Analysis
-
max time kernel
91s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
19-10-2022 20:39
Static task
static1
Behavioral task
behavioral1
Sample
DETAILS.lnk
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
DETAILS.lnk
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
HcDTvUxhMvlLtX.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
HcDTvUxhMvlLtX.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
lZrFnyxCjMmiEL.bat
Resource
win7-20220812-en
windows7-x64
General
-
Target
DETAILS.lnk
-
Size
995B
-
MD5
cadc4156a4d9e1c398f6eb54957a8c9b
-
SHA1
2fe2e1366bfcb30249188043d14f6cb749292989
-
SHA256
7e4816c16bd3766ccb4dba5e4dff725f3936233f8aff9cddb904347f17118cd7
-
SHA512
88a8c007d791c7dccf500762a587dd4438da4c53253cb43588e7ac216cd77ba97d5f6d59559a671ebcc120b8f2ae2befc6e03d5f3b8024c8d529f5805058db4e
Malware Config
Extracted
bumblebee
1710
198.98.59.245:443
146.19.173.148:443
45.61.185.227:443
Signatures
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo rundll32.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ rundll32.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions rundll32.exe -
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate rundll32.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation cmd.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Wine rundll32.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 4144 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe 4144 rundll32.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 4372 wrote to memory of 1448 4372 cmd.exe 84 PID 4372 wrote to memory of 1448 4372 cmd.exe 84 PID 1448 wrote to memory of 4144 1448 cmd.exe 85 PID 1448 wrote to memory of 4144 1448 cmd.exe 85
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\DETAILS.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c lZrFnyxCjMmiEL.bat2⤵
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\system32\rundll32.exerundll32.exe HcDTvUxhMvlLtX.dll,FileUpload3⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4144
-
-