Analysis
-
max time kernel
83s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
submitted
12-09-2022 20:29
Static task
static1
Behavioral task
behavioral1
Sample
iso.iso
Resource
win7-20220812-en
General
-
Target
iso.iso
-
Size
4.2MB
-
MD5
91d626d73fb0dbe45a28f7f49d890c3f
-
SHA1
b218beed30ab0a02db2024100c7a181f16121365
-
SHA256
033099c84bf080da3cae5075180d513861b9b993fef92ff948673ac8e7b23f19
-
SHA512
b172891f4efb3754a6c13e287f13128b94cb28c2ad441935e8eba2597312816477d41fa2e17277764fc32f041fe4d45072f2c8616b7ea7d8053673c59ab96a73
-
SSDEEP
24576:HKb9bASjbJSeycW5gLI+kEP02C7bswQqNLEueh0GHSeUhXedT3wH0zTgjX7Mn9Il:qpb2Pb3jUNGVJgvIOFkinJ/5aU9/Y
Malware Config
Extracted
bumblebee
1209
142.11.211.32:443
146.59.116.49:443
192.236.155.219:443
Signatures
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo rundll32.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ rundll32.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions rundll32.exe -
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate rundll32.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Wine rundll32.exe -
Loads dropped DLL 1 IoCs
pid Process 3624 rundll32.exe -
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\E: cmd.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 3624 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings cmd.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe 3624 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeManageVolumePrivilege 3860 cmd.exe Token: SeManageVolumePrivilege 3860 cmd.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4356 wrote to memory of 3492 4356 cmd.exe 100 PID 4356 wrote to memory of 3492 4356 cmd.exe 100 PID 4356 wrote to memory of 3624 4356 cmd.exe 101 PID 4356 wrote to memory of 3624 4356 cmd.exe 101
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\iso.iso1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3860
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2800
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""E:\low\evasive.bat" "1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4356 -
C:\Windows\system32\xcopy.exexcopy /s /i /e /h low\foregathering.dat C:\Users\Admin\AppData\Local\Temp\*2⤵PID:3492
-
-
C:\Windows\system32\rundll32.exerundll32 C:\Users\Admin\AppData\Local\Temp\foregathering.dat,vcsfile2⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3624
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.8MB
MD5560ff04e980d8cf505916745f3ba43e4
SHA16098af187efa9c4f1973891c0ad1dc617564859a
SHA256dd3f100f8dd4df4dc32b4587d47338446a239fc16c7c7938f12edfca1de29748
SHA5127930337a653f8e2c02b7750d43307c9a60e2097c33e770547d3d2b0e9df1db3ffbf2df03d7726bcb718f97146caca7ff7e8517a0bd49eae2d4c16faa1cff5b7d
-
Filesize
2.8MB
MD5560ff04e980d8cf505916745f3ba43e4
SHA16098af187efa9c4f1973891c0ad1dc617564859a
SHA256dd3f100f8dd4df4dc32b4587d47338446a239fc16c7c7938f12edfca1de29748
SHA5127930337a653f8e2c02b7750d43307c9a60e2097c33e770547d3d2b0e9df1db3ffbf2df03d7726bcb718f97146caca7ff7e8517a0bd49eae2d4c16faa1cff5b7d