Analysis
-
max time kernel
142s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
14-11-2022 17:17
General
-
Target
TA580_20221114.zip/project details.lnk
-
Size
995B
-
MD5
36c88fc4dad628187c082ebd899d448e
-
SHA1
6e27840f65ed3cc3c2b7af6778219e8681e3ec7a
-
SHA256
e420fc11b53ca2553521adf57668118b494cee687f54f64e79a5558f7a34c30f
-
SHA512
7709b7f348b56889a579da6b4efcc52d73372f3bcc4e0a93c721f6fb76540fc26f2f4aabad36385d291ef804e95efff9dc20bd7bc4e468117cfa29dd47ace6b5
Score
10/10
Malware Config
Extracted
Family
bumblebee
Botnet
1411
C2
107.189.13.247:443
64.44.102.241:443
54.37.130.24:443
rc4.plain
Signatures
-
BumbleBee
BumbleBee is a webshell malware written in C++.
-
Blocklisted process makes network request 6 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\TA580_20221114.zip\project details.lnk"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c DDmEtxgXtOVOLY.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32 aGySCShDWxUsAj.dll,LoadNode3⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
-
Filesize
480KB