Analysis

  • max time kernel
    134s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-02-2023 19:00

General

  • Target

    project information.lnk

  • Size

    981B

  • MD5

    ab75f98820d239a2f300d1258e65ff57

  • SHA1

    9571afbbc444cdf6ede14c0996e6e915ef21baed

  • SHA256

    0d395daea134bf3ad5d52e47424725842391ceef3fba206031038f9d9f570191

  • SHA512

    9929dc69ce18949b9b6efb36d501bb92a7ae7f18a82f61245088de474258ab8c33e701bc4e5f52394a7bbe80bec48269989ada0ed989ef206e3040b27a45a6ea

Score
10/10

Malware Config

Extracted

Family

bumblebee

Botnet

102lg

C2

146.70.29.237:443

205.185.113.34:443

23.106.223.182:443

103.144.139.146:443

rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\project information.lnk"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:5056
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c cookies.bat
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:648
      • C:\Windows\system32\cmd.exe
        cmd.exe /c start /b /min copy /Y C:\Windows\System32\rundll32.exe C:\ProgramData\u9OwF0LTWHo.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:364
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /K copy /Y C:\Windows\System32\rundll32.exe C:\ProgramData\u9OwF0LTWHo.exe
          4⤵
            PID:1036
        • C:\ProgramData\u9OwF0LTWHo.exe
          "C:\ProgramData\u9OwF0LTWHo.exe" ambien.dll,stProgNew
          3⤵
          • Executes dropped EXE
          • Suspicious use of NtCreateThreadExHideFromDebugger
          PID:1752

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\u9OwF0LTWHo.exe

      Filesize

      70KB

      MD5

      ef3179d498793bf4234f708d3be28633

      SHA1

      dd399ae46303343f9f0da189aee11c67bd868222

      SHA256

      b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa

      SHA512

      02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e

    • C:\ProgramData\u9OwF0LTWHo.exe

      Filesize

      70KB

      MD5

      ef3179d498793bf4234f708d3be28633

      SHA1

      dd399ae46303343f9f0da189aee11c67bd868222

      SHA256

      b53f3c0cd32d7f20849850768da6431e5f876b7bfa61db0aa0700b02873393fa

      SHA512

      02aff154762d7e53e37754f878ce6aa3f4df5a1eb167e27f13d9762dced32bec892bfa3f3314e3c6dce5998f7d3c400d7d0314b9326eedcab72207c60b3d332e

    • memory/1752-138-0x000001DCCF330000-0x000001DCCF491000-memory.dmp

      Filesize

      1.4MB

    • memory/1752-139-0x000001DCCF0C0000-0x000001DCCF13F000-memory.dmp

      Filesize

      508KB