Overview

overview

10

Static

static

New Folder.lnk

windows7-x64

10

New Folder.lnk

windows10-2004-x64

10

desk.dll

windows7-x64

10

desk.dll

windows10-2004-x64

10

Resubmissions

11-11-2022 08:08

221111-j1y6rscebm 10

12-05-2022 21:09

220512-zzj88aabg5 10

11-05-2022 17:34

220511-v5d7yahaan 10

Analysis

  • max time kernel
    58s
  • max time network
    62s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-11-2022 08:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New Folder.lnk

  • Size

    1KB

  • MD5

    f40f57579623acd5c105e59e23d25572

  • SHA1

    84b7fd207f04b59a1bad3287db7c75415c53a60d

  • SHA256

    83bbe84835486fc58812b378e3a149873c1d2404e8ba402dbbbefa48f6a18fd5

  • SHA512

    8bcd116fc97dbdb8a143eff16bbfd2e4ee1f10645da694a5bad05c4f7c9ed7e5a70908e764ab09b2011cee545a0a1fc934403e44c44f50edfbf028b383618c1c

Score
10/10
bumblebee1105aevasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

1105a

C2

142.11.222.79:443

23.254.224.200:443

103.175.16.52:443

199.195.252.30:443
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\New Folder.lnk"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3464
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" desk.dll,aCmHmjrptS
      2⤵
      • Enumerates VirtualBox registry keys
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Looks for VirtualBox Guest Additions in registry
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious behavior: EnumeratesProcesses
      PID:2212

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2212-133-0x000001DAFEF90000-0x000001DAFF059000-memory.dmp

    Filesize

    804KB

    Download

  • memory/2212-134-0x00007FFBB0C60000-0x00007FFBB0C70000-memory.dmp

    Filesize

    64KB

    Download