Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
06-12-2022 23:16
General
-
Target
order.lnk
-
Size
1KB
-
MD5
b72d56cfad5baae4998ed2cfd973d32f
-
SHA1
ec16c82eff62e4b1beba2f04c9f5ecb0c955e3da
-
SHA256
ac8e67644d7b6b6f0bd78522a3568c98fe386a23542f73a2ec1a3cff4f433684
-
SHA512
5513fc13e402538a953b6db220b5b784eadd2f5326fdedad3820c794981ca6d2c2c361da7898aec31b7fdf5f0723b3fec656b2e532fa7b8a7628471d8d7ab1d5
Malware Config
Extracted
bumblebee
0612
23.106.223.144:443
139.177.146.137:443
172.86.123.150:443
149.3.170.236:443
Signatures
-
BumbleBee
BumbleBee is a webshell malware written in C++.
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\order.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c matrix.bat2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K copy /y /b C:\Windows\System32\rundll32.exe C:\ProgramData\oiv0I4ymqE.exe3⤵
-
-
C:\Windows\system32\xcopy.exexcopy /h /y worldsex.dll C:\ProgramData3⤵
-
-
C:\ProgramData\oiv0I4ymqE.exe"C:\ProgramData\oiv0I4ymqE.exe" C:\ProgramData\worldsex.dll,mainRngSet3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /create /tn "DesktopApps" /f /tr "cmd.exe /c C:\programdata\oiv0I4ymqE.exe C:\programdata\worldsex.dll,mainRngSet" /sc hourly /mo 1 /sd 01/01/2022 /st 00:003⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\taskkill.exetaskkill /F /im cmd.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD5ef3179d498793bf4234f708d3be28633
SHA1dd399ae46303343f9f0da189aee11c67bd868222
SHA256b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa
SHA51202aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e
-
Filesize
70KB
MD5ef3179d498793bf4234f708d3be28633
SHA1dd399ae46303343f9f0da189aee11c67bd868222
SHA256b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa
SHA51202aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e
-
Filesize
832KB
MD5e9574d9836286e631822e492a7b0d560
SHA1911cab76f98b0701ee53a70d30faad9dfbdaae1c
SHA2561436cd7b3ec8fc3941292fad31475711a89b050bd1d87cdbbbf2866394dad099
SHA5123b0a8a1ef518f01c6bff5614c10c15ef9d0380854721f543e4da738f2fc47548a2992bebe9538e636f0b5ee672bde92fea0c768b64dea87ef137dc13454fcd8f
-
Filesize
832KB
MD5e9574d9836286e631822e492a7b0d560
SHA1911cab76f98b0701ee53a70d30faad9dfbdaae1c
SHA2561436cd7b3ec8fc3941292fad31475711a89b050bd1d87cdbbbf2866394dad099
SHA5123b0a8a1ef518f01c6bff5614c10c15ef9d0380854721f543e4da738f2fc47548a2992bebe9538e636f0b5ee672bde92fea0c768b64dea87ef137dc13454fcd8f
-
Filesize
1.3MB
-
Filesize
468KB