bumblebee | b47bad8968dbe798ac7dc1a5648206c1819160ecd68449d9dd82ba19a0296288

max time kernel
124s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
28-09-2022 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Invoice_09-12-22_order_157.iso
Size

4.2MB
MD5

b1938ffbd6dcc69183382302604e84e5
SHA1

6d9984400b133cf92289d8ccd129f5d7133ce268
SHA256

b47bad8968dbe798ac7dc1a5648206c1819160ecd68449d9dd82ba19a0296288
SHA512

736e695281ed259e616d0862c64ebff16cd845767e5998162f0e7e0fe0161a0be037d17be5beb8ccade317008004880b834dab851cff04897bfa434995d33a3c
SSDEEP

49152:PA4O7LDVaMxLT7IHXcnfwYcoAVGnUmEd70dl4ievKgTN:PAZD3SYUmE2dl4jK

Score

10^/10

bumblebee 1209 evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

1209

142.11.211.32:443

146.59.116.49:443

192.236.155.219:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	rundll32.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	rundll32.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	rundll32.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	rundll32.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

rundll32.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Wine rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

212 rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Wine	rundll32.exe

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

rundll32.exe

pid process

212 rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings cmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

rundll32.exe

pid	process
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe
212	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cmd.exe

description pid process

Token: SeManageVolumePrivilege 464 cmd.exe
Token: SeManageVolumePrivilege 464 cmd.exe

description	pid	process
Token: SeManageVolumePrivilege	464	cmd.exe
Token: SeManageVolumePrivilege	464	cmd.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3944 wrote to memory of 2404	3944	cmd.exe	xcopy.exe
PID 3944 wrote to memory of 2404	3944	cmd.exe	xcopy.exe
PID 3944 wrote to memory of 212	3944	cmd.exe	rundll32.exe
PID 3944 wrote to memory of 212	3944	cmd.exe	rundll32.exe
PID 4452 wrote to memory of 2316	4452	cmd.exe	xcopy.exe
PID 4452 wrote to memory of 2316	4452	cmd.exe	xcopy.exe
PID 1296 wrote to memory of 4164	1296	cmd.exe	xcopy.exe
PID 1296 wrote to memory of 4164	1296	cmd.exe	xcopy.exe
PID 2088 wrote to memory of 1880	2088	cmd.exe	xcopy.exe
PID 2088 wrote to memory of 1880	2088	cmd.exe	xcopy.exe
PID 4652 wrote to memory of 2664	4652	cmd.exe	xcopy.exe
PID 4652 wrote to memory of 2664	4652	cmd.exe	xcopy.exe
PID 4332 wrote to memory of 2128	4332	cmd.exe	xcopy.exe
PID 4332 wrote to memory of 2128	4332	cmd.exe	xcopy.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Invoice_09-12-22_order_157.iso
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""E:\mag\estuary.bat" "
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h mag\countermanding.dat C:\Users\Admin\AppData\Local\Temp\*
2⤵
PID:2404

C:\Windows\system32\rundll32.exe
rundll32 C:\Users\Admin\AppData\Local\Temp\countermanding.dat,vcsfile
2⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""E:\mag\estuary.bat" "
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4452

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h mag\countermanding.dat C:\Users\Admin\AppData\Local\Temp\*
2⤵
PID:2316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""E:\mag\estuary.bat" "
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h mag\countermanding.dat C:\Users\Admin\AppData\Local\Temp\*
2⤵
PID:4164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""E:\mag\estuary.bat" "
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h mag\countermanding.dat C:\Users\Admin\AppData\Local\Temp\*
2⤵
PID:1880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""E:\mag\estuary.bat" "
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4652

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h mag\countermanding.dat C:\Users\Admin\AppData\Local\Temp\*
2⤵
PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""E:\mag\estuary.bat" "
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4332

C:\Windows\system32\xcopy.exe
xcopy /s /i /e /h mag\countermanding.dat C:\Users\Admin\AppData\Local\Temp\*
2⤵
PID:2128

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\countermanding.dat
Filesize
2.8MB

MD5
1c33ff54542ea652f6d4eba0ec1f3ac3

SHA1
0f7b0dacdfc9cb37ab1aa84474673dd186e0739a

SHA256
b717633aca32bf358c9a4c7c82b4e54a1d78898a9c158ac4fb56f8327c0495a2

SHA512
57826879dbaa47fa592e74699b7f561e9a688af3e1db312fb33e61ac7a8c041b931834bc52fb8eb2d354de9fa3470a56850ef6dbd294b87fb63afcb8cf6d3303

Download Submit
C:\Users\Admin\AppData\Local\Temp\countermanding.dat
Filesize
2.8MB

MD5
1c33ff54542ea652f6d4eba0ec1f3ac3

SHA1
0f7b0dacdfc9cb37ab1aa84474673dd186e0739a

SHA256
b717633aca32bf358c9a4c7c82b4e54a1d78898a9c158ac4fb56f8327c0495a2

SHA512
57826879dbaa47fa592e74699b7f561e9a688af3e1db312fb33e61ac7a8c041b931834bc52fb8eb2d354de9fa3470a56850ef6dbd294b87fb63afcb8cf6d3303

Download Submit
memory/212-133-0x0000000000000000-mapping.dmp

Download
memory/212-137-0x00000177067B0000-0x0000017706910000-memory.dmp

Filesize
1.4MB

Download
memory/1880-139-0x0000000000000000-mapping.dmp

Download
memory/2128-141-0x0000000000000000-mapping.dmp

Download
memory/2316-136-0x0000000000000000-mapping.dmp

Download
memory/2404-132-0x0000000000000000-mapping.dmp

Download
memory/2664-140-0x0000000000000000-mapping.dmp

Download
memory/4164-138-0x0000000000000000-mapping.dmp

Download