Analysis
-
max time kernel
145s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
19-09-2022 15:00
Static task
static1
Behavioral task
behavioral1
Sample
Details.lnk
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral2
Sample
Details.lnk
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
XLojGEhKNSWWGb.bat
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
XLojGEhKNSWWGb.bat
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
uOAxPaiprCVzvn.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral6
Sample
uOAxPaiprCVzvn.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
Details.lnk
-
Size
995B
-
MD5
fc6d9fe3fae2bc903bae5b0b2afaca0e
-
SHA1
c9509d46c804b5d71e197f9c56dcadc2a2c19f79
-
SHA256
cda1e1f1bcf7047878596723ef13fc1231aad4b49ac0e0df335d885099e0694c
-
SHA512
69e0c8b50659238135241bcf48ab83abf39b952d60c9266da347bee0f6ff9224a833841fd67e224bfaddae624bfe553770a35a1b206485ebeeb0ac35f995f0ab
Malware Config
Extracted
bumblebee
1909
172.93.193.42:443
45.153.243.126:443
213.227.154.19:443
Signatures
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo rundll32.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ rundll32.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions rundll32.exe -
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation cmd.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Wine rundll32.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 3248 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe 3248 rundll32.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1368 wrote to memory of 3744 1368 cmd.exe 81 PID 1368 wrote to memory of 3744 1368 cmd.exe 81 PID 3744 wrote to memory of 3248 3744 cmd.exe 82 PID 3744 wrote to memory of 3248 3744 cmd.exe 82
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\Details.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c XLojGEhKNSWWGb.bat2⤵
- Suspicious use of WriteProcessMemory
PID:3744 -
C:\Windows\system32\rundll32.exerundll32 uOAxPaiprCVzvn.dll,CreateTask3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3248
-
-