Overview

overview

10

Static

static

OyNrEOXqQnrBVp.dll

windows7-x64

10

OyNrEOXqQnrBVp.dll

windows10-2004-x64

10

documents.lnk

windows7-x64

10

documents.lnk

windows10-2004-x64

10

swBdvsXKmEsXgd.bat

windows7-x64

10

swBdvsXKmEsXgd.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    03-11-2022 22:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    documents.lnk

  • Size

    995B

  • MD5

    d427e019e49028f4062aaabac1d861aa

  • SHA1

    0eb483a71363383046df31ef34ad0adba2e2f92e

  • SHA256

    82be83916929f212ea1c6b41fa731a767140cec9ba3e0becf652c9185092ded5

  • SHA512

    68a0a7419d2fde01d4654c8703301385e0284c56303cde86234d7ba3d38a114b96c371924ee484c1b2e039042a1cecf4558e88bc8ac65662d66ecfc30fb4b75b

Score
10/10
bumblebee0311trojan

Malware Config

Extracted

Family

bumblebee

Botnet

0311

C2

64.44.102.224:443

146.70.161.59:443

192.236.194.104:443
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Blocklisted process makes network request 6 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\documents.lnk
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1448
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c swBdvsXKmEsXgd.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Windows\system32\rundll32.exe
        rundll32 OyNrEOXqQnrBVp.dll,BasicLoad
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        PID:1824

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1448-54-0x000007FEFB9E1000-0x000007FEFB9E3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1824-93-0x0000000001F50000-0x0000000002099000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/1824-94-0x0000000001CC0000-0x0000000001D36000-memory.dmp

    Filesize

    472KB

    Download