bumblebee | 547294e9d1cd43c6d8582d62813c7aa26b81ef8affe7d16f3657a4ae202af1b1

General

Target

license.lnk
Size

1KB
MD5

377afef57fefdb218447d638af7d4100
SHA1

0e8aec41d862caaebda8e9ce6db0c240bd3fc37b
SHA256

20913c758b88611778b28a5eada7bf762b56f20de8b687886968aad9f12e6129
SHA512

f327fcd9d64094fe23bf7f28ec176e07d24eba2d9140ff321ba2343c6ce5761b9de5522d117a2a5c82096966fc4319d9034da7457a6b7a81260a63f320f483a7

Score

10^/10

bumblebee 1412 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

1412

C2

108.62.141.52:443

23.82.140.180:443

198.98.51.235:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Executes dropped EXE 1 IoCs

pid	Process
2000	kyR1JyHYpWnDvn.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2000	kyR1JyHYpWnDvn.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2000	kyR1JyHYpWnDvn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2812	schtasks.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2904	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	taskkill.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 5116	2552	cmd.exe	83
PID 2552 wrote to memory of 5116	2552	cmd.exe	83
PID 5116 wrote to memory of 3184	5116	cmd.exe	84
PID 5116 wrote to memory of 3184	5116	cmd.exe	84
PID 5116 wrote to memory of 4752	5116	cmd.exe	85
PID 5116 wrote to memory of 4752	5116	cmd.exe	85
PID 5116 wrote to memory of 2000	5116	cmd.exe	86
PID 5116 wrote to memory of 2000	5116	cmd.exe	86
PID 5116 wrote to memory of 2812	5116	cmd.exe	88
PID 5116 wrote to memory of 2812	5116	cmd.exe	88
PID 5116 wrote to memory of 2904	5116	cmd.exe	89
PID 5116 wrote to memory of 2904	5116	cmd.exe	89

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\license.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c forum_old.bat
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:5116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K copy /y /b C:\Windows\System32\rundll32.exe C:\ProgramData\kyR1JyHYpWnDvn.exe
    3⤵
    PID:3184
- - C:\Windows\system32\xcopy.exe
    xcopy /h /y devx_foot2.dll C:\ProgramData
    3⤵
    PID:4752
- - C:\ProgramData\kyR1JyHYpWnDvn.exe
    "C:\ProgramData\kyR1JyHYpWnDvn.exe" C:\ProgramData\devx_foot2.dll,CurkpvWin
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    PID:2000
- - C:\Windows\system32\schtasks.exe
    SCHTASKS /create /tn "DesktopViewer" /f /tr "cmd.exe /c C:\programdata\kyR1JyHYpWnDvn.exe C:\programdata\devx_foot2.dll,CurkpvWin" /sc hourly /mo 1 /sd 01/01/2022 /st 00:00
    3⤵
    - Creates scheduled task(s)
    PID:2812
- - C:\Windows\system32\taskkill.exe
    taskkill /F /im cmd.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\devx_foot2.dll

Filesize
1005KB

MD5
b955bf20f8c1b01b9f1d12023183115d

SHA1
1649e261310a5cd12965bc7a6440c18adaeea6b9

SHA256
84155dc50b0e963c16477793e5814b9feb9603b80924a047d7558a26228b6749

SHA512
4bee83ee71c7ce24d2488170c1b15861e280efa25637447d4b1b18acfcbe178ba4a21d70590771f617219dc20b26fec1da9b3ffd00480cfe06efc1833237a1e7

Download Submit
C:\ProgramData\devx_foot2.dll

Filesize
1005KB

MD5
b955bf20f8c1b01b9f1d12023183115d

SHA1
1649e261310a5cd12965bc7a6440c18adaeea6b9

SHA256
84155dc50b0e963c16477793e5814b9feb9603b80924a047d7558a26228b6749

SHA512
4bee83ee71c7ce24d2488170c1b15861e280efa25637447d4b1b18acfcbe178ba4a21d70590771f617219dc20b26fec1da9b3ffd00480cfe06efc1833237a1e7

Download Submit
C:\ProgramData\kyR1JyHYpWnDvn.exe

Filesize
70KB

MD5
ef3179d498793bf4234f708d3be28633

SHA1
dd399ae46303343f9f0da189aee11c67bd868222

SHA256
b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa

SHA512
02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e

Download Submit
C:\ProgramData\kyR1JyHYpWnDvn.exe

Filesize
70KB

MD5
ef3179d498793bf4234f708d3be28633

SHA1
dd399ae46303343f9f0da189aee11c67bd868222

SHA256
b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa

SHA512
02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e

Download Submit
memory/2000-142-0x0000021C239B0000-0x0000021C23A26000-memory.dmp

Filesize
472KB

Download
memory/2000-143-0x0000021C23B70000-0x0000021C23CB9000-memory.dmp

Filesize
1.3MB

Download
memory/2000-144-0x0000021C239B0000-0x0000021C23A26000-memory.dmp

Filesize
472KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads