Analysis
-
max time kernel
90s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
19-10-2022 16:37
Static task
static1
Behavioral task
behavioral1
Sample
DETAILS.lnk
Resource
win7-20220901-en
windows7-x64
Behavioral task
behavioral2
Sample
DETAILS.lnk
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
HcDTvUxhMvlLtX.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
HcDTvUxhMvlLtX.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
lZrFnyxCjMmiEL.bat
Resource
win7-20220812-en
windows7-x64
General
-
Target
DETAILS.lnk
-
Size
995B
-
MD5
cadc4156a4d9e1c398f6eb54957a8c9b
-
SHA1
2fe2e1366bfcb30249188043d14f6cb749292989
-
SHA256
7e4816c16bd3766ccb4dba5e4dff725f3936233f8aff9cddb904347f17118cd7
-
SHA512
88a8c007d791c7dccf500762a587dd4438da4c53253cb43588e7ac216cd77ba97d5f6d59559a671ebcc120b8f2ae2befc6e03d5f3b8024c8d529f5805058db4e
Malware Config
Extracted
bumblebee
1710
198.98.59.245:443
146.19.173.148:443
45.61.185.227:443
Signatures
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService rundll32.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ rundll32.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions rundll32.exe -
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation cmd.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Wine rundll32.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 1796 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe 1796 rundll32.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4904 wrote to memory of 2396 4904 cmd.exe 83 PID 4904 wrote to memory of 2396 4904 cmd.exe 83 PID 2396 wrote to memory of 1796 2396 cmd.exe 85 PID 2396 wrote to memory of 1796 2396 cmd.exe 85
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\DETAILS.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c lZrFnyxCjMmiEL.bat2⤵
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\system32\rundll32.exerundll32.exe HcDTvUxhMvlLtX.dll,FileUpload3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1796
-
-