bumblebee | 204888f940e1bfe5ef634403a096f4de5ef88b154f037539f5de7274d7f3349d

Analysis

max time kernel
133s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2023 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

project requirements.lnk
Size

981B
MD5

9b512828eb27519424b4985ae1160075
SHA1

d73d9c30a84c83bcc54a53d42bff7d43eebba5b5
SHA256

14d23f1c4316b2748f257f72b3fdac993b304c73c58ebb12a754f27feb0050fc
SHA512

163d589c12c7214b5f0be5d1b7de78edd9e17d721c4de07c80a4c8a9895a116658212fd7d00c05588bb89c5b7eb1626b8ff2cf17ffb4f05a5700d27922c2f343

Score

10^/10

bumblebee 102lg trojan

Malware Config

Extracted

Family

bumblebee

Botnet

102lg

146.70.29.237:443

205.185.113.34:443

23.106.223.182:443

103.144.139.146:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
868	G84IrBV5PP.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
868	G84IrBV5PP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 1316	4988	cmd.exe	83
PID 4988 wrote to memory of 1316	4988	cmd.exe	83
PID 1316 wrote to memory of 3440	1316	cmd.exe	84
PID 1316 wrote to memory of 3440	1316	cmd.exe	84
PID 3440 wrote to memory of 3504	3440	cmd.exe	85
PID 3440 wrote to memory of 3504	3440	cmd.exe	85
PID 1316 wrote to memory of 868	1316	cmd.exe	86
PID 1316 wrote to memory of 868	1316	cmd.exe	86

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\project requirements.lnk"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c samsung.bat
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Windows\system32\cmd.exe
    cmd.exe /c start /b /min copy /Y C:\Windows\System32\rundll32.exe C:\ProgramData\G84IrBV5PP.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K copy /Y C:\Windows\System32\rundll32.exe C:\ProgramData\G84IrBV5PP.exe
      4⤵
      PID:3504
- - C:\ProgramData\G84IrBV5PP.exe
    "C:\ProgramData\G84IrBV5PP.exe" Photos.dll,stProgNew
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtCreateThreadExHideFromDebugger
    PID:868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\G84IrBV5PP.exe

Filesize
70KB

MD5
ef3179d498793bf4234f708d3be28633

SHA1
dd399ae46303343f9f0da189aee11c67bd868222

SHA256
b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa

SHA512
02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e

Download Submit
C:\ProgramData\G84IrBV5PP.exe

Filesize
70KB

MD5
ef3179d498793bf4234f708d3be28633

SHA1
dd399ae46303343f9f0da189aee11c67bd868222

SHA256
b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa

SHA512
02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e

Download Submit
memory/868-138-0x000001E74C520000-0x000001E74C681000-memory.dmp

Filesize
1.4MB

Download
memory/868-139-0x000001E74AA30000-0x000001E74AAAF000-memory.dmp

Filesize
508KB

Download