Analysis
max time kernel: 63s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-09-2022 14:50
Static task: static1
Behavioral task: behavioral1 (Sample: DFSdDHyafGNBMb.dll, Resource: win7-20220812-en)
Behavioral task: behavioral2 (Sample: DFSdDHyafGNBMb.dll, Resource: win10v2004-20220901-en)
Behavioral task: behavioral3 (Sample: project info.lnk, Resource: win7-20220812-en)
General
Target: project info.lnk
Size: 1KB
MD5: a3014c117e11c1116f9e51eb79529ab9
SHA1: d9acd73a1898a632bee558d4a0f96995352e1fc0
SHA256: d16b76e0b7e88750733ebc46df80708a539c60d936add5a4fba66f35d3ab260a
SHA512: 8b72991786f5f27b3b56bc0cc239cdb24a6ee2649b311320b481f02c4972ea30d9a2e62e95a056fb8bf55b6c2d14d6d749f944d0ae29d2a2cbca9fdae9180dd8
Malware Config
Extracted
bumblebee
0709
Signatures

Enumerates VirtualBox registry keys (2 TTPs, 5 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | odbcconf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse | odbcconf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService | odbcconf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | odbcconf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo | odbcconf.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | odbcconf.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | odbcconf.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | odbcconf.exe
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | odbcconf.exe
Checks BIOS information in registry (2 TTPs, 3 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | odbcconf.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | odbcconf.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | odbcconf.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | cmd.exe
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Wine | odbcconf.exe
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
pid | Process
3032 | odbcconf.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3032 | odbcconf.exe (the same row is repeated 64 times in the report)
Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 3588 wrote to memory of 3032 | 3588 | cmd.exe | 84
PID 3588 wrote to memory of 3032 | 3588 | cmd.exe | 84
Processes

[1] C:\Windows\system32\cmd.exe (PID 3588)
    command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\project info.lnk"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\System32\odbcconf.exe (PID 3032, child of [1])
      command line: "C:\Windows\System32\odbcconf.exe" /a {REGSVR DFSdDHyafGNBMb.dll}
      - Enumerates VirtualBox registry keys
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Looks for VirtualBox Guest Additions in registry
      - Checks BIOS information in registry
      - Identifies Wine through registry keys
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses