Analysis
-
max time kernel
184s -
max time network
189s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
09-12-2022 02:27
General
-
Target
0dSnW/document01.lnk
-
Size
1KB
-
MD5
c6f1fecaca46ba66f28625f252db236c
-
SHA1
9078d131c23cdb9ca4839553b1052e12e4fc55e0
-
SHA256
fbaa8b0ce2175c7a36192b7d4d35b359b344a37a2c2ce1460b7393f21ac8c05a
-
SHA512
c741047eba96ce3596b0198d81abfa17d53a2a9dce3973ef057f1cfacea537ae13e9f51be30c8ac4d0ee93914905a881a3e498b65ee1a206821a3553a6a21462
Malware Config
Extracted
bumblebee
0712
192.254.79.122:443
139.177.146.25:443
104.219.233.145:443
Signatures
-
BumbleBee
BumbleBee is a webshell malware written in C++.
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Kills process with taskkill 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\0dSnW\document01.lnk1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c Page.bat2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K copy /y /b C:\Windows\System32\rundll32.exe C:\ProgramData\aMq7gB3fPYTY.exe3⤵
-
-
C:\Windows\system32\xcopy.exexcopy /h /y aboutUs.dll C:\ProgramData3⤵
-
-
C:\ProgramData\aMq7gB3fPYTY.exe"C:\ProgramData\aMq7gB3fPYTY.exe" C:\ProgramData\aboutUs.dll,CoReadNode3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
-
-
C:\Windows\system32\schtasks.exeSCHTASKS /create /tn "AppSelect" /f /tr "cmd.exe /c C:\programdata\aMq7gB3fPYTY.exe C:\programdata\aboutUs.dll,CoReadNode" /sc hourly /mo 1 /sd 01/01/2022 /st 00:003⤵
- Creates scheduled task(s)
-
-
C:\Windows\system32\taskkill.exetaskkill /F /im cmd.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
70KB
MD5ef3179d498793bf4234f708d3be28633
SHA1dd399ae46303343f9f0da189aee11c67bd868222
SHA256b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa
SHA51202aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e
-
Filesize
70KB
MD5ef3179d498793bf4234f708d3be28633
SHA1dd399ae46303343f9f0da189aee11c67bd868222
SHA256b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa
SHA51202aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e
-
Filesize
1.5MB
MD5829e1ae91a3362f708f6e9a9222279ed
SHA1ae505fd299c6c75660f88c8710b00f1ab8d42766
SHA256f70cbdde53a4bacee3410caf7666f303e6958f8d1d0fb678afbfa1093e38b4cb
SHA512030226487b6d3ae2c53ff9729be731f692c798208e25024ea914cee14e9bfcc2edc94b31a54e355fcef93d6ee5d8c5a260b3621170a6b3b09f6553984eaf1299
-
Filesize
1.5MB
MD5829e1ae91a3362f708f6e9a9222279ed
SHA1ae505fd299c6c75660f88c8710b00f1ab8d42766
SHA256f70cbdde53a4bacee3410caf7666f303e6958f8d1d0fb678afbfa1093e38b4cb
SHA512030226487b6d3ae2c53ff9729be731f692c798208e25024ea914cee14e9bfcc2edc94b31a54e355fcef93d6ee5d8c5a260b3621170a6b3b09f6553984eaf1299
-
Filesize
1.3MB
-
Filesize
468KB