bumblebee | 07d2cb0dc0cd353fb210b065733743078e79c4a27c42872cd516a6b1fb1f00d1

Analysis

max time kernel
127s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2023 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Inv(05-19)Copy#10-44-05.js
Size

777KB
MD5

2f9a34e5769063b7357414e4158d7831
SHA1

8c67c7646ce4b085c6f45863a9d0e38742cd688e
SHA256

07d2cb0dc0cd353fb210b065733743078e79c4a27c42872cd516a6b1fb1f00d1
SHA512

6c71c761fad3319d46852381e05cb35100132c5ba44ac986439cb327d5d9d4b1a83a88cb84d95e192df893a93e53aa73a08127267cd0a3b82a23f57da8c7858e
SSDEEP

24576:63BAIiUtmsPkFUcZnGVVTiEKMqSFcpNSXpNiELOjoEzZcQlGzJpxuJNM3cBFWUQo:hwmsPkqknQVTiEKMqSFcpQXpNiELOjoe

Score

10^/10

bumblebee mc1905 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

mc1905

92.119.178.40:443

32.54.188.44:443

194.135.33.160:443

192.198.82.59:443

103.175.16.151:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 10 IoCs

flow	pid	Process
4	2576	wscript.exe
6	2576	wscript.exe
8	2576	wscript.exe
13	2576	wscript.exe
15	3696	rundll32.exe
37	3696	rundll32.exe
45	3696	rundll32.exe
60	3696	rundll32.exe
61	3696	rundll32.exe
63	3696	rundll32.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	wscript.exe

Loads dropped DLL 2 IoCs

pid	Process
3696	rundll32.exe
1148	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
3696	rundll32.exe
1148	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 3696	2576	wscript.exe	83
PID 2576 wrote to memory of 3696	2576	wscript.exe	83
PID 2576 wrote to memory of 1148	2576	wscript.exe	84
PID 2576 wrote to memory of 1148	2576	wscript.exe	84

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Inv(05-19)Copy#10-44-05.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\435898.dat,eOXScagadNKe
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:3696
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\659851.dat,eOXScagadNKe
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:1148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\435898.dat

Filesize
1.2MB

MD5
0206d04221884b1dba7343ba27cfafb5

SHA1
bd8448fb3926ce48b7bc5c53ff3afe72b82e13eb

SHA256
9739bd230c978031c92ec8eee2fbd1674b1846c44e17c7628ab5f8ffb8c5f73b

SHA512
3a3b5c581a2c349e74d48d00e1d934f61aca31f1549aa58fa5485bea6c0613a5e73eb6ce52cb7746cfd47a17bdb0aa0b2e8e898ff7507cd46647a549e0845bf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\435898.dat

Filesize
1.2MB

MD5
0206d04221884b1dba7343ba27cfafb5

SHA1
bd8448fb3926ce48b7bc5c53ff3afe72b82e13eb

SHA256
9739bd230c978031c92ec8eee2fbd1674b1846c44e17c7628ab5f8ffb8c5f73b

SHA512
3a3b5c581a2c349e74d48d00e1d934f61aca31f1549aa58fa5485bea6c0613a5e73eb6ce52cb7746cfd47a17bdb0aa0b2e8e898ff7507cd46647a549e0845bf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\659851.dat

Filesize
1.2MB

MD5
af2adddb1918ea393c92bbed784ba54e

SHA1
855e3bdf22492a1887f22116f16f07174081af10

SHA256
726bec1d2c6cd67ba5defe9fc3a05ab9e46b83ec0cc25757af2708b5c8b0737e

SHA512
e11966f935c43eca7deeac819170d1f4ec2fc69f00ca4da9dcacf1f2434787b3d6754801b3628d352c2c10ec929ec34df5fbe7150e752cf80367a0b38d09fae5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\659851.dat

Filesize
1.2MB

MD5
af2adddb1918ea393c92bbed784ba54e

SHA1
855e3bdf22492a1887f22116f16f07174081af10

SHA256
726bec1d2c6cd67ba5defe9fc3a05ab9e46b83ec0cc25757af2708b5c8b0737e

SHA512
e11966f935c43eca7deeac819170d1f4ec2fc69f00ca4da9dcacf1f2434787b3d6754801b3628d352c2c10ec929ec34df5fbe7150e752cf80367a0b38d09fae5

Download Submit
memory/1148-154-0x0000024C968C0000-0x0000024C96A21000-memory.dmp

Filesize
1.4MB

Download
memory/1148-155-0x0000024C965A0000-0x0000024C9661F000-memory.dmp

Filesize
508KB

Download
memory/3696-150-0x000001CD6A680000-0x000001CD6A7E1000-memory.dmp

Filesize
1.4MB

Download
memory/3696-151-0x000001CD68BD0000-0x000001CD68C4F000-memory.dmp

Filesize
508KB

Download
memory/3696-152-0x000001CD6A680000-0x000001CD6A7E1000-memory.dmp

Filesize
1.4MB

Download
memory/3696-153-0x000001CD6A680000-0x000001CD6A7E1000-memory.dmp

Filesize
1.4MB

Download