Overview

overview

10

Static

static

oFWkRTFwjm.zip

windows10_x64

4

oFWkRTFwjm.zip

windows10-2004_x64

1

document.iso

windows10_x64

3

document.iso

windows10-2004_x64

3

documents.lnk

windows10_x64

10

documents.lnk

windows10-2004_x64

10

lipes.dll

windows10_x64

lipes.dll

windows10-2004_x64

Resubmissions

10-10-2022 17:13

221010-vrjkhacggj 10

03-06-2022 21:56

220603-1tra1seah3 1

03-06-2022 21:55

220603-1swt4sabgp 1

03-06-2022 21:38

220603-1hbq7adhf4 10

03-06-2022 21:28

220603-1brttsdha7 10

Analysis

  • max time kernel
    495s
  • max time network
    498s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    03-06-2022 21:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    documents.lnk

  • Size

    1KB

  • MD5

    dcfc03467dc198612184a307837073d0

  • SHA1

    1fc2d8047e27d14e91c1061a07cc77fd8404747b

  • SHA256

    23e0f3debe5e378bd4ca50ee5243ec67f979ab66507b8ca97310c94706901c4a

  • SHA512

    97ba6aab3917be2da603cc7c9fd629dea478c13b7947400d2bf9bba6676e41b04b5588dc61ee9d39a2121d427bf2a602117fbec0d7071109be69333afbea1afa

Score
10/10
bumblebee106revasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

106r

C2

144.19.20.11:443

150.27.81.2:443

46.21.153.145:443

109.45.29.202:443

6.30.139.246:443

236.110.58.103:443

36.110.58.103:443

149.255.35.134:443

9.63.15.101:443

45.147.229.50:443

184.23.74.168:443

139.24.56.111:443

243.45.135.100:443

21.246.85.34:443

79.44.167.23:443

30.17.4.146:443

56.134.87.45:443

16.46.4.333:443

224.145.6.33:443
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" lipes.dll,oFWkRTFwjm
      2⤵
      • Enumerates VirtualBox registry keys
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Looks for VirtualBox Guest Additions in registry
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious behavior: EnumeratesProcesses
      PID:2132

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2132-131-0x00000222DE610000-0x00000222DE727000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2132-132-0x00007FFE4D540000-0x00007FFE4D550000-memory.dmp

    Filesize

    64KB

    Download