bumblebee | 07f394e3db99be6f61c72753ed941e38b485fe436ddc02358dfa34c39ac9e0c5

Analysis

max time kernel
141s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-03-2023 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

titles.lnk
Size

1KB
MD5

cd40170ef364117a2ee437c47ec6b564
SHA1

48346fe1585ead2a8ab4f5fdccd264c5f9cd502a
SHA256

24bb33a3a191cb0fba721820a31a8560abd7b3d0fafabe5f85a700e47772b571
SHA512

a901f85abbb2be9d8f2165de0aceb502c8c95797c987ad0fea4a9781eaf509d2e1e4ccd5b1c51eb4b16d86a78fcb25c52d20b91623c0511c89c4eb585f6b209f

Score

10^/10

bumblebee 0603cc trojan

Malware Config

Extracted

Family

bumblebee

rc4.plain

Extracted

Family

bumblebee

Botnet

0603cc

51.68.144.43:443

185.173.34.35:443

103.175.16.13:443

192.111.146.184:443

86.106.131.105:443

103.175.16.104:443

23.254.167.63:443

146.19.173.86:443

91.206.178.234:443

23.82.140.155:443

173.234.155.246:443

23.254.225.130:443

172.86.120.111:443

160.20.147.242:443

185.17.40.138:443

157.254.194.117:443

194.135.33.184:443

195.20.17.75:443

51.83.248.92:443

192.111.146.178:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 6 IoCs

flow	pid	Process
23	4752	powershell.exe
42	4752	powershell.exe
63	4752	powershell.exe
68	4752	powershell.exe
69	4752	powershell.exe
71	4752	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	cmd.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4752	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4752	powershell.exe
4752	powershell.exe
4752	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4752	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 4752	2172	cmd.exe	86
PID 2172 wrote to memory of 4752	2172	cmd.exe	86
PID 4752 wrote to memory of 2676	4752	powershell.exe	87
PID 4752 wrote to memory of 2676	4752	powershell.exe	87
PID 2676 wrote to memory of 1900	2676	csc.exe	88
PID 2676 wrote to memory of 1900	2676	csc.exe	88
PID 4752 wrote to memory of 4208	4752	powershell.exe	89
PID 4752 wrote to memory of 4208	4752	powershell.exe	89
PID 4208 wrote to memory of 2132	4208	csc.exe	90
PID 4208 wrote to memory of 2132	4208	csc.exe	90

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\titles.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file comics.ps1
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yb1vny1c\yb1vny1c.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84D5.tmp" "c:\Users\Admin\AppData\Local\Temp\yb1vny1c\CSCE75078B395844C199AA484EF9954474.TMP"
      4⤵
      PID:1900
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pfagxeb1\pfagxeb1.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4208
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9261.tmp" "c:\Users\Admin\AppData\Local\Temp\pfagxeb1\CSC9C103D14F6B842EE9DE03D8F8388756.TMP"
      4⤵
      PID:2132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES84D5.tmp

Filesize
1KB

MD5
81635aa33de6f3fafc6c7f56409e99fc

SHA1
7276ed555ba4e9f4f70682cc410676babdd80bcc

SHA256
02179358aabc55618e59ad89e4053f06134513083977296320af70ab219483f3

SHA512
b5208bffc5b1929a0a1e4b56feb9d7bc8c8a21ec11f909521c8bec2bcbd67c5ceb85a8c67586b7b8dd067867a5c014a3f8d937b300f704fba5d1b893bdceff0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9261.tmp

Filesize
1KB

MD5
94cca39417050e2ae39d156a1edd2810

SHA1
eabf7aa726a0cc4a2bae725b3f10f526e5aca482

SHA256
6a1014ba991555bd59863c1a58af538a8178a32052f99b3b556177ee5114b777

SHA512
ec84f40b119b9413c6532722810052fc6fd72819a989e2db4be3a2c8f88d2c0696f938ade224933f9d86d8c8415bfb80cc5552b3dcd8e6efde3f8db1674a16b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lepdiqqu.5du.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pfagxeb1\pfagxeb1.dll

Filesize
3KB

MD5
35104dfa43ffb60ca1d7b1c49e4a9209

SHA1
32bae1ee74423ecbc399eb815a54f2d1c2128418

SHA256
61911de67e32c0d62336b341925c8785c0535c5fc9acad1258bb0bf58d9cc443

SHA512
777e867690f593a0fa9faaa118051b63e1298ccf46a7dde48b912960890549c1aab5455dc4c2e127ec896b482e66fa74d1aed298dd608ce71354f69b3c55363f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yb1vny1c\yb1vny1c.dll

Filesize
3KB

MD5
b98d0471f411af97f561d57158f4de41

SHA1
f3de3c19b416763138c77f9c3f3f7d1e3f54203c

SHA256
9b85832e496369bd068ecfa7e18631fc3e0f96001924c5af21b56e72226ab8d2

SHA512
bef191f5a0d1fc150ea110ef7fce1d1a67b62ac8ac35e9af996fe96d325f27b42029823d4a67101bf6fac180e6a7eceede3aef351a7df1c33f08fe474b64ae02

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pfagxeb1\CSC9C103D14F6B842EE9DE03D8F8388756.TMP

Filesize
652B

MD5
d4f4f45957bc3e3b1f9448f7b1091de9

SHA1
0395ec6d833c1acea6021daf864cf93f3f24cd9f

SHA256
49e0acc120e1b65e572ce13491e5d9ffd03c934b7a799a04fc531e0aad959fc8

SHA512
02f241f767dc374c88012ee708ffa4ddbdf2ac27c7ad2037f139ea5aeb34c0309289b86050af1c492304a18d118c9e876f1acc7ff045f198782977af221f024d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pfagxeb1\pfagxeb1.0.cs

Filesize
582B

MD5
2bb8d0ee93aeae61a09adf4db6f29c1c

SHA1
8da3034bb8f84ea2522e276b492b2797b5db30ca

SHA256
68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

SHA512
b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pfagxeb1\pfagxeb1.cmdline

Filesize
369B

MD5
771fa1b00bbd13027c4c1b84e885e532

SHA1
c03592161a2aef68694bf48ea727a51dfe1ea333

SHA256
e0dd154ae93d398adbc01e55508b4d2ff16412aaeee14e399f16f0e7f9e77d1f

SHA512
0c8f85e84bda65c5d708d1e00e9c775d0cec199d51feb3085e97f091fe4aee7eb612857854cc064f55e0f80e02f6e8cbc542cd8bbb5f8e5569767a1fb41943ed

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yb1vny1c\CSCE75078B395844C199AA484EF9954474.TMP

Filesize
652B

MD5
ed22653e151764fc67810781fe7f7830

SHA1
d9cd519227d5fa2459edda334457b62666326c80

SHA256
60bb9978fea2770ceceee2f3b2831827056046a5bc3e969d0d746613d05f67a6

SHA512
ee85992793dc6290aaafa23a72ddd256bd17bb99148c5fbdac2d5b5aa53cad85de1fccb3781a0d761c9ca1cf6d6e852bb776aa9ef8a716f6b6a0d74e7224f4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yb1vny1c\yb1vny1c.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yb1vny1c\yb1vny1c.cmdline

Filesize
369B

MD5
2f308cc310886b047f11e0aecebe2906

SHA1
c3656bc08e0968fb0f4d576a99a9ade4767fcc37

SHA256
0d526c7fd20bbcc20eaaddf63cc7802535268fa83b0a447681b065dc4445c772

SHA512
2853fe2d89c352e116f5cd7d416068e90e89afcddc822e7ee2bc3af7f85c9caf94dc4244644582807a3c97d09b0286e16db4ec811afe42b39d61f57cb7a7592c

Download Submit
memory/4752-182-0x00007FFADAB70000-0x00007FFADAB71000-memory.dmp

Filesize
4KB

Download
memory/4752-183-0x0000026637F60000-0x00000266380D4000-memory.dmp

Filesize
1.5MB

Download
memory/4752-148-0x000002661D7F0000-0x000002661D800000-memory.dmp

Filesize
64KB

Download
memory/4752-144-0x0000026637140000-0x0000026637162000-memory.dmp

Filesize
136KB

Download
memory/4752-174-0x000002661D7F0000-0x000002661D800000-memory.dmp

Filesize
64KB

Download
memory/4752-175-0x0000026637DE0000-0x0000026637F54000-memory.dmp

Filesize
1.5MB

Download
memory/4752-149-0x000002661D7F0000-0x000002661D800000-memory.dmp

Filesize
64KB

Download
memory/4752-151-0x000002661D7F0000-0x000002661D800000-memory.dmp

Filesize
64KB

Download
memory/4752-181-0x0000026637F60000-0x00000266380D4000-memory.dmp

Filesize
1.5MB

Download
memory/4752-184-0x0000026637F60000-0x00000266380D4000-memory.dmp

Filesize
1.5MB

Download
memory/4752-186-0x0000026637F60000-0x000002663801E000-memory.dmp

Filesize
760KB

Download
memory/4752-188-0x000002661D7F0000-0x000002661D800000-memory.dmp

Filesize
64KB

Download
memory/4752-189-0x000002661D7F0000-0x000002661D800000-memory.dmp

Filesize
64KB

Download
memory/4752-190-0x000002661D7F0000-0x000002661D800000-memory.dmp

Filesize
64KB

Download
memory/4752-191-0x000002661D7F0000-0x000002661D800000-memory.dmp

Filesize
64KB

Download