Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 23-12-2024 23:27
Static task: static1
Behavioral task behavioral1: Sample "documents request.lnk", Resource win7-20240903-en
Behavioral task behavioral2: Sample "documents request.lnk", Resource win10v2004-20241007-en
Behavioral task behavioral3: Sample stats.dll, Resource win7-20240708-en
General
Target: documents request.lnk
Size: 1KB
MD5: c792b04c766ab57b49f5cfe33552a0ba
SHA1: badce1297ba8768de589ebae02c955fc99dd3fbe
SHA256: ccbd285306a104b9c4318202bc4afa15af5d285215922877086be4f928494112
SHA512: f9351239f546174314f2ddb2e311a9b8053ca2ab2d59d11541822f2df453ccd8faa477564ef19a5815b72c90f738fdabfc6c03592e9c9f81f18c254e79ff2747
Malware Config
Extracted
bumblebee
276l
172.93.193.124:443
45.153.241.64:443
45.153.241.19:443
Signatures
Bumblebee family
Enumerates VirtualBox registry keys (2 TTPs, 5 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF | odbcconf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo | odbcconf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | odbcconf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse | odbcconf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService | odbcconf.exe
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | odbcconf.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ | odbcconf.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ | odbcconf.exe
Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | odbcconf.exe
Checks BIOS information in registry (2 TTPs, 3 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | odbcconf.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | odbcconf.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | odbcconf.exe
Identifies Wine through registry keys (2 TTPs, 1 IoC)
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\SOFTWARE\Wine | odbcconf.exe
Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 1 IoC)
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | odbcconf.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (41 IoCs)
pid | Process
2044 | odbcconf.exe (41 identical entries)
Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 2236 wrote to memory of 2044 | 2236 | cmd.exe | 29 (3 identical entries)
Processes
C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\documents request.lnk"
  PID: 2236
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\odbcconf.exe (child of PID 2236)
    Command line: "C:\Windows\System32\odbcconf.exe" -f stats.rsp
    PID: 2044
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Looks for VirtualBox Guest Additions in registry
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Checks for VirtualBox DLLs, possible anti-VM trick
    - Suspicious behavior: EnumeratesProcesses