bumblebee | 9086c173ad998545a39547935579ab6ee7a8db5e13d04643a8ca558fd67805dc

Analysis

max time kernel
31s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
06-03-2023 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quote.lnk
Size

1KB
MD5

4166dc23c9ffb1fe465288801da97ca9
SHA1

0e7319378d7cb33f123cd804630c7644384e8931
SHA256

940182dd2eaf42327457d249f781274b07e7978b62dca0ae4077b438a8e13937
SHA512

60d65cd412938bb55cd268ac81ba05e90790a12755b1d2bcdc351339dac88339b6851e1272716cb3dc3652900226b098b2c3b9b137bcc820510b65f36cb03aff

Score

10^/10

bumblebee 1508 evasion trojan

Malware Config

Extracted

Family

bumblebee

rc4.plain

Extracted

Family

bumblebee

Botnet

1508

172.93.201.138:443

116.142.140.251:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	powershell.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	powershell.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	powershell.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	powershell.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	powershell.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	powershell.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\SOFTWARE\Wine	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1760	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe
1760	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1760	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 1760	1416	cmd.exe	29
PID 1416 wrote to memory of 1760	1416	cmd.exe	29
PID 1416 wrote to memory of 1760	1416	cmd.exe	29
PID 1760 wrote to memory of 2044	1760	powershell.exe	30
PID 1760 wrote to memory of 2044	1760	powershell.exe	30
PID 1760 wrote to memory of 2044	1760	powershell.exe	30
PID 2044 wrote to memory of 1848	2044	csc.exe	31
PID 2044 wrote to memory of 1848	2044	csc.exe	31
PID 2044 wrote to memory of 1848	2044	csc.exe	31
PID 1760 wrote to memory of 1780	1760	powershell.exe	32
PID 1760 wrote to memory of 1780	1760	powershell.exe	32
PID 1760 wrote to memory of 1780	1760	powershell.exe	32
PID 1780 wrote to memory of 1916	1780	csc.exe	33
PID 1780 wrote to memory of 1916	1780	csc.exe	33
PID 1780 wrote to memory of 1916	1780	csc.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Quote.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file quotefile.ps1
  2⤵
  - Enumerates VirtualBox registry keys
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Looks for VirtualBox Guest Additions in registry
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qdkimebk.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8C8.tmp"
      4⤵
      PID:1848
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wvxkyyns.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1780
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A35.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3A34.tmp"
      4⤵
      PID:1916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES3A35.tmp

Filesize
1KB

MD5
bd530d1e0b3817cee772bd71a1d82a8f

SHA1
8d53d51753a629e3245c1948e1be655a696488db

SHA256
d656f343146961468c334f62ef1392fcc831cc0f34e69a5a8d51d8a1fc3df0d1

SHA512
c3fe19eaa5863c0a056bd52c64db141fe17c4bb0df131bcad4b1993995fcca01524e08a666515bfc6a57b2a06fed75e115ff20433ce9d3e53b0badae18b40676

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8D9.tmp

Filesize
1KB

MD5
f576deeb016287108b548dc637fa843d

SHA1
9c24612a0185e51670ed19b7d26a11f71d71b2b1

SHA256
4ccfee19c9503cfafa7a65d941cf1d0267bd3c7d8731ada9159eea90f0a0b10b

SHA512
0780f051db1e8f79f4ea96521526da07689d8a7f1d60b99ddb21e8fbf1bda904952d60bd5ad60e4c44f4fabf0fcbac17bc110476d72dcddd19e7f1d3a590dc7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\qdkimebk.dll

Filesize
3KB

MD5
67f8c97b640a5e91f7fc3f2bc2ccf371

SHA1
872f749f7caba52ebb36998c07c74f8608726d44

SHA256
fc5c938f355bbf618ae7b010061b23823ada9c93d891da71e63f391623563766

SHA512
b9ac8ae3a44d486a91966df660ec03c1b84827d3455b58132521c720b57b754f5fb5a98a4b508fee80a28a2b503894fe37c24223b7e7b8a8d417b8e0c126e232

Download Submit
C:\Users\Admin\AppData\Local\Temp\qdkimebk.pdb

Filesize
7KB

MD5
deef470781bf5e55abcb73b231ed735e

SHA1
1e4a33b3e7915268feaabf43871360ae36748a45

SHA256
4efb66d48e0780535c1566dad8493668e04075c877ae5a7f3b82a53a3f09928f

SHA512
d66154fd937d06b456faca6e63974fb0bef51abe04eb7a2d8c949d21e8d6991a94c86b1d596a423ff7de18a2eb7ebb2b676bbeca21d1f47e6a1028935cb178f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvxkyyns.dll

Filesize
3KB

MD5
93a989b0276f6bd017c74dc1f0c35786

SHA1
a1b643216b77cae8e0aa66de94b125cfe2947d92

SHA256
4999ca05ce4b138a86aab5cae5500e9e5292851f6918dd237d63c4256d87a9f0

SHA512
81525914aeb12ca174be0c2d9e0139a6ef0d3d1cf3a62974168d482993acb07e4882acc7b76781c0032414bd15fb7994b6003cc89a9b4042269a29209f48432c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wvxkyyns.pdb

Filesize
7KB

MD5
08d0f4128d57b16c8f88d2ba91e97938

SHA1
3e486731830e9f288aa3c4adc1295884d75b825f

SHA256
e6fd51a72fdbccac922266fd529f95f66209964ac9211b61396391e6078d8816

SHA512
a28a53d6555f92e98948dc4bcb4472e3968a936e0973f0097e0ffa2cb3288154c34e5a59b53ddc0ea22798c7d5c8d7cefef361a61d79542e8fe9e33265828605

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3A34.tmp

Filesize
652B

MD5
29e06ca64922f8ff6c633a75603c7fbf

SHA1
b3807c0d6689803c97ec6be964e627c0224f109e

SHA256
05d36faab408648ff223c117bdc809043d745f339e3db481ea97ecea55776cd3

SHA512
2d48628b0e016a84283ade269eb0b60df9a53c39279c902c44c4de09508627d544b63d2c9ded224cd2f94757764bef27d496fcd14814be5e595d8311872d3bd4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8C8.tmp

Filesize
652B

MD5
952a1ea640b9ad837c94708ada7c1da5

SHA1
d1debecaf9f7d4299163f2e87875abb8841916a2

SHA256
df3b1ee1c878919a6f829ff774714a091592d402e7050b2445cc861da621cc5f

SHA512
4cf39b27fab7c7850ff06cbc793fc0fd96c97a1845cd0c76cb17746c2125aa6956047df1a6f9fea0d17f6373b93c9422091b9c898dc474bf66abc58465f07fb4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qdkimebk.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qdkimebk.cmdline

Filesize
309B

MD5
6aeba6aa4ae3d95b814dd6c5dea0a40a

SHA1
1827d8fe9c46e05710ecb59615340e29137de03a

SHA256
25d0fbda6dfab9ca3e9e7cb32ac0abd0fd9f9f914a4e7f0ff6b0c2e362b3f99a

SHA512
168b3ec9a2e161a70ca3b364a83327dbc9f74639c25a6a4a46c81adf859b35347df57b055534def7023508a8230eea3eff0289e53e4bd9f11927632be9b45c3b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wvxkyyns.0.cs

Filesize
591B

MD5
9b5ca5987d03f2fda2d89b3225bb527b

SHA1
2fca70ccb8428eda41cb29785458155942e24da3

SHA256
e47533d0cbe442ac6b5bd50e507c9dae2c9f19ee4c0ffbc2273375f0721efaa8

SHA512
8e2c4ae7b952998cb6efaeaee6f274efb879f3c1bf657d83391ddf7ea291b4927204e5c2d67877b820a35a67d39dfe857b9f4725085062cae75bc871d657a7bf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wvxkyyns.cmdline

Filesize
309B

MD5
adac89d6355c48118f9652c4396b7f2c

SHA1
7227717e7b84a310ecd71e3349856cb0d29fcb7f

SHA256
2c9a9b3cce90297a9920b3ea5ecd8138d40577afb80932029aa61ea22d834eff

SHA512
dcb427442e431fe93fb7d3c0c0fac7cc625740ce717e95fa8064cd91754e9731200693eaff087ad4e14581aeeaf9acc574bc66435f9feba40218ff6813209ab1

Download Submit
memory/1760-110-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1760-111-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1760-112-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1760-93-0x0000000002010000-0x0000000002018000-memory.dmp

Filesize
32KB

Download
memory/1760-107-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/1760-126-0x00000000027B0000-0x00000000027B8000-memory.dmp

Filesize
32KB

Download
memory/1760-92-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/1760-129-0x000000001B9D0000-0x000000001BAE6000-memory.dmp

Filesize
1.1MB

Download
memory/1760-135-0x000000001BB70000-0x000000001BC85000-memory.dmp

Filesize
1.1MB

Download
memory/1760-136-0x0000000077B40000-0x0000000077B41000-memory.dmp

Filesize
4KB

Download
memory/1760-137-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download
memory/1760-138-0x0000000002890000-0x0000000002910000-memory.dmp

Filesize
512KB

Download