Analysis

  • max time kernel
    90s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15-09-2022 10:33

General

  • Target

    setting.dll

  • Size

    2.4MB

  • MD5

    810beaab7e74d7b37dfd3b8b319a2ca6

  • SHA1

    fb07e024c28064ab5e6accf248e74bc12c31cf06

  • SHA256

    131f7e18bc3ea50cdcf74b618c24f5ae1b38594f8649d80538566b1cceeec683

  • SHA512

    e41e4588d9cb9d9e1adc72a862f2816070f9cc204833cdd7527260ea1f710077076ec67c9eca786e99c49e8e14c28619ab96bb0ce1324e2fb4d9110bc6419c2b

  • SSDEEP

    49152:d7wq/1JsO/mzk/B84wEkqcKKEit/nLYpieYHpzoHM41/:d7w27ekpWRIe4YHpzos4V

Malware Config

Extracted

Family

bumblebee

Botnet

ALL0504

C2

192.236.198.63:443

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

  • Enumerates VirtualBox registry keys (2 TTPs, 5 IoCs)
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
  • Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  • Looks for VMWare Tools registry key (2 TTPs, 1 IoC)
  • Checks BIOS information in registry (2 TTPs, 3 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys (2 TTPs, 1 IoC)

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Suspicious behavior: EnumeratesProcesses (28 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\setting.dll,#1
    • Enumerates VirtualBox registry keys
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious behavior: EnumeratesProcesses
    PID:4720

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/4720-132-0x0000022690140000-0x000002269038D000-memory.dmp

    Filesize

    2.3MB

  • memory/4720-133-0x00007FFBE72C0000-0x00007FFBE72D0000-memory.dmp

    Filesize

    64KB