bumblebee | e65bee5931c1b6a56847d37b422d5a45a9f5ebef25da7f37298ee08d01847c89

Analysis

max time kernel
131s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2022 10:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Document_9698.iso
Size

980KB
MD5

580ca5949eb9343c7ef11f4b33d18d34
SHA1

99c3d33be090aecdfaa0578e9241a67b4a9775b9
SHA256

e65bee5931c1b6a56847d37b422d5a45a9f5ebef25da7f37298ee08d01847c89
SHA512

dc672231d7adb1bee98fb3cb5321985f976eb040f2adc6fdccca8af0addf8fb1bbadcf69cf85d4aff18be43fd261fe9cd7676aaa862db8668be0a977149e87b5
SSDEEP

12288:bAth+FYv2Mo+Rp0XZL9xa/H+091EHXP7ZCID1iQhc7RAVG2o+WVwDXsHLfumzOip:cn+FY+mmV9QW005hayuQXsrfumFPR

Score

10^/10

bumblebee 0211r trojan

Malware Config

Extracted

Family

bumblebee

Botnet

0211r

193.109.120.156:443

192.111.146.184:443

104.219.233.113:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Executes dropped EXE 1 IoCs

pid	Process
4196	straighteningElaine.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	cmd.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4196	straighteningElaine.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	384	cmd.exe
Token: SeManageVolumePrivilege	384	cmd.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4108 wrote to memory of 4196	4108	cmd.exe	96
PID 4108 wrote to memory of 4196	4108	cmd.exe	96

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Document_9698.iso
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:384

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1132

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""E:\maidservant\snider.bat" "
1⤵
- Enumerates connected drives
- Suspicious use of WriteProcessMemory
PID:4108
- C:\Users\Admin\AppData\Local\Temp\straighteningElaine.exe
  C:\Users\Admin\AppData\Local\Temp\\straighteningElaine.exe maidservant\hasten.dat,Qruncore
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:4196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\straighteningElaine.exe

Filesize
70KB

MD5
ef3179d498793bf4234f708d3be28633

SHA1
dd399ae46303343f9f0da189aee11c67bd868222

SHA256
b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa

SHA512
02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e

Download Submit
memory/4196-134-0x000001B54E9A0000-0x000001B54EAE9000-memory.dmp

Filesize
1.3MB

Download
memory/4196-135-0x000001B54E7B0000-0x000001B54E826000-memory.dmp

Filesize
472KB

Download