Overview

overview

10

Static

static

Invoice_09...83.iso

windows10-2004-x64

10

Resubmissions

29-09-2022 16:59

220929-vhh8dabeb9 10

29-09-2022 16:54

220929-vehgnsbeb5 0

Analysis

  • max time kernel
    65s
  • max time network
    82s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-09-2022 16:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice_09-12-22_order_83.iso

  • Size

    4.2MB

  • MD5

    0c36704774ee6638904dee295615d300

  • SHA1

    cc1e1579b73dd1dac3fa16156e0056d11eaa3e87

  • SHA256

    5d5502e6a5a6ee273ffa23e8a400a1aa53d98a86299996194c338403098dcbdb

  • SHA512

    1fff99909ad09497cdc6f5c37ad7f3abc307daf0a7000d5b0e1456e2d184aa5b44b774f3ecd42f2fdc9d001566bdbb8c20900f1fc7bf78df925c85f75ff1bb34

  • SSDEEP

    49152:af+yMskuLMNWBqp6kzWjaNRVErtAuOm5gE2dkPa:af+EkuLS32tqmyE2Gy

Score
10/10
bumblebee1209evasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

1209

C2

142.11.211.32:443

146.59.116.49:443

192.236.155.219:443
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Invoice_09-12-22_order_83.iso
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1976
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4916
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""E:\mar\compete.bat" "
      1⤵
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Windows\system32\xcopy.exe
        xcopy /s /i /e /h mar\deconditioning.dat C:\Users\Admin\AppData\Local\Temp\*
        2⤵
          PID:696
        • C:\Windows\system32\rundll32.exe
          rundll32 C:\Users\Admin\AppData\Local\Temp\deconditioning.dat,vcsfile
          2⤵
          • Enumerates VirtualBox registry keys
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Looks for VirtualBox Guest Additions in registry
          • Checks BIOS information in registry
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          PID:2200
      • C:\Windows\System32\NOTEPAD.EXE
        "C:\Windows\System32\NOTEPAD.EXE" E:\mar\compete.bat
        1⤵
        • Enumerates connected drives
        PID:968

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\deconditioning.dat
        Filesize

        2.8MB

        MD5

        8acc92f40298cd4daa5fd6ce6c71730f

        SHA1

        b5d65e27d27a760b43a76f72fc8ef5724fefeadf

        SHA256

        d32ce69eeeef39c600c6fb34882178b300845b81e53342f017ab127cb9d2e04a

        SHA512

        2797b80197231f6aac1229990a61fac542cb4cac90b92cb430d71da9ab3856eb04d194c35795262e6a586c2353f598e5f34fec442b1a56595ab2df08349f468d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\deconditioning.dat
        Filesize

        2.8MB

        MD5

        8acc92f40298cd4daa5fd6ce6c71730f

        SHA1

        b5d65e27d27a760b43a76f72fc8ef5724fefeadf

        SHA256

        d32ce69eeeef39c600c6fb34882178b300845b81e53342f017ab127cb9d2e04a

        SHA512

        2797b80197231f6aac1229990a61fac542cb4cac90b92cb430d71da9ab3856eb04d194c35795262e6a586c2353f598e5f34fec442b1a56595ab2df08349f468d

        Download Submit

      • memory/2200-136-0x000001E8CEB80000-0x000001E8CECE0000-memory.dmp

        Filesize

        1.4MB

        Download