Analysis
-
max time kernel
91s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
20-09-2022 19:22
Static task
static1
Behavioral task
behavioral1
Sample
Project info.lnk
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
Project info.lnk
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
iyXaimiAupRils.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
iyXaimiAupRils.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
mKvXxKFuXZEtgH.bat
Resource
win7-20220901-en
windows7-x64
General
-
Target
Project info.lnk
-
Size
995B
-
MD5
273502c7d02ade545ba9663b5fff3ba7
-
SHA1
c56fbfc96f13def520955e299f438532e2eff952
-
SHA256
c7c018f5a1246622c27013d3ae1e8f4d67525d11ab19aa175451a356dd4f8afe
-
SHA512
63fa9193b15f45ed03a0e9bfbac72a1772e9424806f5c070de3d0393bede323cb7ef21eafa05b784dc28d86c81ca1f2dd0d21b0b0831a8aefb1cca178e2a18f6
Malware Config
Extracted
bumblebee
2009
45.153.241.245:443
195.133.192.117:443
146.70.147.16:443
Signatures
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo rundll32.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions rundll32.exe -
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation cmd.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Wine rundll32.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 3700 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe 3700 rundll32.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4656 wrote to memory of 1592 4656 cmd.exe 84 PID 4656 wrote to memory of 1592 4656 cmd.exe 84 PID 1592 wrote to memory of 3700 1592 cmd.exe 85 PID 1592 wrote to memory of 3700 1592 cmd.exe 85
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\Project info.lnk"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4656 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c mKvXxKFuXZEtgH.bat2⤵
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\system32\rundll32.exerundll32 iyXaimiAupRils.dll,runnode3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:3700
-
-