Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09/11/2022, 13:32

General

  • Target

    newfile111.xlsm

  • Size

    56KB

  • MD5

    cd67efd2d67af651b798ef6e345399de

  • SHA1

    cd83b6f54770e1a856852c153800cca0a5d84bce

  • SHA256

    b34459452ccc6dc19b432455779d3c881926f202d93158e846f94d979e9361e7

  • SHA512

    39749837c3b4c7d224db7e6d81e71401f3b9376c743956b9c3fc4f098276f42a50488db971587a8c193832524a372844ec5e1929ea8afd599acbded314a845af

  • SSDEEP

    768:KtntW3gxWpt1J3S5f3v4Jfa3ODVs3KnooaRHIuZVvFn8+5/LNSlC10MoE:itfxWLC5/wJi3eVsdtLVv15/9foE

Score
10/10

Malware Config

Extracted

Family

bumblebee

Botnet

0411r

C2

172.86.121.123:443

176.223.165.125:443

45.66.248.216:443

rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Downloads MZ/PE file
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\newfile111.xlsm"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3836
    • C:\Windows\SYSTEM32\rundll32.exe
      rundll32 name.dll,SendData
      2⤵
      • Process spawned unexpected child process
      • Loads dropped DLL
      • Suspicious use of NtCreateThreadExHideFromDebugger
      PID:3168

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\Documents\name.dll

    Filesize

    992KB

    MD5

    625105a4360a1c57262d5e1abf589ba2

    SHA1

    ee10289a0b6e2fbc01680ebd78affd4e91508a6e

    SHA256

    0381eadbd30718d4d57ec54a9ee9f5113df770a24b9017e9b16a0e0804c86ec7

    SHA512

    1a74224b8ae6361715e5e98aac1e5fa1bef1047289588b732e0b8854ea967b21ba3bb60ec906276e4c1e89041dfade19482cc4a49a90aec6922434cd81b326f9

  • memory/3168-142-0x0000024346B70000-0x0000024346CB9000-memory.dmp

    Filesize

    1.3MB

  • memory/3168-143-0x0000024345020000-0x0000024345096000-memory.dmp

    Filesize

    472KB

  • memory/3836-132-0x00007FF7F2C90000-0x00007FF7F2CA0000-memory.dmp

    Filesize

    64KB

  • memory/3836-134-0x00007FF7F2C90000-0x00007FF7F2CA0000-memory.dmp

    Filesize

    64KB

  • memory/3836-133-0x00007FF7F2C90000-0x00007FF7F2CA0000-memory.dmp

    Filesize

    64KB

  • memory/3836-135-0x00007FF7F2C90000-0x00007FF7F2CA0000-memory.dmp

    Filesize

    64KB

  • memory/3836-136-0x00007FF7F2C90000-0x00007FF7F2CA0000-memory.dmp

    Filesize

    64KB

  • memory/3836-137-0x00007FF7F0330000-0x00007FF7F0340000-memory.dmp

    Filesize

    64KB

  • memory/3836-138-0x00007FF7F0330000-0x00007FF7F0340000-memory.dmp

    Filesize

    64KB