Overview

overview

10

Static

static

1

Quote.lnk

windows7-x64

10

Quote.lnk

windows10-2004-x64

10

quotefile.ps1

windows7-x64

10

quotefile.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-03-2023 05:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    quotefile.ps1

  • Size

    1.9MB

  • MD5

    739eaf406607fa3efddb9c6c97cdba76

  • SHA1

    bdb0575775a3447391b9d719e6d69c0e44549fd2

  • SHA256

    d6cc3ac995484b99ed790b6f8ceb145492794eb5d01ec4a71123b9975e9bfd20

  • SHA512

    80ccebc7f4ff3597031899973817acdb4c1638788aa37b536fcafb6cd03b2f6113d40527b2e7a7f49d4794f021c815f8dc85ac4fd372d40cde59da6db2769384

  • SSDEEP

    24576:AzrIw+80AssR3D6UN6hzwbSVsi5MW94d5upIAMoIKAdqQb16:AwwahXsvWK1dj6

Score
10/10
bumblebee1508evasiontrojan

Malware Config

Extracted

Family

bumblebee

rc4.plain

Extracted

Family

bumblebee

Botnet

1508

C2

172.93.201.138:443

116.142.140.251:443
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Blocklisted process makes network request 7 IoCs
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\quotefile.ps1
    1⤵
    • Enumerates VirtualBox registry keys
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Looks for VirtualBox Guest Additions in registry
    • Blocklisted process makes network request
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Suspicious use of NtCreateThreadExHideFromDebugger
    • Checks for VirtualBox DLLs, possible anti-VM trick
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yccpyfx0\yccpyfx0.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES86A9.tmp" "c:\Users\Admin\AppData\Local\Temp\yccpyfx0\CSCB71E333A4AD74C9EA2CCBC21A438B34.TMP"
        3⤵
          PID:408
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3zwqoftw\3zwqoftw.cmdline"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3664
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD6B.tmp" "c:\Users\Admin\AppData\Local\Temp\3zwqoftw\CSC179C15A8DDF343559166677868BCFC7.TMP"
          3⤵
            PID:3952

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\3zwqoftw\3zwqoftw.dll
        Filesize

        3KB

        MD5

        9c81c313fadd8c7a2063f70df53f60a6

        SHA1

        9614441634d7275f0fcceb4dd312aa244a804dff

        SHA256

        61b8698967025619b96c7fc7599772ef37bf8d2c22d6450ea22cad6d46c60eab

        SHA512

        a9e114772ff71236aa0e5f0e7a2765239983c6fb9de5992e6645cd8b0b73469f2619955c95fc8c6efde8e2db377c9d5ca285de491ee4e83c4764b5f9d8fa259c

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RES86A9.tmp
        Filesize

        1KB

        MD5

        8292a1b111ab2f1435a30f62557aa481

        SHA1

        80ba25c46a4ca008a837e033119e4f0dc8b2fe0d

        SHA256

        f2c50d8339e7b4b6382887b4012415c5fadd019c9958bcfd7e89bf3210064ced

        SHA512

        52f6f1bdd3016f1bb263eccd30c493cd9904805c33c045b0bb100607a611959e30204780f939f940521c4b0e7b288fb40b988c3beb4c8e6f8426813efa1a9538

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\RESAD6B.tmp
        Filesize

        1KB

        MD5

        8e1a947a2e97577ea9b614089ad54cc9

        SHA1

        248ca7c4ad4ecdccdb1c578569db2f277b66a74a

        SHA256

        c8aeb4fae33154f724d9364a9fcd7574d6ef808eb70d01342f28b25e9c1e4932

        SHA512

        a5b6ba2add16f5d682fa6968134ffa014edecfec7b18c678468772ed0fbc4325ee114a707b2785307ce97e424b993996b8b46cdb532876fa9d0b813f6350c6c2

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mqw1lmmt.cvu.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\yccpyfx0\yccpyfx0.dll
        Filesize

        3KB

        MD5

        adfe1a63b02d4a6a254166d73b6d6ebb

        SHA1

        324d9bd804f4e29662ef145fe55e177bd842020f

        SHA256

        8ed5f2c4db419011653da9cc3f72f0f3a4f7c0d46dcd85cc594dff6f56694d04

        SHA512

        ddb1cfac2fa5ebec43c7e8ffa9624db39c7e1606c1c8dad175a2e0b15efcb03591c9615441d060145376702c3a4fb6c38bfb465b4ddd5e2042a31ddc13bc82b2

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\3zwqoftw\3zwqoftw.0.cs
        Filesize

        591B

        MD5

        9b5ca5987d03f2fda2d89b3225bb527b

        SHA1

        2fca70ccb8428eda41cb29785458155942e24da3

        SHA256

        e47533d0cbe442ac6b5bd50e507c9dae2c9f19ee4c0ffbc2273375f0721efaa8

        SHA512

        8e2c4ae7b952998cb6efaeaee6f274efb879f3c1bf657d83391ddf7ea291b4927204e5c2d67877b820a35a67d39dfe857b9f4725085062cae75bc871d657a7bf

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\3zwqoftw\3zwqoftw.cmdline
        Filesize

        369B

        MD5

        714f940388a38500c2e6a60ade20e60f

        SHA1

        ca596cfdf37d7422e50f8304a5886af3694b8dcc

        SHA256

        9109e241ae952851b226836b57af0f414c705b58466495601df80803ba84ca3e

        SHA512

        3add48abd49a63a9985b1a56a50d921becdc3356d4e376a0a3cb719a1cf04865fcd662da7c964c5f7dc01500391494a6eb04252efd9d9fd027f756311e01f9d8

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\3zwqoftw\CSC179C15A8DDF343559166677868BCFC7.TMP
        Filesize

        652B

        MD5

        cfef5c659ad26ce8ae0402577195902f

        SHA1

        6aab0017c6a69b47f1adbbed809970ec36f75d4f

        SHA256

        a00e1782e828b23a719f9a6fe8d8dccce1d60daa8232f29a0d62084b5fa691f5

        SHA512

        90e1518807cca9d6da9f3b217cdbba6bf6227d6f3f94a71313abd29fd7866795c8cc369c601c1c7f6a8c351f7c5d2ba2a5cf32c4a7e4cceb618cea81dee7b98a

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\yccpyfx0\CSCB71E333A4AD74C9EA2CCBC21A438B34.TMP
        Filesize

        652B

        MD5

        80d3624f5be1889b58bfe4ffc5093bd0

        SHA1

        c13cdf5aecdcbfb43008458e82d0eda3bf9e765c

        SHA256

        dbfd0dcd979a52065581e5d333ca97596de5dad9605d8dffb4a7aaa92c7a70e4

        SHA512

        5baa36be72d87dbd7226aeacb9ed38f6a9755fdd4751b5d8da5e529d2efce26c0e53edf452e88e3b233751de75098f33826d64b9db20bb1b4c9b8b2a87d94fd2

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\yccpyfx0\yccpyfx0.0.cs
        Filesize

        203B

        MD5

        b611be9282deb44eed731f72bcbb2b82

        SHA1

        cc1d606d853bbabd5fef87255356a0d54381c289

        SHA256

        ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

        SHA512

        63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

        Download Submit

      • \??\c:\Users\Admin\AppData\Local\Temp\yccpyfx0\yccpyfx0.cmdline
        Filesize

        369B

        MD5

        6d7c7bd5836e932d62efcb87aff20805

        SHA1

        2d119001de7460d0eaa10bfdebf793fe89f5335d

        SHA256

        2b0014b269a8e5b987a8ed6ee47f163adca1e61fa6e66baec42af1f66c1bdb73

        SHA512

        24f1e0683cc780042b84b919a42c09815d80bede1d90aabe10a90d8d74b9454915e20a337857b6a0678c5b9c5e7a9f97a563e16bdd7a65603a622289a9d2bb29

        Download Submit

      • memory/2472-180-0x0000027EA68D0000-0x0000027EA68E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2472-182-0x0000027ED1FF0000-0x0000027ED2105000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2472-159-0x0000027EA68D0000-0x0000027EA68E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2472-144-0x0000027EA68D0000-0x0000027EA68E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2472-143-0x0000027EA68D0000-0x0000027EA68E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2472-133-0x0000027EC19D0000-0x0000027EC19F2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2472-174-0x0000027ED1ED0000-0x0000027ED1FE6000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2472-158-0x0000027EA68D0000-0x0000027EA68E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2472-181-0x0000027ED1FF0000-0x0000027ED2105000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2472-160-0x0000027EA68D0000-0x0000027EA68E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2472-183-0x0000027ED1FF0000-0x0000027ED2105000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2472-184-0x00007FFD3D870000-0x00007FFD3D871000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2472-188-0x0000027EA68D0000-0x0000027EA68E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2472-192-0x0000027ED1FF0000-0x0000027ED2105000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2472-200-0x0000027ED1FF0000-0x0000027ED2105000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2472-208-0x0000027ED1FF0000-0x0000027ED2105000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2472-210-0x0000027ED1FF0000-0x0000027ED2105000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2472-234-0x0000027ED1FF0000-0x0000027ED2105000-memory.dmp

        Filesize

        1.1MB

        Download