Overview

overview

10

Static

static

docs.bat

windows7_x64

10

docs.bat

windows10_x64

10

docs.bat

windows10-2004_x64

10

docs.bat

windows11_x64

documents.lnk

windows7_x64

10

documents.lnk

windows10_x64

10

documents.lnk

windows10-2004_x64

10

documents.lnk

windows11_x64

palerma3.dll

windows7_x64

10

palerma3.dll

windows10_x64

10

palerma3.dll

windows10-2004_x64

10

palerma3.dll

windows11_x64

Analysis

  • max time kernel
    71s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    10/06/2022, 12:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    documents.lnk

  • Size

    2KB

  • MD5

    5d48299aa0f1b1b03af9e88b49991a2f

  • SHA1

    8f8f3380f47eeef5219a4e00ed9f9b9c7f7a8c97

  • SHA256

    8d7326d4224dbc0237d7b46969a9b65ce46ad5309627ef9704833cae388f56b1

  • SHA512

    f8cc047e90af1dcf32e7ab49b48fdeead1c379cc22f21c8223ee1045961ce6524aebcde9f02d461942730d673d26b4edbc6eef7320aacfc3412c8e524263cf07

Score
10/10
bumblebee6rrevasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

6rr

C2

145.239.30.26:443

194.37.97.135:443

185.62.58.238:443

176.107.177.124:443

192.236.160.254:443

192.236.192.85:443

185.62.56.201:443

103.175.16.59:443

198.98.57.91:443

154.56.0.221:443

64.44.101.250:443

103.175.16.117:443

63.141.248.253:443

192.236.194.136:443

193.239.84.247:443

192.236.161.191:443

185.156.172.123:443

54.38.136.187:443

64.44.102.6:443

192.119.64.21:443
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4480
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start docs.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1012
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /K docs.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1144
        • C:\Windows\system32\rundll32.exe
          RunDll32 palerma3.dll,nHqRHTKVae
          4⤵
          • Enumerates VirtualBox registry keys
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Looks for VirtualBox Guest Additions in registry
          • Checks BIOS information in registry
          • Identifies Wine through registry keys
          • Suspicious behavior: EnumeratesProcesses
          PID:2720

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2720-133-0x0000023C8F640000-0x0000023C8F757000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2720-134-0x00007FF8DC940000-0x00007FF8DC950000-memory.dmp

    Filesize

    64KB

    Download