bumblebee | 6581212a5a17193ec0a33c6df595b5d3718ffd2cf139f9e6d6200496511d4c99

Resubmissions

31-10-2022 11:02

221031-m5mkbaagb9 10

27-10-2022 17:41

221027-v9ez2adagn 10

Analysis

max time kernel
90s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2022 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

name.js
Size

2.9MB
MD5

a9f348be577f108d379aad0028581b62
SHA1

1b40e0080a659f9be8bc5f7d6ca55f455a8878d2
SHA256

9738196ea440301b0666fb6553b69e79ca60a563b6577d77d40aa871ed25c366
SHA512

6cb731f4f822de8a27738c1613e3633cc5c090f801dfb696f1c0eea6d389836be99c591e30886cceb895cf538b908ffa958c3ecebe7990032a9b265ed0b55274
SSDEEP

49152:kbjaWSNgrJ33PjAgEhI5rxK0uEuiY0YtZMK23Y:f

Score

10^/10

bumblebee 2510 evasion trojan

Malware Config

Extracted

Family

bumblebee

Botnet

2510

69.46.15.158:443

135.125.241.35:443

172.86.120.141:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	2510c_cr69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	2510c_cr69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	2510c_cr69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	2510c_cr69.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	2510c_cr69.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2510c_cr69.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	2510c_cr69.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	2510c_cr69.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	2510c_cr69.exe

Executes dropped EXE 1 IoCs

pid	Process
4380	2510c_cr69.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2510c_cr69.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2510c_cr69.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	2510c_cr69.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	wscript.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Wine	2510c_cr69.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4380	2510c_cr69.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe
4380	2510c_cr69.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 1100	4788	wscript.exe	81
PID 4788 wrote to memory of 1100	4788	wscript.exe	81
PID 4788 wrote to memory of 4380	4788	wscript.exe	85
PID 4788 wrote to memory of 4380	4788	wscript.exe	85
PID 4788 wrote to memory of 1764	4788	wscript.exe	89
PID 4788 wrote to memory of 1764	4788	wscript.exe	89

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\name.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\System32\cmdkey.exe
  "C:\Windows\System32\cmdkey.exe" /generic:Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\Admin\AppData\Local\Temp\2510c_cr69.zip /pass:kLjBEyO /user:""
  2⤵
  PID:1100
- C:\Users\Admin\AppData\Local\Temp\Temp1_2510c_cr69.zip\2510c_cr69.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_2510c_cr69.zip\2510c_cr69.exe"
  2⤵
  - Enumerates VirtualBox registry keys
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Looks for VirtualBox Guest Additions in registry
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:4380
- C:\Windows\System32\cmdkey.exe
  "C:\Windows\System32\cmdkey.exe" /delete Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\Admin\AppData\Local\Temp\2510c_cr69.zip
  2⤵
  PID:1764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Temp1_2510c_cr69.zip\2510c_cr69.exe

Filesize
2.7MB

MD5
bf5889c772dd1377789fb54da0c6d08c

SHA1
ffb4b43e63cdc19f6bd7904a8bccd16038780b23

SHA256
aea6933430252325e7bec04d778064ff973a4db0d7dd237622efca5ad1f7db20

SHA512
e34e4019694390c69084b05cea1707f730808a09521284ac7fe082e48eff9a0401fdb884f770dee3053a24247baca4a2c409f4be2d80da06dec9269d68053caa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_2510c_cr69.zip\2510c_cr69.exe

Filesize
2.7MB

MD5
bf5889c772dd1377789fb54da0c6d08c

SHA1
ffb4b43e63cdc19f6bd7904a8bccd16038780b23

SHA256
aea6933430252325e7bec04d778064ff973a4db0d7dd237622efca5ad1f7db20

SHA512
e34e4019694390c69084b05cea1707f730808a09521284ac7fe082e48eff9a0401fdb884f770dee3053a24247baca4a2c409f4be2d80da06dec9269d68053caa

Download Submit
memory/4380-136-0x0000024943EA0000-0x0000024943FF3000-memory.dmp

Filesize
1.3MB

Download
memory/4380-137-0x0000024943D50000-0x0000024943E9F000-memory.dmp

Filesize
1.3MB

Download