bumblebee | 8149cfdaf8eb8c810c0439a3461c62f032b268448b6054a78157a425a4ce679c

Resubmissions

11/06/2022, 13:38

220611-qxsm5sbaa9 10

30/03/2022, 15:09

220330-sjyncadcd5 9

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220414-en
submitted
11/06/2022, 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

documents.lnk
Size

1KB
MD5

63249b1d5afdb63750f55dad00e211d0
SHA1

116046209898e4d4004dfa7517d56416cc360190
SHA256

467d6e92d3a3c27b2e6c0c75ce20a031c3408f1a58ff09dd5f2c60d6996ad4a0
SHA512

697ebc4a06f65c0409be386b8655024ee59d99ed588eb0c59ec00daec64e2623c74279f411719f152bfd5fb0eb21f07790755d7ba6373891e8eca89985166e51

Score

10^/10

bumblebee leg1 evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

LEG1

45.147.229.177:443

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	appbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	appbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	appbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	appbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	appbuild.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	appbuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	appbuild.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	appbuild.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	appbuild.exe

Looks for VMWare Tools registry key 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools	appbuild.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	appbuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	appbuild.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	appbuild.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\SOFTWARE\Wine	appbuild.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1144	appbuild.exe
1144	appbuild.exe
1144	appbuild.exe
1144	appbuild.exe
1144	appbuild.exe
1144	appbuild.exe
1144	appbuild.exe
1144	appbuild.exe
1144	appbuild.exe
1144	appbuild.exe
1144	appbuild.exe
1144	appbuild.exe
1144	appbuild.exe
1144	appbuild.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 588	1504	cmd.exe	28
PID 1504 wrote to memory of 588	1504	cmd.exe	28
PID 1504 wrote to memory of 588	1504	cmd.exe	28
PID 588 wrote to memory of 1144	588	rundll32.exe	29
PID 588 wrote to memory of 1144	588	rundll32.exe	29
PID 588 wrote to memory of 1144	588	rundll32.exe	29

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" advpack.dll,RegisterOCX appbuild.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:588
- - C:\Users\Admin\AppData\Local\Temp\appbuild.exe
    appbuild.exe /RegServer
    3⤵
    - Enumerates VirtualBox registry keys
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Looks for VirtualBox Guest Additions in registry
    - Looks for VMWare Tools registry key
    - Checks BIOS information in registry
    - Identifies Wine through registry keys
    - Suspicious behavior: EnumeratesProcesses
    PID:1144

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1144-93-0x0000000001C60000-0x0000000001EAD000-memory.dmp

Filesize
2.3MB

Download
memory/1504-54-0x000007FEFC0B1000-0x000007FEFC0B3000-memory.dmp

Filesize
8KB

Download