bumblebee | bcd9b7d4ca83e96704e00e378728db06291e8e2b50d68db22efd1f8974d1ca91

General

Target

Inv(05-19)Copy#19-48-01.js
Size

772KB
MD5

c56f106025e1853958f0745516c0b88f
SHA1

f3506be345eafb653e2c2c18410b8c4f5d1a2c26
SHA256

bcd9b7d4ca83e96704e00e378728db06291e8e2b50d68db22efd1f8974d1ca91
SHA512

facf6c8c5690209c1c905f96da1f6ef1ad8b86ab752e8714e73ae48781ff8bfec17813816862fe5d75a96d7c316c083d46e27accf4685e060c6555e882e24278
SSDEEP

24576:93vle/E45Mk2h1K3G9EhRe4jEER9Fwf8TxzM34LM9gkIy9ByxZO9TLd8wDNGOi5t:plZ45Mk2h1aG9EhRe4jEy9Fwf8TxzM3s

Score

10^/10

bumblebee mc1905 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

mc1905

C2

92.119.178.40:443

32.54.188.44:443

194.135.33.160:443

192.198.82.59:443

103.175.16.151:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 10 IoCs

flow	pid	Process
4	1412	wscript.exe
6	1412	wscript.exe
8	1412	wscript.exe
10	1412	wscript.exe
11	1612	rundll32.exe
17	1612	rundll32.exe
20	1612	rundll32.exe
23	1612	rundll32.exe
24	1612	rundll32.exe
27	1612	rundll32.exe

Downloads MZ/PE file

Loads dropped DLL 2 IoCs

pid	Process
1612	rundll32.exe
1940	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
1612	rundll32.exe
1940	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wscript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	wscript.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1412 wrote to memory of 1612	1412	wscript.exe	30
PID 1412 wrote to memory of 1612	1412	wscript.exe	30
PID 1412 wrote to memory of 1612	1412	wscript.exe	30
PID 1412 wrote to memory of 1940	1412	wscript.exe	31
PID 1412 wrote to memory of 1940	1412	wscript.exe	31
PID 1412 wrote to memory of 1940	1412	wscript.exe	31

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Inv(05-19)Copy#19-48-01.js
1⤵
- Blocklisted process makes network request
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1412
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\468520.dat,eOXScagadNKe
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:1612
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\207605.dat,eOXScagadNKe
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:1940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar14E0.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\207605.dat

Filesize
1.2MB

MD5
1908938d16a8d6bc4bfcf4e30372a8d4

SHA1
73999e5d51b760acfea77a062147566e36848118

SHA256
b80dcc464b29f7be0aae9eba4532fcc42d5da6e3452c5cb62a9755ca8d4cd19d

SHA512
58dbd34db87192f41397b5a2f8690a3f025b1b4cc7dbf54eef4d3c53ddbbb7a20fb0336038f59ef32730d4a5ca033fa8af4a1848968028486f128a56bf070d1c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\468520.dat

Filesize
1.2MB

MD5
ddca6d0fb96ba99f3a37d5b9d8a1f015

SHA1
d33f1482d9be9a89d9170222bead4ee93f424e18

SHA256
17d9d43a20027b9ec42ddf16de8ac8a55059c1140d3d28875b33cc34ad4b5c6c

SHA512
74166defef66e755150629dc00c5353713e59e6963dc04ec259712ac6c8318f06ed0dc07b23bf88e1b7f365ea3f937bc877103e87b31e2e78be50a8832d5f0f8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\207605.dat

Filesize
1.2MB

MD5
1908938d16a8d6bc4bfcf4e30372a8d4

SHA1
73999e5d51b760acfea77a062147566e36848118

SHA256
b80dcc464b29f7be0aae9eba4532fcc42d5da6e3452c5cb62a9755ca8d4cd19d

SHA512
58dbd34db87192f41397b5a2f8690a3f025b1b4cc7dbf54eef4d3c53ddbbb7a20fb0336038f59ef32730d4a5ca033fa8af4a1848968028486f128a56bf070d1c

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\468520.dat

Filesize
1.2MB

MD5
ddca6d0fb96ba99f3a37d5b9d8a1f015

SHA1
d33f1482d9be9a89d9170222bead4ee93f424e18

SHA256
17d9d43a20027b9ec42ddf16de8ac8a55059c1140d3d28875b33cc34ad4b5c6c

SHA512
74166defef66e755150629dc00c5353713e59e6963dc04ec259712ac6c8318f06ed0dc07b23bf88e1b7f365ea3f937bc877103e87b31e2e78be50a8832d5f0f8

Download Submit
memory/1612-117-0x00000000020B0000-0x0000000002211000-memory.dmp

Filesize
1.4MB

Download
memory/1612-118-0x00000000020B0000-0x0000000002211000-memory.dmp

Filesize
1.4MB

Download
memory/1612-119-0x00000000020B0000-0x0000000002211000-memory.dmp

Filesize
1.4MB

Download
memory/1612-120-0x0000000000190000-0x000000000020F000-memory.dmp

Filesize
508KB

Download
memory/1940-121-0x0000000002040000-0x00000000021A1000-memory.dmp

Filesize
1.4MB

Download
memory/1940-122-0x0000000000150000-0x00000000001CF000-memory.dmp

Filesize
508KB

Download

Analysis

Sharing