Analysis

max time kernel: 1246s
max time network: 1252s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 31-10-2022 20:40

Static task: static1
Behavioral task: behavioral1
Sample: evwvwet543yc0.dll
Resource: win7-20220901-en
General

Target: evwvwet543yc0.dll
Size: 2.8MB
MD5: 63a316eba32ceedb0a6f2c02499fee0d
SHA1: c95091727e0b80206bc08fe6f5419f7fa0b6a719
SHA256: 5c15151a29fab8a2d58fa55aa6c88a58a456b0a6bc959b843e9ceb2295c61885
SHA512: 9d17db2d937cffee92c1897e26db01bc1d41262f4aae4fcb6746ddc897a00e901686dab876a3fa48a682efcd617b05dfaa0522f066f6dfca7a54fbda921917ac
SSDEEP: 49152:AY1LnDpAyAelZQtflyyyuSXfiCC8M7vZ+x1BxkJj52DTUFPRAK8hVgi:3pDAZlyyyuSXfiCC8M7vZ+x1BxkJjKUq
Malware Config

Extracted
  Family: bumblebee
  Group ID: 2809
  C2:
    224.56.150.48:443
    209.141.41.150:443
    192.119.68.104:443
    51.83.249.124:443
  Note: 224.56.150.48 lies in the IPv4 multicast range (224.0.0.0/4) and cannot be a reachable unicast C2 endpoint; verify each extracted address before using it as a block-list or alert indicator.
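A check worth running on any extracted C2 list before it becomes a block-list entry, as an added example that is not the sandbox's code: the script parses host:port entries, rejects multicast, private, loopback, link-local and reserved addresses, and keeps only globally routable ones. The input list is the four entries from the report, embedded inline; the function names are this example's own.

```python
import ipaddress

# The four C2 entries exactly as the report prints them (constructed inline input).
EXTRACTED_C2 = [
    "224.56.150.48:443",
    "209.141.41.150:443",
    "192.119.68.104:443",
    "51.83.249.124:443",
]


def parse_endpoint(text):
    """Split 'host:port' into (ip_address, port); raise ValueError if either is bad."""
    host, sep, port = text.strip().rpartition(":")
    if not sep:
        raise ValueError(f"no port in {text!r}")
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range in {text!r}")
    return ipaddress.ip_address(host), port


def classify_address(addr):
    """Explain whether an address is a plausible C2 endpoint.

    is_multicast is tested first on purpose: ipaddress' is_global only excludes
    the private/reserved ranges, so 224.0.0.0/4 would otherwise pass as global.
    """
    if addr.is_multicast:
        return "multicast"
    if addr.is_loopback or addr.is_link_local or addr.is_private or addr.is_reserved:
        return "non-routable"
    if not addr.is_global:
        return "non-routable"
    return "routable"


def triage_c2_list(entries):
    """Return (usable indicators, [(entry, reason) rejected])."""
    usable, rejected = [], []
    for entry in entries:
        try:
            addr, port = parse_endpoint(entry)
        except ValueError as exc:
            rejected.append((entry, f"unparseable: {exc}"))
            continue
        reason = classify_address(addr)
        if reason == "routable":
            usable.append(f"{addr}:{port}")
        else:
            rejected.append((entry, reason))
    return usable, rejected


if __name__ == "__main__":
    ok, bad = triage_c2_list(EXTRACTED_C2)
    print("usable:", ok)
    print("rejected:", bad)
```

For the report's list this keeps three entries and rejects 224.56.150.48:443 as multicast; the same function also rejects RFC 1918 space and entries without a port, which is the shape extraction artefacts usually take.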
Signatures

Enumerates VirtualBox registry keys (2 TTPs, 10 IoCs)
  Process: rundll32.exe. Each key below was opened twice.
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse
    Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
  Process: rundll32.exe. Each key below was opened twice.
    Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
    Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__
    Key opened  \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__

Looks for VirtualBox Guest Additions in registry (2 TTPs, 2 IoCs)
  Process: rundll32.exe. Opened twice.
    Key opened  \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions

Checks BIOS information in registry (2 TTPs, 6 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Process: rundll32.exe. Each value below was queried twice.
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion

Identifies Wine through registry keys (2 TTPs, 2 IoCs)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Process: rundll32.exe. Opened twice.
    Key opened  \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Wine
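Taken together, the five registry signatures above are the sample probing whether it runs under VirtualBox or Wine. The following is an added example, not the sandbox's own detection logic, of turning those registry paths into a small classifier over registry-access events written in the same "action  path  process" row shape the report uses. It normalises HKLM/HKU spellings to the kernel \REGISTRY\ form, matches each event against one rule per signature, aggregates hits per process image, and only flags a process that trips at least two distinct categories, since a single BIOS read is common in benign software. The sample rows mix rows copied from the report with constructed benign events, labelled in the code; the rule names reuse the report's signature titles.

```python
import re
from collections import defaultdict

# One rule per signature in the report, matched against the upper-cased,
# normalised registry path. ControlSet001 and CurrentControlSet are both accepted.
ANTI_VM_RULES = [
    ("Enumerates VirtualBox registry keys",
     re.compile(r"^\\REGISTRY\\MACHINE\\SYSTEM\\(?:CONTROLSET\d{3}|CURRENTCONTROLSET)"
                r"\\SERVICES\\VBOX(?:SF|SERVICE|GUEST|MOUSE|VIDEO)$")),
    ("Identifies VirtualBox via ACPI registry values (likely anti-VM)",
     re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\VBOX__$")),
    ("Looks for VirtualBox Guest Additions in registry",
     re.compile(r"^\\REGISTRY\\MACHINE\\SOFTWARE\\ORACLE\\VIRTUALBOX GUEST ADDITIONS$")),
    ("Checks BIOS information in registry",
     re.compile(r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\SYSTEM\\"
                r"(?:SYSTEMBIOSVERSION|SYSTEMBIOSDATE|VIDEOBIOSVERSION)$")),
    ("Identifies Wine through registry keys",
     re.compile(r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\SOFTWARE\\WINE$")),
]

# Other log sources (Sysmon, procmon) spell hives differently; map them to kernel form.
HIVE_ALIASES = {
    "HKEY_LOCAL_MACHINE": r"\REGISTRY\MACHINE",
    "HKLM": r"\REGISTRY\MACHINE",
    "HKEY_USERS": r"\REGISTRY\USER",
    "HKU": r"\REGISTRY\USER",
}

# '<action> <path with possible spaces> <process image>'; the image is the last token.
EVENT_RE = re.compile(r"^(Key opened|Key value queried)\s+(.+)\s+(\S+)$")


def normalise_path(path):
    """Upper-case a registry path and rewrite HKLM/HKU prefixes to \\REGISTRY\\... form."""
    path = path.strip().replace("/", "\\")
    head, sep, tail = path.partition("\\")
    alias = HIVE_ALIASES.get(head.upper())
    if alias:
        path = alias + (sep + tail if sep else "")
    return path.upper()


def parse_event(line):
    """Return (action, normalised path, process) or None for non-registry lines."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    action, path, process = m.groups()
    return action, normalise_path(path), process


def classify_events(lines):
    """Return {process: {signature: hit count}} for events that match a rule."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        _action, path, process = parsed
        for name, rx in ANTI_VM_RULES:
            if rx.match(path):
                hits[process][name] += 1
                break
    return {p: dict(sigs) for p, sigs in hits.items()}


def verdict(hits, min_categories=2):
    """True for a process that trips at least min_categories distinct signatures."""
    return {p: len(sigs) >= min_categories for p, sigs in hits.items()}


SAMPLE_EVENTS = [
    # Rows copied from the report's signature tables.
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF rundll32.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService rundll32.exe",
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe",
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions rundll32.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe",
    r"Key opened \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Wine rundll32.exe",
    # Constructed benign noise, not from the report: a shell reading Run keys, a
    # system tool reading the BIOS version once, and the VirtualBox tray agent itself.
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run explorer.exe",
    r"Key value queried HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion msinfo32.exe",
    r"Key opened HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VBoxGuest VBoxTray.exe",
]


if __name__ == "__main__":
    result = classify_events(SAMPLE_EVENTS)
    for process, flagged in verdict(result).items():
        print(process, "ANTI-VM" if flagged else "ok", result[process])
```

On the sample rows only rundll32.exe is flagged (five categories); msinfo32.exe and VBoxTray.exe each hit one category and stay below the threshold, and explorer.exe produces no hit at all. The threshold is the knob to tune against your own baseline of legitimate software.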
Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  A thread was created through NtCreateThreadEx with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag; such a thread delivers no debug events to an attached debugger, which makes this a common anti-debugging technique.
    pid 2020  rundll32.exe
    pid 1968  rundll32.exe
Program crash (2 IoCs)
    WerFault.exe pid 2024 handling the crash of pid 1328  (procid_target 8)
    WerFault.exe pid 1404 handling the crash of pid 1384  (procid_target 29)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
    pid 2020  rundll32.exe
    pid 1968  rundll32.exe
  (64 process-enumeration events in total, all from these two rundll32.exe instances)
Suspicious use of WriteProcessMemory (12 IoCs)
  Each relation below is reported three times.
    PID 1328 (rundll32.exe) wrote to memory of PID 2024  (procid_target 26)
    PID 808  (cmd.exe)      wrote to memory of PID 1384  (procid_target 29)
    PID 1384 (rundll32.exe) wrote to memory of PID 1404  (procid_target 30)
    PID 808  (cmd.exe)      wrote to memory of PID 2020  (procid_target 31)
  In every case the writer is the parent of the target, which it had just created (the two WerFault targets are crash handlers). Writes into a freshly created child are expected at process creation, so none of these rows by itself indicates injection into an unrelated process.
Processes

The sandbox invoked the DLL's exports #1, #2 and #3 by ordinal through rundll32. WerFault was launched for the #1 and #2 invocations (PIDs 1328 and 1384); only the two #3 invocations (PIDs 2020 and 1968) ran long enough to show the anti-VM and anti-debug behaviour listed under Signatures.

C:\Windows\system32\rundll32.exe  (PID 1328)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\evwvwet543yc0.dll,#1
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\WerFault.exe  (PID 2024, child of 1328)
      command line: C:\Windows\system32\WerFault.exe -u -p 1328 -s 84
      - Program crash

C:\Windows\system32\cmd.exe  (PID 808)
  command line: "C:\Windows\system32\cmd.exe"
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\rundll32.exe  (PID 1384, child of 808)
      command line: rundll32 evwvwet543yc0.dll,#2
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\WerFault.exe  (PID 1404, child of 1384)
          command line: C:\Windows\system32\WerFault.exe -u -p 1384 -s 84
          - Program crash
    C:\Windows\system32\rundll32.exe  (PID 2020, child of 808)
      command line: rundll32 evwvwet543yc0.dll,#3
      - Enumerates VirtualBox registry keys
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Looks for VirtualBox Guest Additions in registry
      - Checks BIOS information in registry
      - Identifies Wine through registry keys
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\cmd.exe  (PID 1988)
  command line: "C:\Windows\system32\cmd.exe"
    C:\Windows\system32\rundll32.exe  (PID 1968, child of 1988)
      command line: rundll32 evwvwet543yc0.dll,#3
      - Enumerates VirtualBox registry keys
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Looks for VirtualBox Guest Additions in registry
      - Checks BIOS information in registry
      - Identifies Wine through registry keys
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
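The question a triage analyst asks of a tree like this is which export actually carries the payload, so it can be called directly on the next run. The following is an added example, not part of the report, that automates the correlation: it pulls the export ordinal out of each rundll32 command line, identifies crashed PIDs from WerFault's -p argument, and reports per export which PIDs ran it, whether it crashed, and which signatures the sandbox attributed to it. The process records are copied from the tree above (parent PIDs follow its nesting; the signature lists for the #3 instances are abridged) and are embedded inline as constructed input.

```python
import re
from collections import defaultdict

# rundll32's '<dll>,#<ordinal>' syntax and WerFault's '-p <crashed pid>' argument.
EXPORT_RE = re.compile(r",#(\d+)\b")
WERFAULT_RE = re.compile(r"WerFault\.exe\b.*?\s-p\s+(\d+)", re.IGNORECASE)

# (pid, parent pid or None if the tree shows no parent, command line,
#  signatures the report attributes to the process). Copied from the report's tree.
PROCESSES = [
    (1328, None, r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\evwvwet543yc0.dll,#1", ()),
    (2024, 1328, r"C:\Windows\system32\WerFault.exe -u -p 1328 -s 84", ()),
    (808, None, r"C:\Windows\system32\cmd.exe", ()),
    (1384, 808, r"rundll32 evwvwet543yc0.dll,#2", ()),
    (1404, 1384, r"C:\Windows\system32\WerFault.exe -u -p 1384 -s 84", ()),
    (2020, 808, r"rundll32 evwvwet543yc0.dll,#3",
     ("Enumerates VirtualBox registry keys",
      "Checks BIOS information in registry",
      "Suspicious use of NtCreateThreadExHideFromDebugger")),
    (1988, None, r"C:\Windows\system32\cmd.exe", ()),
    (1968, 1988, r"rundll32 evwvwet543yc0.dll,#3",
     ("Enumerates VirtualBox registry keys",
      "Checks BIOS information in registry",
      "Suspicious use of NtCreateThreadExHideFromDebugger")),
]


def export_ordinal(cmdline):
    """Ordinal after ',#' in a rundll32 command line, or None if there is none."""
    m = EXPORT_RE.search(cmdline)
    return int(m.group(1)) if m else None


def crashed_pids(processes):
    """PIDs that Windows Error Reporting was started for (WerFault.exe -p <pid>)."""
    crashed = set()
    for _pid, _ppid, cmd, _sigs in processes:
        m = WERFAULT_RE.search(cmd)
        if m:
            crashed.add(int(m.group(1)))
    return crashed


def export_outcomes(processes):
    """{ordinal: {"pids": [...], "crashed": bool, "signatures": [...]}} per export."""
    crashed = crashed_pids(processes)
    out = defaultdict(lambda: {"pids": [], "crashed": False, "signatures": set()})
    for pid, _ppid, cmd, sigs in processes:
        ordinal = export_ordinal(cmd)
        if ordinal is None:
            continue
        entry = out[ordinal]
        entry["pids"].append(pid)
        entry["crashed"] = entry["crashed"] or pid in crashed
        entry["signatures"].update(sigs)
    return {k: {**v, "signatures": sorted(v["signatures"])}
            for k, v in sorted(out.items())}


def likely_payload_exports(processes):
    """Exports that did not crash and produced behaviour: the ones to call explicitly
    (or emulate) when the sample is re-run."""
    return [o for o, v in export_outcomes(processes).items()
            if not v["crashed"] and v["signatures"]]


if __name__ == "__main__":
    for ordinal, info in export_outcomes(PROCESSES).items():
        state = "crashed" if info["crashed"] else "ran"
        print(f"export #{ordinal}: pids={info['pids']} {state} signatures={info['signatures']}")
    print("payload export(s):", likely_payload_exports(PROCESSES))
```

For this report the result is that #1 and #2 crashed without producing behaviour and #3 is the only export worth re-running; whether #1 and #2 crash because they expect arguments or a different loader is not something the sandbox output settles.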