bumblebee | 9086c173ad998545a39547935579ab6ee7a8db5e13d04643a8ca558fd67805dc

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2023 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quote.lnk
Size

1KB
MD5

4166dc23c9ffb1fe465288801da97ca9
SHA1

0e7319378d7cb33f123cd804630c7644384e8931
SHA256

940182dd2eaf42327457d249f781274b07e7978b62dca0ae4077b438a8e13937
SHA512

60d65cd412938bb55cd268ac81ba05e90790a12755b1d2bcdc351339dac88339b6851e1272716cb3dc3652900226b098b2c3b9b137bcc820510b65f36cb03aff

Score

10^/10

bumblebee 1508 evasion trojan

Malware Config

Extracted

Family

bumblebee

rc4.plain

Extracted

Family

bumblebee

Botnet

1508

172.93.201.138:443

116.142.140.251:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Enumerates VirtualBox registry keys 2 TTPs 5 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo	powershell.exe

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__	powershell.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	powershell.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__	powershell.exe

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions	powershell.exe

Blocklisted process makes network request 7 IoCs

flow	pid	Process
29	3008	powershell.exe
40	3008	powershell.exe
54	3008	powershell.exe
55	3008	powershell.exe
61	3008	powershell.exe
63	3008	powershell.exe
65	3008	powershell.exe

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	powershell.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	cmd.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Wine	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3008	powershell.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe
3008	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 3008	2176	cmd.exe	89
PID 2176 wrote to memory of 3008	2176	cmd.exe	89
PID 3008 wrote to memory of 1332	3008	powershell.exe	90
PID 3008 wrote to memory of 1332	3008	powershell.exe	90
PID 1332 wrote to memory of 4944	1332	csc.exe	91
PID 1332 wrote to memory of 4944	1332	csc.exe	91
PID 3008 wrote to memory of 4080	3008	powershell.exe	97
PID 3008 wrote to memory of 4080	3008	powershell.exe	97
PID 4080 wrote to memory of 4120	4080	csc.exe	98
PID 4080 wrote to memory of 4120	4080	csc.exe	98

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Quote.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file quotefile.ps1
  2⤵
  - Enumerates VirtualBox registry keys
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Looks for VirtualBox Guest Additions in registry
  - Blocklisted process makes network request
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bazufqlx\bazufqlx.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1332
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBFF9.tmp" "c:\Users\Admin\AppData\Local\Temp\bazufqlx\CSC18F0EF6246784D95913221A4ACA00D0.TMP"
      4⤵
      PID:4944
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kzvj5ho5\kzvj5ho5.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4080
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBDC.tmp" "c:\Users\Admin\AppData\Local\Temp\kzvj5ho5\CSC9C3C865E47B44BCD8184E72CDB18DCC.TMP"
      4⤵
      PID:4120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBFF9.tmp

Filesize
1KB

MD5
a14cfb23fe53aab95fabf7ba55dfbc39

SHA1
f68cb1e2c8a3b8a44c3747f8cd23a9d45c32d0c0

SHA256
87efc0d60dd878bed516c3ad07d9a957f7990225afe83ef9f1828dde59a3fcc1

SHA512
6e0295709fbe113a04c10ad7fc2810b9a1dbd566efe92b2bfb02400cc9902a5866807aeebbe5cefd8db85130f266da6ba717221e65ac7cf699758e34658d765f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEBDC.tmp

Filesize
1KB

MD5
a6451545a4a3f3b28b2953da205c4319

SHA1
009fa8daf0455cab373c7ef67e2aa446fae4ea61

SHA256
6329953bbd925a2b67b9bdbc8409e2041c6941f35db2f34dc32ae0a56f75f306

SHA512
bdf348df95393a776d65288ba784af188cd1bb5ce0151a98e9fed43c046175e652c3171d81940ddd08f874e73990c84028cc97031fd3ec1af6b1e76eef392814

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0dzunmte.f0o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bazufqlx\bazufqlx.dll

Filesize
3KB

MD5
edc20dea827a37c74f0cd2eb25df6ee0

SHA1
93ded7810d70c734216ba31ebc67104b7a66d997

SHA256
fa22e5626d45bb7ebb2d0d68ee31d281ad8b2288c5d7fadbdf11ba6af9412f9f

SHA512
9f917cc43183c5d9182465dca900319a5e8e9e698caa0727e60a154761d81917d92773dcff4c87ddb6c884aae9c371ef0a5dbb9a190c1697b566b440544b0bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kzvj5ho5\kzvj5ho5.dll

Filesize
3KB

MD5
06e4d298287e4194013aab6e2ff69338

SHA1
cc662982cfb530fec052dd663e719068e5f1bb10

SHA256
6095b420eb442148d1c6d638405bdcd5e574db8b0cb10c274fffbbd443409f43

SHA512
4e8bf17c338d32aff463f5da53bdde0d8e81827fc8c29791704ac097d2bc89abc23fe415ff914526a55e7184ee1b7a97ec2bcd0ded5cc8762a629fc7961cc621

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bazufqlx\CSC18F0EF6246784D95913221A4ACA00D0.TMP

Filesize
652B

MD5
07f0d2f2637a8b287efdb760bdd5ac8a

SHA1
05375f1c53abb28d81b6a0a8d692d0ebee6310a3

SHA256
3f5698e6e494d26784c7cb5823631c474f51bd0275f5eba2878ab3fb27b10830

SHA512
f5562a097290c9e1478d2f690747f74b068f134e40018f3f15e25611b00fbe1789f32e420c329035d3149d7679ff89a619515254059d2df4059e4c6959b5a009

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bazufqlx\bazufqlx.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bazufqlx\bazufqlx.cmdline

Filesize
369B

MD5
779d7fa2d459c07d8a9e135eb2db091e

SHA1
bb86799654995e424591b0764ce631d79bc0553c

SHA256
c649b4e28ba3bee9c432401cc300774637af2b24797be90ff5d592ef92e0f9ed

SHA512
c1d3085d057ce6ffa1c68ed497716c53b274b353ffc5e07218d8436c20af0b7031f401b0f6e1a364d7dd7b4fb8e7f4f4b46f2bba40ad3ac6d7c88139455786c3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kzvj5ho5\CSC9C3C865E47B44BCD8184E72CDB18DCC.TMP

Filesize
652B

MD5
a1e2f2ab5e146313fc18eb6339da633e

SHA1
bd36ec0f63ef3ae534f8da2678d7cf285f44f3fe

SHA256
19b021509c2842a51a4fd1ad77ce5b33060883ecde89c240657753e17ad7e2cb

SHA512
1650c98418474fc8690811f3fb0cd78405bdba9c949f3c97166fa51366313df9c65a3cac6f2c74ee93bb750b1ce2e11188760119133e122b055c69ae6cb5734b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kzvj5ho5\kzvj5ho5.0.cs

Filesize
591B

MD5
9b5ca5987d03f2fda2d89b3225bb527b

SHA1
2fca70ccb8428eda41cb29785458155942e24da3

SHA256
e47533d0cbe442ac6b5bd50e507c9dae2c9f19ee4c0ffbc2273375f0721efaa8

SHA512
8e2c4ae7b952998cb6efaeaee6f274efb879f3c1bf657d83391ddf7ea291b4927204e5c2d67877b820a35a67d39dfe857b9f4725085062cae75bc871d657a7bf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kzvj5ho5\kzvj5ho5.cmdline

Filesize
369B

MD5
7cc02a1ca94088ba421db5c39954e751

SHA1
d1aa89ec827a5e6616c6b4361cae7b9889241a50

SHA256
7343b7f3d55cf9d305d099f0d82f567346e869090ac7646040f3d7389c38049a

SHA512
56cea636266ec2ed89a428eabd795d593ed11202b3c11141b676aa0a8aa078d414cb1438fdba763384e34bc6147ccf978a4a1258eac447210e3b03bb28c04b5a

Download Submit
memory/3008-183-0x0000014FDDCB0000-0x0000014FDDDC5000-memory.dmp

Filesize
1.1MB

Download
memory/3008-184-0x00007FFEE2430000-0x00007FFEE2431000-memory.dmp

Filesize
4KB

Download
memory/3008-161-0x0000014FB3E50000-0x0000014FB3E60000-memory.dmp

Filesize
64KB

Download
memory/3008-146-0x0000014FB3E50000-0x0000014FB3E60000-memory.dmp

Filesize
64KB

Download
memory/3008-145-0x0000014FB3E50000-0x0000014FB3E60000-memory.dmp

Filesize
64KB

Download
memory/3008-142-0x0000014FCD890000-0x0000014FCD8B2000-memory.dmp

Filesize
136KB

Download
memory/3008-176-0x0000014FB3E50000-0x0000014FB3E60000-memory.dmp

Filesize
64KB

Download
memory/3008-177-0x0000014FDDB90000-0x0000014FDDCA6000-memory.dmp

Filesize
1.1MB

Download
memory/3008-160-0x0000014FB3E50000-0x0000014FB3E60000-memory.dmp

Filesize
64KB

Download
memory/3008-162-0x0000014FB3E50000-0x0000014FB3E60000-memory.dmp

Filesize
64KB

Download
memory/3008-185-0x0000014FDDCB0000-0x0000014FDDDC5000-memory.dmp

Filesize
1.1MB

Download
memory/3008-186-0x0000014FDDCB0000-0x0000014FDDDC5000-memory.dmp

Filesize
1.1MB

Download
memory/3008-188-0x0000014FDDCB0000-0x0000014FDDD6E000-memory.dmp

Filesize
760KB

Download
memory/3008-190-0x0000014FB3E50000-0x0000014FB3E60000-memory.dmp

Filesize
64KB

Download
memory/3008-194-0x0000014FDDCB0000-0x0000014FDDDC5000-memory.dmp

Filesize
1.1MB

Download
memory/3008-202-0x0000014FDDCB0000-0x0000014FDDDC5000-memory.dmp

Filesize
1.1MB

Download
memory/3008-211-0x0000014FDDCB0000-0x0000014FDDDC5000-memory.dmp

Filesize
1.1MB

Download
memory/3008-221-0x0000014FDDCB0000-0x0000014FDDDC5000-memory.dmp

Filesize
1.1MB

Download
memory/3008-232-0x0000014FDDCB0000-0x0000014FDDDC5000-memory.dmp

Filesize
1.1MB

Download
memory/3008-240-0x0000014FDDCB0000-0x0000014FDDDC5000-memory.dmp

Filesize
1.1MB

Download