Analysis
-
max time kernel
91s -
max time network
105s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
16-09-2022 20:11
Static task
static1
Behavioral task
behavioral1
Sample
bhaks.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
bhaks.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
exit.bat
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
exit.bat
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
required information.lnk
Resource
win7-20220812-en
windows7-x64
General
-
Target
required information.lnk
-
Size
1KB
-
MD5
58fb2aa4cdc631b102abd92cad34f054
-
SHA1
2df65dd90d13d13fe3a4070c85347e8eda82c935
-
SHA256
3b6b4238e4557235e44df73530bf6577df2897ba625f7f2879d102ff08086819
-
SHA512
79a364cd0b900fd7a816c57ffe9ad317ad16e0aa7c7f067ebe9f114dd3a2682cbce41cb66bf1d8a1de2dea303ef38c1f379925e5beca113f7ae8722f72e9fcef
Malware Config
Extracted
bumblebee
1209
103.144.139.138:443
154.56.0.119:443
158.20.4.234:443
205.185.123.115:443
146.70.143.140:443
Signatures
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF rundll32.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions rundll32.exe -
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation cmd.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Wine rundll32.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 2108 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe 2108 rundll32.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4344 wrote to memory of 392 4344 cmd.exe 80 PID 4344 wrote to memory of 392 4344 cmd.exe 80 PID 392 wrote to memory of 2108 392 cmd.exe 81 PID 392 wrote to memory of 2108 392 cmd.exe 81
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\required information.lnk"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4344 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c exit.bat2⤵
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\system32\rundll32.exerundll32 bhaks.dll,vcsfile3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2108
-
-