Analysis
-
max time kernel
83s -
max time network
132s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
submitted
12-09-2022 20:29
General
-
Target
iso.iso
-
Size
4.2MB
-
MD5
91d626d73fb0dbe45a28f7f49d890c3f
-
SHA1
b218beed30ab0a02db2024100c7a181f16121365
-
SHA256
033099c84bf080da3cae5075180d513861b9b993fef92ff948673ac8e7b23f19
-
SHA512
b172891f4efb3754a6c13e287f13128b94cb28c2ad441935e8eba2597312816477d41fa2e17277764fc32f041fe4d45072f2c8616b7ea7d8053673c59ab96a73
-
SSDEEP
24576:HKb9bASjbJSeycW5gLI+kEP02C7bswQqNLEueh0GHSeUhXedT3wH0zTgjX7Mn9Il:qpb2Pb3jUNGVJgvIOFkinJ/5aU9/Y
Malware Config
Extracted
bumblebee
1209
142.11.211.32:443
146.59.116.49:443
192.236.155.219:443
Signatures
-
BumbleBee
BumbleBee is a webshell malware written in C++.
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 1 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\iso.iso1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""E:\low\evasive.bat" "1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\xcopy.exexcopy /s /i /e /h low\foregathering.dat C:\Users\Admin\AppData\Local\Temp\*2⤵
-
C:\Windows\system32\rundll32.exerundll32 C:\Users\Admin\AppData\Local\Temp\foregathering.dat,vcsfile2⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\foregathering.datFilesize
2.8MB
MD5560ff04e980d8cf505916745f3ba43e4
SHA16098af187efa9c4f1973891c0ad1dc617564859a
SHA256dd3f100f8dd4df4dc32b4587d47338446a239fc16c7c7938f12edfca1de29748
SHA5127930337a653f8e2c02b7750d43307c9a60e2097c33e770547d3d2b0e9df1db3ffbf2df03d7726bcb718f97146caca7ff7e8517a0bd49eae2d4c16faa1cff5b7d
-
C:\Users\Admin\AppData\Local\Temp\foregathering.datFilesize
2.8MB
MD5560ff04e980d8cf505916745f3ba43e4
SHA16098af187efa9c4f1973891c0ad1dc617564859a
SHA256dd3f100f8dd4df4dc32b4587d47338446a239fc16c7c7938f12edfca1de29748
SHA5127930337a653f8e2c02b7750d43307c9a60e2097c33e770547d3d2b0e9df1db3ffbf2df03d7726bcb718f97146caca7ff7e8517a0bd49eae2d4c16faa1cff5b7d
-
memory/3492-132-0x0000000000000000-mapping.dmp
-
memory/3624-133-0x0000000000000000-mapping.dmp
-
memory/3624-136-0x000001FD74B60000-0x000001FD74CC0000-memory.dmpFilesize
1.4MB