.109.76.33:286
81.64.224.156:255
44.210.220.213:323
179.113.18.224:307
19.221.32.15:329
157.182.119.195:198
130.56.247.186:347
170.198.60.109:264
38.160.158.118:447
166.74.142.212:465
0.126.75.69:401
144.213.129.11:445
33.251.63.134:272
162.53.169.25:330
87.8.111.212:323
157.194.183.217:378
30.152.233.169:117
145.239.30.73:443
239.206.141.82:371
Signatures
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest odbcconf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse odbcconf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService odbcconf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF odbcconf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo odbcconf.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ odbcconf.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ odbcconf.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ odbcconf.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions odbcconf.exe -
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion odbcconf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion odbcconf.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate odbcconf.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation cmd.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Wine odbcconf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe 1684 odbcconf.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 4936 wrote to memory of 1684 4936 cmd.exe 83 PID 4936 wrote to memory of 1684 4936 cmd.exe 83
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\of\Office_Install.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4936 -
C:\Windows\System32\odbcconf.exe"C:\Windows\System32\odbcconf.exe" -f file.rsp2⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious behavior: EnumeratesProcesses
PID:1684
-