Overview

overview

10

Static

static

test.exe

windows7-x64

8

test.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-11-2022 12:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    test.exe

  • Size

    2.7MB

  • MD5

    8fd4a4a504f74b802bfdaf03ec95a036

  • SHA1

    ef941774c3c50582ffaae6cfce6f18e50b7cf5d2

  • SHA256

    14bdd5687f39ec45ec665c360a96e503e0d6abfcb5ce7dc7285cbf2c16e9b92f

  • SHA512

    257f8084312bfbff3465cc5c484c7218f5bda1fa8b820c358ae40b6384e24373763d1f805d1e8d85a5418fc51c8d80959edf673ff3a467f2f523a6a2c53c45ba

  • SSDEEP

    49152:IBJhO6U1TlVSlRRltLYRd9mJ61KcWRN92hz61IiEEI3gL0td49T1LSqah:yjO6U1hVSlR/te2cPo+iI4z+P

Score
10/10
bumblebee2510evasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

2510

C2

69.46.15.158:443

135.125.241.35:443

172.86.120.141:443
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\test.exe
    "C:\Users\Admin\AppData\Local\Temp\test.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Users\Admin\AppData\Local\Temp\Mutual_67.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Mutual_67.pdf.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:3944
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C22C.tmp\C22D.tmp\C22E.bat C:\Users\Admin\AppData\Local\Temp\Mutual_67.pdf.exe"
        3⤵
        • Checks computer location settings
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3524
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\name.js"
          4⤵
          • Checks computer location settings
          PID:4952
          • C:\Windows\System32\cmdkey.exe
            "C:\Windows\System32\cmdkey.exe" /generic:Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\Admin\AppData\Local\Temp\2510c_cr69.zip /pass:kLjBEyO /user:""
            5⤵
              PID:3300
            • C:\Users\Admin\AppData\Local\Temp\Temp1_2510c_cr69.zip\2510c_cr69.exe
              "C:\Users\Admin\AppData\Local\Temp\Temp1_2510c_cr69.zip\2510c_cr69.exe"
              5⤵
              • Enumerates VirtualBox registry keys
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Looks for VirtualBox Guest Additions in registry
              • Executes dropped EXE
              • Checks BIOS information in registry
              • Identifies Wine through registry keys
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious behavior: EnumeratesProcesses
              PID:2168
            • C:\Windows\System32\cmdkey.exe
              "C:\Windows\System32\cmdkey.exe" /delete Microsoft_Windows_Shell_ZipFolder:filename=C:\Users\Admin\AppData\Local\Temp\2510c_cr69.zip
              5⤵
                PID:2972
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Mutual.pdf"
              4⤵
              • Checks processor information in registry
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3172
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:3324
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3C2433CF4722F06273295F35A27089D3 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                  6⤵
                    PID:4500
                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9E2D697EE336B9FD3B5A82B804EF4AF0 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9E2D697EE336B9FD3B5A82B804EF4AF0 --renderer-client-id=2 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job /prefetch:1
                    6⤵
                      PID:1928
                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CA2981831C5108C7CAC02BA0AF6DDB57 --mojo-platform-channel-handle=2184 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                      6⤵
                        PID:2384
                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=CC49AD3DAD292B81285EB2EDE1BB90F3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=CC49AD3DAD292B81285EB2EDE1BB90F3 --renderer-client-id=5 --mojo-platform-channel-handle=2204 --allow-no-sandbox-job /prefetch:1
                        6⤵
                          PID:1656
                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0099AAEE44F1E4E808E57399C28F8987 --mojo-platform-channel-handle=2548 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                          6⤵
                            PID:2352
                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B60B265A169E94E2CBE5587124F0DA35 --mojo-platform-channel-handle=2664 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                            6⤵
                              PID:1640
                  • C:\Windows\System32\CompPkgSrv.exe
                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                    1⤵
                      PID:2304

                    Network

                    MITRE ATT&CK Enterprise v6

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\C22C.tmp\C22D.tmp\C22E.bat
                      Filesize

                      1KB

                      MD5

                      38c904eb3b649ccd3cbf61d57b76c046

                      SHA1

                      1a699545e71e81c4c04ca1894bc3be9cc8f024b1

                      SHA256

                      4e58072d8f22782ef8e4e5a97ac7178cc7cd9a69b925ffe71537e79097263924

                      SHA512

                      a3613cd67349f05a1c4441202b100beac89ac0462f05586bed65bc28041488b03891dd86f7e80eb24ae2834a1b6929368db6d5f13a0d58904c3157e9a6363c86

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Mutual.pdf
                      Filesize

                      70KB

                      MD5

                      9672b8df2bfb3d9435b85e477dfead51

                      SHA1

                      be76ec9e0b5f903afea0943e9bbc7ffd6ef2766f

                      SHA256

                      73c818b60eea60e6c1a1e5688a373c6b8376ca4ea2ff269695fe6eeef134b3c8

                      SHA512

                      d3709875302560b329c6588c33a0fb7bf0083992298e9e26cd8282537f1224f720153df95af7fbc46b53531ba9fe8ff8af5370e9b7dc120a783e0fa44f4501b0

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Mutual_67.pdf.exe
                      Filesize

                      316KB

                      MD5

                      982bf5b99b3ca20cfc0d93444ca1c40d

                      SHA1

                      77a6d8b1b01863ffd68bd0030b3b6122c4f6e1da

                      SHA256

                      7b83d9b8592def23e8ca5075c4d13e8c008bdb5f8a04763c57a5d56e14e3c1e1

                      SHA512

                      d1a0ffe634f4fff5427e5efd399146d7acb02ba582425e3b69ed5dd796e77caa29c37f50cfa544ad57e0f926f768336ee24a8132c1ea4ab5f3d27dd3c6edd508

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Mutual_67.pdf.exe
                      Filesize

                      316KB

                      MD5

                      982bf5b99b3ca20cfc0d93444ca1c40d

                      SHA1

                      77a6d8b1b01863ffd68bd0030b3b6122c4f6e1da

                      SHA256

                      7b83d9b8592def23e8ca5075c4d13e8c008bdb5f8a04763c57a5d56e14e3c1e1

                      SHA512

                      d1a0ffe634f4fff5427e5efd399146d7acb02ba582425e3b69ed5dd796e77caa29c37f50cfa544ad57e0f926f768336ee24a8132c1ea4ab5f3d27dd3c6edd508

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Temp1_2510c_cr69.zip\2510c_cr69.exe
                      Filesize

                      2.7MB

                      MD5

                      bf5889c772dd1377789fb54da0c6d08c

                      SHA1

                      ffb4b43e63cdc19f6bd7904a8bccd16038780b23

                      SHA256

                      aea6933430252325e7bec04d778064ff973a4db0d7dd237622efca5ad1f7db20

                      SHA512

                      e34e4019694390c69084b05cea1707f730808a09521284ac7fe082e48eff9a0401fdb884f770dee3053a24247baca4a2c409f4be2d80da06dec9269d68053caa

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\Temp1_2510c_cr69.zip\2510c_cr69.exe
                      Filesize

                      2.7MB

                      MD5

                      bf5889c772dd1377789fb54da0c6d08c

                      SHA1

                      ffb4b43e63cdc19f6bd7904a8bccd16038780b23

                      SHA256

                      aea6933430252325e7bec04d778064ff973a4db0d7dd237622efca5ad1f7db20

                      SHA512

                      e34e4019694390c69084b05cea1707f730808a09521284ac7fe082e48eff9a0401fdb884f770dee3053a24247baca4a2c409f4be2d80da06dec9269d68053caa

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Temp\name.js
                      Filesize

                      2.9MB

                      MD5

                      a9f348be577f108d379aad0028581b62

                      SHA1

                      1b40e0080a659f9be8bc5f7d6ca55f455a8878d2

                      SHA256

                      9738196ea440301b0666fb6553b69e79ca60a563b6577d77d40aa871ed25c366

                      SHA512

                      6cb731f4f822de8a27738c1613e3633cc5c090f801dfb696f1c0eea6d389836be99c591e30886cceb895cf538b908ffa958c3ecebe7990032a9b265ed0b55274

                      Download Submit

                    • memory/2168-169-0x000001BC46210000-0x000001BC4635F000-memory.dmp

                      Filesize

                      1.3MB

                      Download

                    • memory/2168-168-0x000001BC46360000-0x000001BC464B3000-memory.dmp

                      Filesize

                      1.3MB

                      Download