Analysis

  • max time kernel
    91s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    06-07-2022 14:08

General

  • Target

    documents.lnk

  • Size

    2KB

  • MD5

    516c04aa962dfa0e35e7c992c0eb88a9

  • SHA1

    0ebc08f00d9eb38a72b43be9809162d3362a35de

  • SHA256

    a7885b210054b39cb48f1f95a6697480dfa5f81f5439b69b493ae36a0266d1df

  • SHA512

    92a0fa2f6c7dab55bf60079b33a00dd96aabc19a4a391bfc458a696da62e78035e251f7856a2f4c5665db115305f0aef97c5ab4fd4571c96a147b79fc370e1fe

Malware Config

Extracted

Family

bumblebee

Botnet

507r

C2

146.19.173.184:443

41.15.71.157:274

66.9.9.138:154

36.201.196.202:367

173.200.61.240:100

116.241.116.41:410

242.232.106.206:162

10.195.46.61:489

249.112.226.98:243

130.242.219.205:423

154.56.0.113:443

179.5.59.188:228

217.246.42.10:346

169.197.227.201:474

231.228.102.246:186

185.165.82.120:182

74.230.15.244:376

94.88.121.46:403

120.181.249.142:177

138.141.158.45:217

rc4.plain
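A triage pass over the extracted C2 list, added here as an illustration; it is not part of the original sandbox report and not BumbleBee's own code. The entries are copied verbatim from the config above. The heuristic is an assumption made for this example: an address in a private, reserved or multicast range cannot be a live C2 and is treated as a decoy candidate (decoy padding of the C2 list is publicly reported for this family, but the report itself does not say which entries are real), and 443 is singled out as the port a TLS-speaking loader is most likely to use.

```python
"""Classify the extracted BumbleBee C2 entries before blocking or pivoting.

Added example, not from the report. Entries are copied from the page;
the routability heuristic is an assumption, not a finding of the report.
"""
import ipaddress
from typing import Dict, List, Tuple

# Copied from the "Malware Config" section above.
C2_LIST = """
146.19.173.184:443
41.15.71.157:274
66.9.9.138:154
36.201.196.202:367
173.200.61.240:100
116.241.116.41:410
242.232.106.206:162
10.195.46.61:489
249.112.226.98:243
130.242.219.205:423
154.56.0.113:443
179.5.59.188:228
217.246.42.10:346
169.197.227.201:474
231.228.102.246:186
185.165.82.120:182
74.230.15.244:376
94.88.121.46:403
120.181.249.142:177
138.141.158.45:217
"""


def parse_c2(text: str) -> List[Tuple[str, int]]:
    """Turn 'host:port' lines into (host, port) tuples, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, port = line.rpartition(":")
        entries.append((host, int(port)))
    return entries


def is_routable(host: str) -> bool:
    """True only for addresses that could be reached over the Internet.

    The address classes are checked explicitly rather than via is_global
    alone, because is_global does not exclude multicast on every Python
    version.
    """
    ip = ipaddress.ip_address(host)
    if (ip.is_private or ip.is_reserved or ip.is_multicast
            or ip.is_loopback or ip.is_link_local or ip.is_unspecified):
        return False
    return ip.is_global


def triage(entries: List[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Split entries into decoy candidates, routable hosts and 443 listeners."""
    result: Dict[str, List[str]] = {
        "decoy_candidates": [],  # cannot be live C2: private/reserved/multicast
        "routable": [],          # worth a block rule and threat-intel lookup
        "tls_port": [],          # routable and on 443: best pivot candidates
    }
    for host, port in entries:
        pair = f"{host}:{port}"
        if not is_routable(host):
            result["decoy_candidates"].append(pair)
            continue
        result["routable"].append(pair)
        if port == 443:
            result["tls_port"].append(pair)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(parse_c2(C2_LIST)).items():
        print(f"{bucket} ({len(hosts)}):")
        for h in hosts:
            print("   ", h)
```

Blocking the whole list is harmless, but pivoting (passive DNS, hosting lookups, hunting in proxy logs) on the four non-routable entries is wasted effort, and the random-looking high ports on most of the remaining entries are a further hint that only a few of them are meant to be contacted.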

Signatures

  • BumbleBee

    BumbleBee is a malware loader written in C++; the extracted configuration above (botnet ID, C2 list, RC4 key field) belongs to that loader.

  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read from the registry to detect sandbox or virtual-machine environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The generic signature text flags this as likely ransomware behaviour; for a loader that also performs the VirtualBox, Wine and BIOS checks above, it is at least as consistent with environment fingerprinting.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4904
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start rundll32.exe o7m2se.dll,LLBMPMUsqf
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:892
      • C:\Windows\system32\rundll32.exe
        rundll32.exe o7m2se.dll,LLBMPMUsqf
        3⤵
        • Enumerates VirtualBox registry keys
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Looks for VirtualBox Guest Additions in registry
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        PID:3340
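Detection logic for the process chain shown above, added as an example; it is not part of the original report. The three event records are constructed from the page's process tree, and the field names (pid, ppid, image, cmdline) are an assumption chosen to resemble a generic process-creation feed such as Sysmon event ID 1. The rule flags rundll32.exe when the DLL argument is a bare name resolved through the loader's search path (or sits in a user-writable directory) and when an ancestor cmd.exe was launched with a .lnk argument.

```python
"""Flag rundll32.exe launched from an LNK -> cmd.exe chain with a relative DLL.

Added example, not from the report. EVENTS is constructed from the process
tree on the page; the record layout is an assumed generic process-creation
schema, not a specific product's format.
"""
import re
from typing import Dict, List

# Constructed from the report's process tree (pid/ppid as shown there;
# ppid 0 for the root is an assumption).
EVENTS: List[Dict] = [
    {"pid": 4904, "ppid": 0, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk"},
    {"pid": 892, "ppid": 4904, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c start rundll32.exe o7m2se.dll,LLBMPMUsqf'},
    {"pid": 3340, "ppid": 892, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe o7m2se.dll,LLBMPMUsqf"},
]

# rundll32[.exe] <dll>,<export>  (quotes around either part are tolerated)
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>[\w#@$]+)',
    re.IGNORECASE,
)

# Directories an unprivileged user can write to; a DLL here is suspicious.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def ancestors(pid: int, index: Dict[int, Dict]) -> List[Dict]:
    """Walk the ppid chain from pid upwards, guarding against cycles."""
    chain, seen = [], set()
    ev = index.get(pid)
    while ev and ev["ppid"] in index and ev["ppid"] not in seen:
        seen.add(ev["ppid"])
        ev = index[ev["ppid"]]
        chain.append(ev)
    return chain


def find_suspicious_rundll32(events: List[Dict]) -> List[Dict]:
    """Return one finding per rundll32 event that matches the heuristic."""
    index = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        if not ev["image"].lower().endswith("\\rundll32.exe"):
            continue
        m = RUNDLL_RE.search(ev["cmdline"])
        if not m:
            continue
        dll, export = m.group("dll"), m.group("export")
        reasons = []
        if "\\" not in dll:
            reasons.append("relative DLL name resolved via loader search path")
        elif any(p in dll.lower() for p in USER_WRITABLE):
            reasons.append("DLL located in a user-writable directory")
        for anc in ancestors(ev["pid"], index):
            if (anc["image"].lower().endswith("\\cmd.exe")
                    and ".lnk" in anc["cmdline"].lower()):
                reasons.append(f"ancestor cmd.exe (pid {anc['pid']}) launched a .lnk")
                break
        if reasons:
            findings.append({"pid": ev["pid"], "dll": dll,
                             "export": export, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rundll32(EVENTS):
        print(f"pid {f['pid']}: {f['dll']},{f['export']}")
        for r in f["reasons"]:
            print("   -", r)
```

The bare DLL name is the detail to key on: a legitimate rundll32 invocation from a shortcut almost always carries a full path, whereas here the DLL is found relative to whatever working directory the LNK set, which the report does not show. Tuning this for production means adding an allow-list for known system DLL/export pairs; the two signals together are rare enough in normal telemetry to be a reasonable hunting query as written.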

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/3340-132-0x0000020A4C450000-0x0000020A4C566000-memory.dmp

    Filesize

    1.1MB

  • memory/3340-133-0x00007FFC98F40000-0x00007FFC98F50000-memory.dmp

    Filesize

    64KB