Overview

overview

10

Static

static

Invoice_10...DF.iso

windows10-2004-x64

10

Resubmissions

08-10-2022 17:42

221008-v99veafbb9 10

08-10-2022 17:07

221008-vmz2pafae6 0

Analysis

  • max time kernel
    92s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-10-2022 17:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Invoice_10-05_order_243_PDF.iso

  • Size

    5.1MB

  • MD5

    7ac101af437a95d3c807b700cea04b5c

  • SHA1

    fd13343f8385faf32457f68759f53d64933e08f3

  • SHA256

    a035499bec49b0cc817c1b28c54c3e54bf32da37ead102ddcecc774b78f787cc

  • SHA512

    c4ccfb59ce8e7e4ddc7e220e54775ea6132f1f471c7caefecae58bac4113ca77918aa4a65d782503c7f1c76a619a9bec5394a999f0bb6fd69b3feb6a36c12c01

  • SSDEEP

    49152:2i85Zvppa5zh0ldtkedFfzgoOxP0Jh44m:Fao9h6diYhaxP0Jh44m

Score
10/10
bumblebee0510evasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

0510

C2

51.83.250.102:443

150.125.181.52:443

208.115.216.246:443

192.119.77.44:443
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Invoice_10-05_order_243_PDF.iso
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:2028
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2832
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""E:\cobshyrawroe\readingbowling.bat" "
      1⤵
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:2364
      • C:\Windows\system32\xcopy.exe
        xcopy /s /i /e /h cobshyrawroe\sidesplitting.dat C:\Users\Admin\AppData\Local\Temp\*
        2⤵
          PID:5076
        • C:\Windows\system32\rundll32.exe
          rundll32 C:\Users\Admin\AppData\Local\Temp\sidesplitting.dat,ctrlrun
          2⤵
          • Enumerates VirtualBox registry keys
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Looks for VirtualBox Guest Additions in registry
          • Checks BIOS information in registry
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          PID:1340
      • C:\Windows\System32\NOTEPAD.EXE
        "C:\Windows\System32\NOTEPAD.EXE" E:\cobshyrawroe\readingbowling.bat
        1⤵
        • Enumerates connected drives
        PID:3300

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\sidesplitting.dat
        Filesize

        3.7MB

        MD5

        5f2108e9d4e01aa602780f444e288d4c

        SHA1

        dc2fcc2539c7b624469996c174ec3361d4f5434c

        SHA256

        f3035775e9bed079ad27360e3cb6efbc4877b9a1bf72ad6d42e63cff10650541

        SHA512

        e3aaaf69f5ce2b810a94369bd129e5c09485fbbdc98d4f3dbb85437f0cb042c03ce02f87ed7684e4188d8dc704f52b569fc7a2abcbeb38b3191a83d104c13f97

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\sidesplitting.dat
        Filesize

        3.7MB

        MD5

        5f2108e9d4e01aa602780f444e288d4c

        SHA1

        dc2fcc2539c7b624469996c174ec3361d4f5434c

        SHA256

        f3035775e9bed079ad27360e3cb6efbc4877b9a1bf72ad6d42e63cff10650541

        SHA512

        e3aaaf69f5ce2b810a94369bd129e5c09485fbbdc98d4f3dbb85437f0cb042c03ce02f87ed7684e4188d8dc704f52b569fc7a2abcbeb38b3191a83d104c13f97

        Download Submit

      • memory/1340-136-0x0000026EA5500000-0x0000026EA5653000-memory.dmp

        Filesize

        1.3MB

        Download