Analysis

  • max time kernel
    83s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • submitted
    12-09-2022 20:29

General

  • Target

    iso.iso

  • Size

    4.2MB

  • MD5

    91d626d73fb0dbe45a28f7f49d890c3f

  • SHA1

    b218beed30ab0a02db2024100c7a181f16121365

  • SHA256

    033099c84bf080da3cae5075180d513861b9b993fef92ff948673ac8e7b23f19

  • SHA512

    b172891f4efb3754a6c13e287f13128b94cb28c2ad441935e8eba2597312816477d41fa2e17277764fc32f041fe4d45072f2c8616b7ea7d8053673c59ab96a73

  • SSDEEP

    24576:HKb9bASjbJSeycW5gLI+kEP02C7bswQqNLEueh0GHSeUhXedT3wH0zTgjX7Mn9Il:qpb2Pb3jUNGVJgvIOFkinJ/5aU9/Y

Malware Config

Extracted

Family

bumblebee

Botnet

1209

C2

142.11.211.32:443

146.59.116.49:443

192.236.155.219:443

rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\iso.iso
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3860
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2800
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""E:\low\evasive.bat" "
      1⤵
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:4356
      • C:\Windows\system32\xcopy.exe
        xcopy /s /i /e /h low\foregathering.dat C:\Users\Admin\AppData\Local\Temp\*
        2⤵
          PID:3492
        • C:\Windows\system32\rundll32.exe
          rundll32 C:\Users\Admin\AppData\Local\Temp\foregathering.dat,vcsfile
          2⤵
          • Enumerates VirtualBox registry keys
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Looks for VirtualBox Guest Additions in registry
          • Checks BIOS information in registry
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          PID:3624

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\foregathering.dat

        Filesize

        2.8MB

        MD5

        560ff04e980d8cf505916745f3ba43e4

        SHA1

        6098af187efa9c4f1973891c0ad1dc617564859a

        SHA256

        dd3f100f8dd4df4dc32b4587d47338446a239fc16c7c7938f12edfca1de29748

        SHA512

        7930337a653f8e2c02b7750d43307c9a60e2097c33e770547d3d2b0e9df1db3ffbf2df03d7726bcb718f97146caca7ff7e8517a0bd49eae2d4c16faa1cff5b7d

      • C:\Users\Admin\AppData\Local\Temp\foregathering.dat

        Filesize

        2.8MB

        MD5

        560ff04e980d8cf505916745f3ba43e4

        SHA1

        6098af187efa9c4f1973891c0ad1dc617564859a

        SHA256

        dd3f100f8dd4df4dc32b4587d47338446a239fc16c7c7938f12edfca1de29748

        SHA512

        7930337a653f8e2c02b7750d43307c9a60e2097c33e770547d3d2b0e9df1db3ffbf2df03d7726bcb718f97146caca7ff7e8517a0bd49eae2d4c16faa1cff5b7d

      • memory/3492-132-0x0000000000000000-mapping.dmp

      • memory/3624-133-0x0000000000000000-mapping.dmp

      • memory/3624-136-0x000001FD74B60000-0x000001FD74CC0000-memory.dmp

        Filesize

        1.4MB