Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    23-12-2024 23:27

General

  • Target

    documents request.lnk

  • Size

    1KB

  • MD5

    c792b04c766ab57b49f5cfe33552a0ba

  • SHA1

    badce1297ba8768de589ebae02c955fc99dd3fbe

  • SHA256

    ccbd285306a104b9c4318202bc4afa15af5d285215922877086be4f928494112

  • SHA512

    f9351239f546174314f2ddb2e311a9b8053ca2ab2d59d11541822f2df453ccd8faa477564ef19a5815b72c90f738fdabfc6c03592e9c9f81f18c254e79ff2747

Malware Config

Extracted

Family

bumblebee

Botnet

276l

C2

172.93.193.124:443

45.153.241.64:443

45.153.241.19:443

rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a loader malware written in C++.

  • Bumblebee family
  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\documents request.lnk"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\System32\odbcconf.exe
      "C:\Windows\System32\odbcconf.exe" -f stats.rsp
      2⤵
      • Enumerates VirtualBox registry keys
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Looks for VirtualBox Guest Additions in registry
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Checks for VirtualBox DLLs, possible anti-VM trick
      • Suspicious behavior: EnumeratesProcesses
      PID:2044

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2044-38-0x0000000002250000-0x0000000002366000-memory.dmp

    Filesize

    1.1MB

  • memory/2044-39-0x00000000770B0000-0x0000000077259000-memory.dmp

    Filesize

    1.7MB

  • memory/2044-37-0x0000000002250000-0x0000000002366000-memory.dmp

    Filesize

    1.1MB

  • memory/2044-36-0x0000000077101000-0x0000000077102000-memory.dmp

    Filesize

    4KB

  • memory/2044-40-0x00000000770B0000-0x0000000077259000-memory.dmp

    Filesize

    1.7MB

  • memory/2044-41-0x00000000770B0000-0x0000000077259000-memory.dmp

    Filesize

    1.7MB

  • memory/2044-42-0x0000000002250000-0x0000000002366000-memory.dmp

    Filesize

    1.1MB

  • memory/2044-43-0x00000000770B0000-0x0000000077259000-memory.dmp

    Filesize

    1.7MB