Analysis

  • max time kernel
    39s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    13-10-2022 00:51

General

  • Target

    file-ea1bb905-6718-4e55-8cb2-4f2cfbf2cd23.lnk

  • Size

    1KB

  • MD5

    25804c14d838ee802da26c6c394059ff

  • SHA1

    8f9f2311b1962bbf2d433a419b5b6dd8c0788366

  • SHA256

    63f8f0291ea92dbb363dec39ec1b6ccfce854ea4f7abdb9b8a2907594d7dca32

  • SHA512

    484151f2d04ae782fe8fcacc09f33e31ae56dfaaa87e1d23e751651abb6ad4cf9f6d0f0f1377d30096ae822bd3222f8f196bd876871048f813409d76fcfea0ee

Malware Config

Extracted

Family

bumblebee

Botnet

1010

C2

51.83.250.153:443

194.135.33.40:443

185.145.97.141:443

rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\file-ea1bb905-6718-4e55-8cb2-4f2cfbf2cd23.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1148
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start 93059f5c-b5de-43c5-9547-6c9c4b53455a.png && start ru^n^d^l^l3^2 dd204ab6-b2ca-4f8c-8f6b-b70093a2ec80.Vpy,minload
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:268
      • C:\Windows\system32\rundll32.exe
        rundll32 dd204ab6-b2ca-4f8c-8f6b-b70093a2ec80.Vpy,minload
        3⤵
        • Enumerates VirtualBox registry keys
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Looks for VirtualBox Guest Additions in registry
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:1176

Network

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Virtualization/Sandbox Evasion

4
T1497

Discovery

Query Registry

5
T1012

Virtualization/Sandbox Evasion

4
T1497

System Information Discovery

2
T1082

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/268-89-0x0000000000000000-mapping.dmp
  • memory/268-143-0x0000000000380000-0x0000000000390000-memory.dmp
    Filesize

    64KB

  • memory/1148-54-0x000007FEFB5D1000-0x000007FEFB5D3000-memory.dmp
    Filesize

    8KB

  • memory/1176-144-0x0000000000000000-mapping.dmp
  • memory/1176-145-0x0000000001D80000-0x0000000001ED3000-memory.dmp
    Filesize

    1.3MB