bumblebee | 07f394e3db99be6f61c72753ed941e38b485fe436ddc02358dfa34c39ac9e0c5

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2023 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

comics.ps1
Size

2.2MB
MD5

2809cc87a38fd5233134c7428b380f2d
SHA1

47f1282a61b8090c7b335059fd6408c573b061ca
SHA256

b75bb6ee05805acc5898ed2ce9f8313d20672acb1908693b1b368e71c169c447
SHA512

bc0afcd7ef86ca2cd40e7a489b8a523666412b6c43ea60b6615a2aa37fed49dc741d33af3b961dd76e2ca90f5d437838dd4b5cfb28500288d83433746083bc0e
SSDEEP

24576:wOctC+MG8fRwhhUSmA/xBCXaEGNFpz4vGE9TUUrKApoxELBczlB:KtCd9RwRa8rsvGyXoz

Score

10^/10

bumblebee 0603cc trojan

Malware Config

Extracted

Family

bumblebee

rc4.plain

Extracted

Family

bumblebee

Botnet

0603cc

51.68.144.43:443

185.173.34.35:443

103.175.16.13:443

192.111.146.184:443

86.106.131.105:443

103.175.16.104:443

23.254.167.63:443

146.19.173.86:443

91.206.178.234:443

23.82.140.155:443

173.234.155.246:443

23.254.225.130:443

172.86.120.111:443

160.20.147.242:443

185.17.40.138:443

157.254.194.117:443

194.135.33.184:443

195.20.17.75:443

51.83.248.92:443

192.111.146.178:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 7 IoCs

flow	pid	Process
27	4592	powershell.exe
35	4592	powershell.exe
62	4592	powershell.exe
64	4592	powershell.exe
66	4592	powershell.exe
67	4592	powershell.exe
69	4592	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4592	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4592	powershell.exe
4592	powershell.exe
4592	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4592	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 5024	4592	powershell.exe	87
PID 4592 wrote to memory of 5024	4592	powershell.exe	87
PID 5024 wrote to memory of 2384	5024	csc.exe	88
PID 5024 wrote to memory of 2384	5024	csc.exe	88
PID 4592 wrote to memory of 1320	4592	powershell.exe	89
PID 4592 wrote to memory of 1320	4592	powershell.exe	89
PID 1320 wrote to memory of 2832	1320	csc.exe	90
PID 1320 wrote to memory of 2832	1320	csc.exe	90

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\comics.ps1
1⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aoke151g\aoke151g.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5024
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES76AC.tmp" "c:\Users\Admin\AppData\Local\Temp\aoke151g\CSC8B5567035E44C5BB7C621E231C22838.TMP"
    3⤵
    PID:2384
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wnibr503\wnibr503.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8458.tmp" "c:\Users\Admin\AppData\Local\Temp\wnibr503\CSC65713A4291114679A99E6A7D6EC1647D.TMP"
    3⤵
    PID:2832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES76AC.tmp

Filesize
1KB

MD5
5e441083b29172eef87b4a0e6a748e81

SHA1
88bb0081e4afc00fa2cf822cb843ecf3cb35f408

SHA256
467b078f396385b2d5848520c3ff481ec882350525f3a1df592f452f64f61ad9

SHA512
66a24fe469c2e2f99f8d75c358d537a96486736a1bccb763519787b5ccf9f5f03526429698a7489cb620140e4753fb9abc0419d82d4b880dcdd4c276e7006abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8458.tmp

Filesize
1KB

MD5
84400afdb9ec3f12897b3f8a9848182f

SHA1
961e9ead7f4d13f412ea687cd0de3666b7a0c484

SHA256
3b8f39e602d13dadf4c634f84d2e4d129e499ef38ac29a887b0cd84ed92f1ba7

SHA512
86610013cb785984fb2e91e9c359c917412b255f3ecb41ec5204cb9d20a28cfe89a4720f3119252adffa353e010bac6a99faa1f8af5edfa9145cbd10d38a56e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_up5xkv5y.d0q.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoke151g\aoke151g.dll

Filesize
3KB

MD5
2b37f77ff58ef3ad989d6aecf6079382

SHA1
f93dc94ad14b3bad23d818e9faae90af40d47a57

SHA256
021400d74440a559c86ec3d2af3f89c94c1f85ff43543fa26442aa79fea0673d

SHA512
3f6c1e5503b12cc908ca9ef8c07cf8605f71a545d4a9dcedff6591bf631810d65750bdf744436dc95eaf8e21518b414a2ce6ec44d0c2790a236defdff3921651

Download Submit
C:\Users\Admin\AppData\Local\Temp\wnibr503\wnibr503.dll

Filesize
3KB

MD5
6b3acf33795bb92a528c3e8a84764c44

SHA1
0901eafed7bfc174faf0121ed7022a814dcb43cd

SHA256
b7ad507bca9fd052467f7f010d11a195465b9d619ec251df7f5cfd09c74cb114

SHA512
edcba6f771abcfbfdecd38edc7858ba48b7379c473f29f41bbe2cd9a84660fbdd0f120ea4fc52400ed0ef74c5706c906dd63402505c6006129b18642e6a18195

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aoke151g\CSC8B5567035E44C5BB7C621E231C22838.TMP

Filesize
652B

MD5
87cbd4c1b1ed6b868589910eea9472f6

SHA1
a2e4f5d4466714d690aa64382a85c44ec74e54ed

SHA256
22da6358de6dc39778980b0aa2ba5e79e9b6b41ac1c41721bc8f82d0f03e558c

SHA512
20dfd018407575a6f00575a4ad81b68883e7f8eed48d9d9d0f78509b165c518298f95c6b1ec56b4d89e456d393788dd014032c6063e330b5ea09f384226b6d1b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aoke151g\aoke151g.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aoke151g\aoke151g.cmdline

Filesize
369B

MD5
32e433dc7a95379e5e64f8d24c065718

SHA1
db87460bdeb1c3cd41923a0d6224c7bb91e2145c

SHA256
fb3b74a70f8645ea2295de3729d85ecc4434538b30faf93131b0ab20712e2436

SHA512
c9a74a69f04996ea205f4381e42dbec56050b8f571c52e78dc5db91093d25039a992ad0e9ddcabd51a572f9980c1e7396d868a40b724684d943a71113cc590e3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wnibr503\CSC65713A4291114679A99E6A7D6EC1647D.TMP

Filesize
652B

MD5
fcb0055291170023b0c512809627f33a

SHA1
a032eb72849c2c5f5f6f8ee9f6186b2f4627b237

SHA256
90504ffee14dfe92031f6c7a826e9373de59586ae700e9c7093640aa1dc535f8

SHA512
273f1faec558689de30f6851b2cd033112d03c78a9349371ee05d1412be8f5f45f3ace81e747dea00d220588f9e8c791a3e66019313496ec9ef094849a4a017e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wnibr503\wnibr503.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wnibr503\wnibr503.cmdline

Filesize
369B

MD5
2c3e995b8dc700a7b30ec87b1e884f11

SHA1
8dba09bac27293ee1dccef67dd78a6b761b04052

SHA256
8d3fa06b0e06817cb7bb398e0d269e4568045408f68bb49b90a4c8e3b64bde92

SHA512
4704eb7d21d844395e0706ea4fb63b7221f6328f808bdb57b49a1630f9e8608ce1b78a808fa5038419a21d8b2470baf5c923a5853d4036cc493ffb2e88a7fcb7

Download Submit
memory/4592-179-0x0000022CC2C40000-0x0000022CC2C50000-memory.dmp

Filesize
64KB

Download
memory/4592-144-0x0000022CC2C40000-0x0000022CC2C50000-memory.dmp

Filesize
64KB

Download
memory/4592-142-0x0000022CC2BE0000-0x0000022CC2C02000-memory.dmp

Filesize
136KB

Download
memory/4592-143-0x0000022CC2C40000-0x0000022CC2C50000-memory.dmp

Filesize
64KB

Download
memory/4592-172-0x0000022CC3800000-0x0000022CC3974000-memory.dmp

Filesize
1.5MB

Download
memory/4592-178-0x0000022CC39D0000-0x0000022CC3B44000-memory.dmp

Filesize
1.5MB

Download
memory/4592-158-0x0000022CC2C40000-0x0000022CC2C50000-memory.dmp

Filesize
64KB

Download
memory/4592-180-0x00007FFCB62B0000-0x00007FFCB62B1000-memory.dmp

Filesize
4KB

Download
memory/4592-181-0x0000022CC39D0000-0x0000022CC3B44000-memory.dmp

Filesize
1.5MB

Download
memory/4592-182-0x0000022CC39D0000-0x0000022CC3B44000-memory.dmp

Filesize
1.5MB

Download
memory/4592-184-0x0000022CC39D0000-0x0000022CC3A8E000-memory.dmp

Filesize
760KB

Download
memory/4592-186-0x0000022CC2C40000-0x0000022CC2C50000-memory.dmp

Filesize
64KB

Download
memory/4592-187-0x0000022CC2C40000-0x0000022CC2C50000-memory.dmp

Filesize
64KB

Download
memory/4592-188-0x0000022CC2C40000-0x0000022CC2C50000-memory.dmp

Filesize
64KB

Download
memory/4592-189-0x0000022CC2C40000-0x0000022CC2C50000-memory.dmp

Filesize
64KB

Download