Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-12-2022 00:20

General

  • Target

    required document-98765467.img

  • Size

    2.2MB

  • MD5

    047cbb85d06edca7f59b76c543e0e52d

  • SHA1

    8e98fa171813c2c05357b4c5cc0b39fd4fc9df2f

  • SHA256

    37e3e7320ef755d965f27a51a76059c124c6de5019a43c838bfb9e5ed158cc9f

  • SHA512

    293074598ed1fc69462b1c9cc96d5a3935d7d969d8a56d37cee89b2d2f8be770d909b64b8aba1473964697362c25c76a414000053c0c8d7ef2a2c784ba8c2c48

  • SSDEEP

    24576:6DkZUvnqlux0IJxnJov44aUNoBOFvgcOvF9RTySFWyFS67QsnK:6w6Tuv4EoVpySsCEO

Score
10/10

Malware Config

Extracted

Family

bumblebee

Botnet

14lg

C2

172.86.121.56:443

172.86.121.59:443

91.245.254.97:443

rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\required document-98765467.img"
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4960
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2856
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c opinions.bat
      1⤵
      • Checks computer location settings
      • Enumerates connected drives
      • Suspicious use of WriteProcessMemory
      PID:4824
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /K copy /y /b C:\Windows\System32\rundll32.exe C:\ProgramData\foI4lOHbjKlJKR.exe
        2⤵
        PID:3444
      • C:\Windows\system32\xcopy.exe
        xcopy /h /y policies.dll C:\ProgramData
        2⤵
        PID:2308
      • C:\ProgramData\foI4lOHbjKlJKR.exe
        "C:\ProgramData\foI4lOHbjKlJKR.exe" C:\ProgramData\policies.dll,CurkpvWin
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of NtCreateThreadExHideFromDebugger
        PID:4436
      • C:\Windows\system32\schtasks.exe
        SCHTASKS /create /tn "DesktopViewer" /f /tr "cmd.exe /c C:\programdata\foI4lOHbjKlJKR.exe C:\programdata\policies.dll,CurkpvWin" /sc hourly /mo 1 /sd 01/01/2022 /st 00:00
        2⤵
        • Creates scheduled task(s)
        PID:3256
      • C:\Windows\system32\taskkill.exe
        taskkill /F /im cmd.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2672

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\foI4lOHbjKlJKR.exe

    Filesize

    70KB

    MD5

    ef3179d498793bf4234f708d3be28633

    SHA1

    dd399ae46303343f9f0da189aee11c67bd868222

    SHA256

    b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa

    SHA512

    02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e

  • C:\ProgramData\policies.dll

    Filesize

    1015KB

    MD5

    8cc39d6695dc1db53a39bc8cd611411d

    SHA1

    842ce302441a3f94d82cbf33ff3515a766c6035d

    SHA256

    09ac0f7bde4d44ace68854f965fad27ad08037fcffc9c4f6d970c0af6a58b50b

    SHA512

    6f21fa303a4dd384fb3778d64a0c9c89662fb4563a093729ade12efedc9b5c7b3587979f7660efedc731f566e9f5e9abefb36fa62bd61b9b9230f1d46c8b53cf

  • memory/4436-144-0x000001596AC50000-0x000001596AD99000-memory.dmp

    Filesize

    1.3MB

  • memory/4436-145-0x000001596AA90000-0x000001596AB06000-memory.dmp

    Filesize

    472KB