Analysis
-
max time kernel
119s -
max time network
175s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
03-10-2022 18:11
Static task
static1
Behavioral task
behavioral1
Sample
PnrirLoslBOSWR.bat
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
PnrirLoslBOSWR.bat
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
details.lnk
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
details.lnk
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
lqDwAhoXOlNwLd.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral6
Sample
lqDwAhoXOlNwLd.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
details.lnk
-
Size
995B
-
MD5
b5d21515040f492ecf2cdab2cecbee04
-
SHA1
6a288e044cefd4c83fdd07899445755a3e4cdfd4
-
SHA256
ae3360b50c116599a7cb2750c896e4223097e8c7224242d5844ebee0808c089f
-
SHA512
0bd2564b4c078685a7fa321d55655ee8c65a2c559bff231c0d17c80776e8e36d8b251aee85f1e3000e436e03266dab58954640058861a122d71d1d601efe999c
Malware Config
Extracted
bumblebee
2609
209.141.48.135:443
142.11.241.215:443
146.59.116.77:443
Signatures
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo rundll32.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ rundll32.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions rundll32.exe -
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation cmd.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Wine rundll32.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 4900 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe 4900 rundll32.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1020 wrote to memory of 2888 1020 cmd.exe 82 PID 1020 wrote to memory of 2888 1020 cmd.exe 82 PID 2888 wrote to memory of 4900 2888 cmd.exe 83 PID 2888 wrote to memory of 4900 2888 cmd.exe 83
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\details.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c PnrirLoslBOSWR.bat2⤵
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\system32\rundll32.exerundll32 lqDwAhoXOlNwLd.dll,TlvRun3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4900
-
-