Analysis
max time kernel: 90s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-09-2022 17:43
Static task: static1
Behavioral task: behavioral1 (sample Documents.lnk, resource win7-20220812-en)
Behavioral task: behavioral2 (sample Documents.lnk, resource win10v2004-20220901-en)
Behavioral task: behavioral3 (sample ZRoeaQxZZMZDVb.dll, resource win7-20220812-en)
General
Target: Documents.lnk
Size: 1KB
MD5: 62c2908779e9d600b7f173349b4e0336
SHA1: 6cdb058004c035650018a2467c61ac9c70c103b4
SHA256: 1b566c56ec82909b3022ca375323a9fee0ccbbd86a8a8735ffc352f4a035b969
SHA512: 2d9edca7584c4abcd741b4b206536dd55165b2a08e9c634d7c98dd29885f66eb3ebf112581e03fa058f3332aff7dc238c1b14e4818a9bf715c7a5360a6c3cf42
Malware Config
Extracted
bumblebee
0709lg
Signatures
Enumerates VirtualBox registry keys (2 TTPs, 5 IoCs)
description / ioc / process:
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse  odbcconf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService  odbcconf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF  odbcconf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo  odbcconf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest  odbcconf.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
description / ioc / process:
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__  odbcconf.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__  odbcconf.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__  odbcconf.exe
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
description / ioc / process:
Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions  odbcconf.exe
Checks BIOS information in registry (2 TTPs, 3 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description / ioc / process:
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  odbcconf.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion  odbcconf.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate  odbcconf.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description / ioc / process:
Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation  cmd.exe
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description / ioc / process:
Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Wine  odbcconf.exe
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
pid / process:
2260  odbcconf.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid / process:
2260  odbcconf.exe  (the same entry for all 64 IoCs)
Suspicious use of WriteProcessMemory (2 IoCs)
description / pid / process / procid_target:
PID 372 wrote to memory of 2260  372  cmd.exe  84
PID 372 wrote to memory of 2260  372  cmd.exe  84
Processes

C:\Windows\system32\cmd.exe
  command line: cmd /c C:\Users\Admin\AppData\Local\Temp\Documents.lnk
  PID: 372
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\odbcconf.exe
    command line: "C:\Windows\System32\odbcconf.exe" /a {REGSVR ZRoeaQxZZMZDVb.dll}
    PID: 2260
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Looks for VirtualBox Guest Additions in registry
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses