Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 23-12-2024 23:27
Static task: static1
Behavioral task: behavioral1
- Sample: documents request.lnk
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: documents request.lnk
- Resource: win10v2004-20241007-en
Behavioral task: behavioral3
- Sample: stats.dll
- Resource: win7-20240708-en
General
- Target: stats.dll
- Size: 1.4MB
- MD5: c978236aacb56975104135b96301fd79
- SHA1: bc9e252dbbbb25a7d3895abf7873ad14ee36c268
- SHA256: b8e8284f3e999db3333a0a8e79132cce4462ccc3c5875b1be7f5e9a2d8e44966
- SHA512: b6f3a476361b2fe7f262486a0b9167555ec77e5915def548c4b4b01bc93cb0e853b1f64f7177998f4216476e8e5e0cc7151f017252a9f0caef1da3c2baa3871c
- SSDEEP: 24576:OsgeDrXBXQS1d7ns+pHB7e0L3/SQUOyxv0dzf9044vunpt:OsgeF7ZsaJR3/SQUO+0dLcv
Malware Config
Extracted
bumblebee
276l
172.93.193.124:443
45.153.241.64:443
45.153.241.19:443
Signatures
- Bumblebee family
- Enumerates VirtualBox registry keys (2 TTPs, 5 IoCs)
  Process: regsvr32.exe
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
  Process: regsvr32.exe
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__
  - Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  Process: regsvr32.exe
  - Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
- Checks BIOS information in registry (2 TTPs, 3 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Process: regsvr32.exe
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
  - Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Process: regsvr32.exe
  - Key opened \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\SOFTWARE\Wine
- Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 1 IoC)
  Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
  Process: regsvr32.exe
  - File opened (read-only) \??\VBoxMiniRdrDN
- Suspicious behavior: EnumeratesProcesses (41 IoCs)
  - PID 1728, Process regsvr32.exe (41 occurrences)
Processes
- C:\Windows\system32\regsvr32.exe
  Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\stats.dll
  PID: 1728
  - Enumerates VirtualBox registry keys
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Looks for VirtualBox Guest Additions in registry
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Suspicious behavior: EnumeratesProcesses