Overview

overview

10

Static

static

1

Quote.lnk

windows7-x64

10

Quote.lnk

windows10-2004-x64

10

quotefile.ps1

windows7-x64

10

quotefile.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    28s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    06-03-2023 05:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    quotefile.ps1

  • Size

    1.9MB

  • MD5

    739eaf406607fa3efddb9c6c97cdba76

  • SHA1

    bdb0575775a3447391b9d719e6d69c0e44549fd2

  • SHA256

    d6cc3ac995484b99ed790b6f8ceb145492794eb5d01ec4a71123b9975e9bfd20

  • SHA512

    80ccebc7f4ff3597031899973817acdb4c1638788aa37b536fcafb6cd03b2f6113d40527b2e7a7f49d4794f021c815f8dc85ac4fd372d40cde59da6db2769384

  • SSDEEP

    24576:AzrIw+80AssR3D6UN6hzwbSVsi5MW94d5upIAMoIKAdqQb16:AwwahXsvWK1dj6

Score
10/10
bumblebee1508evasiontrojan

Malware Config

Extracted

Family

bumblebee

rc4.plain

Extracted

Family

bumblebee

Botnet

1508

C2

172.93.201.138:443

116.142.140.251:443
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\quotefile.ps1
    1⤵
    • Enumerates VirtualBox registry keys
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Looks for VirtualBox Guest Additions in registry
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtCreateThreadExHideFromDebugger
    • Checks for VirtualBox DLLs, possible anti-VM trick
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zjrwm0lq.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:328
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5FB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5EB.tmp"
        3⤵
          PID:1484
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gf3fkw4q.cmdline"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1104
        • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3748.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3747.tmp"
          3⤵
            PID:1088

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\RES3748.tmp
        Filesize

        1KB

        MD5

        2f0c9304dbac0ec8e69acd079e1190f2

        SHA1

        ede09a70c2a3242b858a8c94725c12859964d285

        SHA256

        59423ed69a796d2f4234d3b7ba1d25eddabc024862f618e379c76e530724edf9

        SHA512

        6f6bca9e42e87e03ca13d45228b867069316b5118ccabc2928446361c76a0a5aeb99cdf50b2e0e8c0d9553daf619aae0220904408a22a7b7dfd0ac415d15fe5b

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES5FB.tmp
        Filesize

        1KB

        MD5

        f55e10562d451f82e1269b5e8c9924ca

        SHA1

        8944de63794e632dccaa755b8480bcfdd20d7084

        SHA256

        457dc308726c125041ee798a02cea1b6890453ae03b110bce974d68130258b53

        SHA512

        5273b02417120f3a03b6d17a547c761b09361ab5964a4fcf08a5bd0171d6af7cb61a1f3e83cd88ee741123b40a83300c48ee1dd407fa938e60bbd9cefadeb383

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\gf3fkw4q.dll
        Filesize

        3KB

        MD5

        3241670b63b28aed8dd3a0b466ee8347

        SHA1

        ccb0c5473c05baccfc799d5889200357a7c3bb58

        SHA256

        5eec6d311f7b80d56006b13d13a500483d8efe1b5a70e1deed7a37d009257ca8

        SHA512

        ff6e09e762a26e559883625e0e6a7d6014ffbb3edaaac59ab7c51daa7710bc2859cd841867857b75a1befdb808991504dd3e2b2bf12bfacb0b98376ca6582ad1

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\gf3fkw4q.pdb
        Filesize

        7KB

        MD5

        ddace16a421c8d17b476cd9aab047e88

        SHA1

        2b492efbc360d432fef6021e9f9a8b92532e0431

        SHA256

        5427008f91ae90a9188207160343bf30c5b32907f5499296b24cf254e10b19b5

        SHA512

        6294b09ebe2afeb7c0c2f66766787c25013151e81e2c10c1451aafba7ade72e6ceca31ae174b8d027ec278c045658b5e2b3aa4b73dedd8c0069e509a615e61a7

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\zjrwm0lq.dll
        Filesize

        3KB

        MD5

        569530cc59f09799ff61acd285e7714b

        SHA1

        c80a98b365a571eb8c0d9f4eeb82d0d6acd09979

        SHA256

        7cbfb0464dd5f025b416079e19257b5c5e8b6c86a42f4dd5532e75f5a0d47a3c

        SHA512

        03ee6bbf5eb0d343e73f06186aeb94958173d0da0135682e89b027cd7333617b21c9964ebdae7f6801f667cef1312401cfa8ca3eafbc4434879678fc1b791b25

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\zjrwm0lq.pdb
        Filesize

        7KB

        MD5

        0ec531b80700e16b47f5e2443613e672

        SHA1

        a6d7cc2415229b99477a7589a9bd40bff1db38cc

        SHA256

        9374fed3f27b701e276cccf5b339963d2f0421efccbf10a0b48f4de3a9c364cc

        SHA512

        207b0d9fcc99f20098461e4eb409e6d63c0729577966d5820a23c43c835cf90e55d0f37fdf740c324ea6097266aa4e421f424ec06a808df1bf10055a8e05a532

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\CSC3747.tmp
        Filesize

        652B

        MD5

        5f464a9d70f2265a0fe9736896901f0a

        SHA1

        865ebafb0adad529cd9b6b415bf20c668ab13f34

        SHA256

        e15b7b7fc77bf4d6afeb0af2e151186f4f319bb8139df57cbe8dd34fe718549d

        SHA512

        b275033f9a634cacc03255aac0b1e3adf1efed1b094bbdf3037d74e553059df3d23eae81d4415a2cc70f1815aca0c0c24c4fdb88311706bc742072574ddd4779

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\CSC5EB.tmp
        Filesize

        652B

        MD5

        0b0f64ed01319e6a65deab13520bf94e

        SHA1

        44c1307db40276c193cc63e493209f623896124a

        SHA256

        0da775d0236bfa7e17830205bb527bb5549b8a9a88287d1a4d0139eb336e83f3

        SHA512

        d2570b06e8922c1dc14632a58ea42ce7b5e2ae54b825a8b849568bc48e99fed083f66d693b1f4faad37966e68b8c6cf7354679c2c952bdd94316e06543f43ba6

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\gf3fkw4q.0.cs
        Filesize

        591B

        MD5

        9b5ca5987d03f2fda2d89b3225bb527b

        SHA1

        2fca70ccb8428eda41cb29785458155942e24da3

        SHA256

        e47533d0cbe442ac6b5bd50e507c9dae2c9f19ee4c0ffbc2273375f0721efaa8

        SHA512

        8e2c4ae7b952998cb6efaeaee6f274efb879f3c1bf657d83391ddf7ea291b4927204e5c2d67877b820a35a67d39dfe857b9f4725085062cae75bc871d657a7bf

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\gf3fkw4q.cmdline
        Filesize

        309B

        MD5

        a2ed1b2114a006cc6b84c96603f2d3f4

        SHA1

        77fb6bb7def1baac8c437185469ffdbc95ac76c6

        SHA256

        f612e0328a9a436807a444f353620dfa171805ebbe256b47e551b5c22ea78ebb

        SHA512

        858ff284b6f384011a8d59253763141f43e1d3ab637ed85edfc063e28045abe6b3939ea2839d765a4e3c097f4eb04d4c2e4694883ad382cde1317a536709d757

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\zjrwm0lq.0.cs
        Filesize

        203B

        MD5

        b611be9282deb44eed731f72bcbb2b82

        SHA1

        cc1d606d853bbabd5fef87255356a0d54381c289

        SHA256

        ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

        SHA512

        63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\zjrwm0lq.cmdline
        Filesize

        309B

        MD5

        ced50d69153c2470a642838ac902974a

        SHA1

        dd09995d130a05de71b7ffce98796828b7426986

        SHA256

        6ac2d15cc5b6b0209bc9286701052015026c46b50106eb7383d5871dee8024ed

        SHA512

        50479bcdda56eeb0b39bdc243364075339b03afa86ba876937df5146cce9aa86f3824bb1f1d9e0f21b0381e6f7d2a51d2cf1351f242538f35aef758ea4e08791

        Download Submit

      • memory/1760-58-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

        Filesize

        2.9MB

        Download

      • memory/1760-78-0x00000000024A0000-0x0000000002520000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1760-77-0x00000000024A0000-0x0000000002520000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1760-59-0x00000000022E0000-0x00000000022E8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1760-73-0x0000000002720000-0x0000000002728000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1760-92-0x0000000002730000-0x0000000002738000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1760-76-0x00000000024A0000-0x0000000002520000-memory.dmp

        Filesize

        512KB

        Download

      • memory/1760-95-0x000000001BAC0000-0x000000001BBD6000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1760-101-0x000000001C6A0000-0x000000001C7B5000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/1760-102-0x0000000077490000-0x0000000077491000-memory.dmp

        Filesize

        4KB

        Download