bumblebee | 18ab01e312f13b5dcf847ffce6f2536083c24d7ed2195ddb84b5c106ff11fc24

Analysis

max time kernel
151s
max time network
144s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07-11-2022 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

project details.lnk
Size

995B
MD5

d9257c75c3196e49489be81a63e04cc9
SHA1

0caa3985f40ff5eb0c6d590d29654d226669578d
SHA256

3a988ed0f3b6dbc49f1e44be071df149c32cb5133c7bad96898ca3cbbf93d83b
SHA512

b4eaf6b098c05af6a0d50824e79ded405837e61e4bbdb1a93b802f1f30bc35a14af5db4997d4eb12d77c68f67e6f81ba38047bcd937807949a842d099935a709

Score

10^/10

bumblebee 0711 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

0711

85.239.52.15:443

85.239.54.192:443

85.239.52.113:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 6 IoCs

flow	pid	Process
1	1760	rundll32.exe
3	1760	rundll32.exe
4	1760	rundll32.exe
5	1760	rundll32.exe
6	1760	rundll32.exe
7	1760	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1760	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 1636	1632	cmd.exe	29
PID 1632 wrote to memory of 1636	1632	cmd.exe	29
PID 1632 wrote to memory of 1636	1632	cmd.exe	29
PID 1636 wrote to memory of 1760	1636	cmd.exe	30
PID 1636 wrote to memory of 1760	1636	cmd.exe	30
PID 1636 wrote to memory of 1760	1636	cmd.exe	30

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\project details.lnk"
1⤵
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c PDbfQsNCbKysMm.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\system32\rundll32.exe
    rundll32 mGntZOOiFtyWBy.dll,csvcrun
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of NtCreateThreadExHideFromDebugger
    PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1632-54-0x000007FEFC611000-0x000007FEFC613000-memory.dmp

Filesize
8KB

Download
memory/1760-93-0x0000000001C60000-0x0000000001CD6000-memory.dmp

Filesize
472KB

Download
memory/1760-94-0x0000000001EB0000-0x0000000001FF9000-memory.dmp

Filesize
1.3MB

Download
memory/1760-95-0x0000000001C60000-0x0000000001CD6000-memory.dmp

Filesize
472KB

Download