Overview

overview

10

Static

static

NaTfRzldqphjNX.bat

windows7-x64

10

NaTfRzldqphjNX.bat

windows10-2004-x64

10

kcftZUmITYgNCj.dll

windows7-x64

3

kcftZUmITYgNCj.dll

windows10-2004-x64

3

project details.lnk

windows7-x64

10

project details.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    37s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    20-10-2022 22:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    project details.lnk

  • Size

    995B

  • MD5

    9495ea4d16857eedd24f80dd980f1c12

  • SHA1

    4a4743cbdcaa59cde9bd00dee81fe1c74c1a0538

  • SHA256

    c6ec33118502a7d05057a3e9d203ae569f664d9899a5a5e955c0cdf23cf6be00

  • SHA512

    8f4054bf35854ae2411fa8561fdd024051ec6ddb1ad9af017ad5dd31ebbebe998f2eb4bf8c2af815fbc7519f7876235cd460db9ce986d821eeaea4056fa67c94

Score
10/10
bumblebee1810evasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

1810

C2

198.98.59.245:443

45.61.185.227:443

45.153.242.242:443

146.19.173.148:443
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\project details.lnk"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c NaTfRzldqphjNX.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe kcftZUmITYgNCj.dll,regtask
        3⤵
        • Enumerates VirtualBox registry keys
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Looks for VirtualBox Guest Additions in registry
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:1120

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1120-90-0x0000000001DD0000-0x0000000001F23000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1952-54-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

    Filesize

    8KB

    Download