bumblebee | 00ec8f3900336c7aeb31fef4d111ee6e33f12ad451bc5119d3e50ad80b2212b0

General

Target

Inv(05-19)Copy#17-42-47.js
Size

764KB
MD5

b0a6293b17d888d5bbb00a2eec43bedd
SHA1

72ab1b2ab9e390ea842730aa78ed1d26561fdca2
SHA256

00ec8f3900336c7aeb31fef4d111ee6e33f12ad451bc5119d3e50ad80b2212b0
SHA512

d8c8bf15ab301fa25461a96add2d94fb799220390a358cad31bbd8ad4df41d2ff4f6ccead5129d24b5592cfa3d9230a32394f89318bc53cfe540fc6b27557d51
SSDEEP

12288:qo3Npw3bC42p8hQbShsCO8j5o08jGd963H+Y5a5zn75H5ZC5aerQM+ZzFWX8lLG2:qo3nIApkQbSX5jS08qdkn5azn715ZC58

Score

10^/10

bumblebee mc1905 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

mc1905

C2

92.119.178.40:443

32.54.188.44:443

194.135.33.160:443

192.198.82.59:443

103.175.16.151:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 11 IoCs

flow	pid	Process
4	1348	wscript.exe
6	1348	wscript.exe
8	1348	wscript.exe
10	1348	wscript.exe
11	340	rundll32.exe
17	340	rundll32.exe
20	340	rundll32.exe
23	340	rundll32.exe
24	340	rundll32.exe
27	340	rundll32.exe
30	340	rundll32.exe

Downloads MZ/PE file

Loads dropped DLL 2 IoCs

pid	Process
340	rundll32.exe
1900	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
340	rundll32.exe
1900	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 340	1348	wscript.exe	29
PID 1348 wrote to memory of 340	1348	wscript.exe	29
PID 1348 wrote to memory of 340	1348	wscript.exe	29
PID 1348 wrote to memory of 1900	1348	wscript.exe	30
PID 1348 wrote to memory of 1900	1348	wscript.exe	30
PID 1348 wrote to memory of 1900	1348	wscript.exe	30

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Inv(05-19)Copy#17-42-47.js
1⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\990566.dat,eOXScagadNKe
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:340
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\279531.dat,eOXScagadNKe
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3CF9.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\279531.dat

Filesize
1.2MB

MD5
0808f27a101bef2a258fa07bf3e00e19

SHA1
bc2a1c3b6eb916be35ac38fea80ec1187185e707

SHA256
34768877e73cb3fd875e43d03bea2bef681dea6356b6f1e4949f968685967df8

SHA512
426703cbef316b2d30362b628d972766161589ef7f7713e9e085c69ace79054c2a2c536f77967924f3c366b1d9022378cf9935cc6d6cbe2097738277b4edd70d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\990566.dat

Filesize
1.2MB

MD5
28348d4c5cf61fedfac24b04cc861667

SHA1
aeb115fedc21683559d9fb7681849fd7a599c0e3

SHA256
6bd7a7e68c336a18869182b2ab649d5b854d61ab590403749c393ae2a8ccb0d0

SHA512
a2a0a8769df4d1656a219fa317d95b9f16575574e8ce501a3c49be90be1333d6a481e219e714270b2e2df3c9f16df3d3aea91dd14d385e386d30ad0ab8d54fd2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\279531.dat

Filesize
1.2MB

MD5
0808f27a101bef2a258fa07bf3e00e19

SHA1
bc2a1c3b6eb916be35ac38fea80ec1187185e707

SHA256
34768877e73cb3fd875e43d03bea2bef681dea6356b6f1e4949f968685967df8

SHA512
426703cbef316b2d30362b628d972766161589ef7f7713e9e085c69ace79054c2a2c536f77967924f3c366b1d9022378cf9935cc6d6cbe2097738277b4edd70d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\990566.dat

Filesize
1.2MB

MD5
28348d4c5cf61fedfac24b04cc861667

SHA1
aeb115fedc21683559d9fb7681849fd7a599c0e3

SHA256
6bd7a7e68c336a18869182b2ab649d5b854d61ab590403749c393ae2a8ccb0d0

SHA512
a2a0a8769df4d1656a219fa317d95b9f16575574e8ce501a3c49be90be1333d6a481e219e714270b2e2df3c9f16df3d3aea91dd14d385e386d30ad0ab8d54fd2

Download Submit
memory/340-117-0x0000000002020000-0x0000000002181000-memory.dmp

Filesize
1.4MB

Download
memory/340-118-0x00000000001F0000-0x000000000026F000-memory.dmp

Filesize
508KB

Download
memory/340-119-0x0000000002020000-0x0000000002181000-memory.dmp

Filesize
1.4MB

Download
memory/340-120-0x0000000002020000-0x0000000002181000-memory.dmp

Filesize
1.4MB

Download
memory/1900-121-0x0000000001F90000-0x00000000020F1000-memory.dmp

Filesize
1.4MB

Download
memory/1900-122-0x0000000001DB0000-0x0000000001E2F000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing