Windows Analysis Report
mount.dll

Overview

General Information

Sample Name: mount.dll
Analysis ID: 622711
MD5: 8e7115ea580f39c152e4d4bc4472c402
SHA1: 4ea1f1d8a01f251fa5db350f72b04a1d11028fb0
SHA256: c65c51ed60f91a92789c4b056821ef51252baa2a1679a6513ab008acf0464ccb

Detection

BumbleBee
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected BumbleBee
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Contain functionality to detect virtual machines
Searches for specific processes (likely to inject)
C2 URLs / IPs found in malware configuration
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Program does not show much activity (idle)
Contains long sleeps (>= 3 min)
AV process strings found (often used to terminate AV products)
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to query network adapter information
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • loaddll64.exe (PID: 4084 cmdline: loaddll64.exe "C:\Users\user\Desktop\mount.dll" MD5: 4E8A40CAD6CCC047914E3A7830A2D8AA)
    • cmd.exe (PID: 4812 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\mount.dll",#1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • rundll32.exe (PID: 640 cmdline: rundll32.exe "C:\Users\user\Desktop\mount.dll",#1 MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 6016 cmdline: rundll32.exe C:\Users\user\Desktop\mount.dll,shjKeAQfgT MD5: 73C519F050C20580F8A62C849D49215A)
    • rundll32.exe (PID: 4112 cmdline: rundll32.exe "C:\Users\user\Desktop\mount.dll",shjKeAQfgT MD5: 73C519F050C20580F8A62C849D49215A)
  • cleanup

Malware Configuration

{"C2 url": ["282.19.133.12:443", "91.122.18.192:443", "185.156.172.62:443", "72.123.65.11:443", "149.255.35.167:443", "172.241.27.146:443"]}
Yara matches (memory dumps)

Source | Rule | Description | Author | Strings
00000003.00000002.779447807.0000021EF2FE0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |
00000002.00000003.333797150.000001B97EC0E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |
00000003.00000003.333897258.0000021EF3D7C000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |
00000004.00000002.779533341.000001C3386E0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |
00000004.00000003.338592600.000001C33946D000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |

Yara matches (unpacked PEs)

Source | Rule | Description | Author | Strings
3.2.rundll32.exe.21ef2fe0000.0.raw.unpack | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |
3.2.rundll32.exe.21ef2fe0000.0.unpack | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |
4.2.rundll32.exe.1c3386e0000.2.unpack | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |
4.2.rundll32.exe.1c3386e0000.2.raw.unpack | JoeSecurity_BumbleBee | Yara detected BumbleBee | Joe Security |

No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: 3.2.rundll32.exe.21ef2fe0000.0.unpack | Malware Configuration Extractor: BumbleBee {"C2 url": ["282.19.133.12:443", "91.122.18.192:443", "185.156.172.62:443", "72.123.65.11:443", "149.255.35.167:443", "172.241.27.146:443"]}
Source: mount.dll | Virustotal: Detection: 49%
Source: mount.dll | Metadefender: Detection: 22%
Source: mount.dll | ReversingLabs: Detection: 76%
Source: mount.dll | Avira: detected
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000021EF302F050 CryptExportKey,CryptExportKey,3_2_0000021EF302F050
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000021EF302F8B0 CryptAcquireContextW,CryptReleaseContext,3_2_0000021EF302F8B0
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000021EF302F6B0 CryptEnumProvidersW,GetLastError,CryptEnumProvidersW,GetLastError,3_2_0000021EF302F6B0
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000021EF302FCB0 MultiByteToWideChar,MultiByteToWideChar,CryptAcquireContextW,CryptGetProvParam,CryptReleaseContext,CryptGetProvParam,GetLastError,CryptReleaseContext,3_2_0000021EF302FCB0
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000021EF3144070 CryptCreateHash,3_2_0000021EF3144070
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000021EF302E0B0 MultiByteToWideChar,MultiByteToWideChar,CryptAcquireContextW,CryptReleaseContext,3_2_0000021EF302E0B0
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000021EF3030030 CryptEnumProvidersW,CryptEnumProvidersW,GetLastError,GetLastError,3_2_0000021EF3030030
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000021EF304DED0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,QueryPerformanceCounter,GetTickCount,GlobalMemoryStatus,GetCurrentProcessId,3_2_0000021EF304DED0
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000021EF3030380 CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertEnumCertificatesInStore,CertCloseStore,CryptDestroyKey,CryptReleaseContext,CertFreeCertificateContext,3_2_0000021EF3030380
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000021EF302E300 CryptCreateHash,CryptSetHashParam,CryptSignHashW,CryptDestroyHash,3_2_0000021EF302E300
Source: C:\Windows\System32\rundll32.exe | Code function: 3_2_0000021EF3030790 CryptDecrypt,3_2_0000021EF3030790
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000001C33872E300 CryptCreateHash,CryptSetHashParam,CryptSignHashW,CryptDestroyHash,4_2_000001C33872E300
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000001C338730380 CertEnumCertificatesInStore,CertDuplicateCertificateContext,CertEnumCertificatesInStore,CertCloseStore,CryptDestroyKey,CryptReleaseContext,CertFreeCertificateContext,4_2_000001C338730380
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000001C33872E660 CryptDestroyKey,CryptReleaseContext,CertFreeCertificateContext,4_2_000001C33872E660
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000001C338730700 CryptDestroyKey,CryptReleaseContext,CertFreeCertificateContext,4_2_000001C338730700
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000001C338730790 CryptDecrypt,4_2_000001C338730790
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000001C33872FCB0 MultiByteToWideChar,MultiByteToWideChar,CryptAcquireContextW,CryptGetProvParam,CryptReleaseContext,CryptGetProvParam,GetLastError,CryptReleaseContext,4_2_000001C33872FCB0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000001C33874DED0 CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,CryptAcquireContextW,CryptGenRandom,CryptReleaseContext,QueryPerformanceCounter,GetTickCount,GlobalMemoryStatus,GetCurrentProcessId,4_2_000001C33874DED0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000001C338730030 CryptEnumProvidersW,CryptEnumProvidersW,GetLastError,GetLastError,4_2_000001C338730030
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000001C33872E0B0 MultiByteToWideChar,MultiByteToWideChar,CryptAcquireContextW,CryptReleaseContext,4_2_000001C33872E0B0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000001C338844070 CryptCreateHash,4_2_000001C338844070
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000001C33872F6B0 CryptEnumProvidersW,GetLastError,CryptEnumProvidersW,GetLastError,4_2_000001C33872F6B0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000001C33872F8B0 CryptAcquireContextW,CryptReleaseContext,4_2_000001C33872F8B0
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000001C338730A60 CryptCreateHash,CryptSetHashParam,CryptSignHashW,CryptDestroyHash,4_2_000001C338730A60
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000001C33872ED70 CryptDestroyKey,CryptReleaseContext,CertFreeCertificateContext,4_2_000001C33872ED70
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000001C33872EE40 CryptAcquireContextW,CryptGetUserKey,CryptReleaseContext,4_2_000001C33872EE40
Source: C:\Windows\System32\rundll32.exe | Code function: 4_2_000001C33872F050 CryptExportKey,CryptExportKey,4_2_000001C33872F050
Source: unknown | HTTPS traffic detected: 185.156.172.62:443 -> 192.168.2.4:49773 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.156.172.62:443 -> 192.168.2.4:49774 version: TLS 1.2
Source: mount.dll | Static PE information: DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Networking

Source: C:\Windows\System32\rundll32.exe | Network Connect: 91.122.18.192 443
Source: Malware configuration extractor | URLs: 282.19.133.12:443
Source: Malware configuration extractor | URLs: 91.122.18.192:443