bumblebee | bcd9b7d4ca83e96704e00e378728db06291e8e2b50d68db22efd1f8974d1ca91

Analysis

max time kernel
150s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2023 19:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Inv(05-19)Copy#19-48-01.js
Size

772KB
MD5

c56f106025e1853958f0745516c0b88f
SHA1

f3506be345eafb653e2c2c18410b8c4f5d1a2c26
SHA256

bcd9b7d4ca83e96704e00e378728db06291e8e2b50d68db22efd1f8974d1ca91
SHA512

facf6c8c5690209c1c905f96da1f6ef1ad8b86ab752e8714e73ae48781ff8bfec17813816862fe5d75a96d7c316c083d46e27accf4685e060c6555e882e24278
SSDEEP

24576:93vle/E45Mk2h1K3G9EhRe4jEER9Fwf8TxzM34LM9gkIy9ByxZO9TLd8wDNGOi5t:plZ45Mk2h1aG9EhRe4jEy9Fwf8TxzM3s

Score

10^/10

bumblebee mc1905 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

mc1905

92.119.178.40:443

32.54.188.44:443

194.135.33.160:443

192.198.82.59:443

103.175.16.151:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Blocklisted process makes network request 10 IoCs

flow	pid	Process
14	3384	wscript.exe
17	3384	wscript.exe
24	3384	wscript.exe
28	2616	rundll32.exe
42	2616	rundll32.exe
59	2616	rundll32.exe
63	2616	rundll32.exe
64	2616	rundll32.exe
66	2616	rundll32.exe
67	2616	rundll32.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	wscript.exe

Loads dropped DLL 2 IoCs

pid	Process
2616	rundll32.exe
2200	rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
2616	rundll32.exe
2200	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3384 wrote to memory of 2616	3384	wscript.exe	85
PID 3384 wrote to memory of 2616	3384	wscript.exe	85
PID 3384 wrote to memory of 2200	3384	wscript.exe	86
PID 3384 wrote to memory of 2200	3384	wscript.exe	86

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Inv(05-19)Copy#19-48-01.js
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\885251.dat,eOXScagadNKe
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:2616
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\815165.dat,eOXScagadNKe
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:2200

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\815165.dat

Filesize
1.2MB

MD5
461c2103260f134492b83407236f1d41

SHA1
4dc9b33eb54f198d1e9d635d9a204e46fee3900b

SHA256
95870f5f19e665f2f8b63df3d3374d76ba9eaf8d20ba9f2a36e899a4fd6a310f

SHA512
eaa27683c28ab1cd0800320a3d5b5b237ffaa9949a893df9486bf5f76c0ae7c2a70384173cdd7489fadded2ae0217ab6aaf3dd8fd929abf6ddae26183e2bea06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\815165.dat

Filesize
1.2MB

MD5
461c2103260f134492b83407236f1d41

SHA1
4dc9b33eb54f198d1e9d635d9a204e46fee3900b

SHA256
95870f5f19e665f2f8b63df3d3374d76ba9eaf8d20ba9f2a36e899a4fd6a310f

SHA512
eaa27683c28ab1cd0800320a3d5b5b237ffaa9949a893df9486bf5f76c0ae7c2a70384173cdd7489fadded2ae0217ab6aaf3dd8fd929abf6ddae26183e2bea06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\885251.dat

Filesize
1.2MB

MD5
fc9152c68986e5cb45341710fd887e31

SHA1
1379c50d013e9a164fb22eef1f22b89ed203cba6

SHA256
a712deb89b9b5f9db0e85f52949585aa5fece1f198cb8ac11e9ae12b06a0f8f4

SHA512
4a42dad01cc8c714dd0a1f3e0662136aa4af2f922632b4a30cdd90ca7d0754bcbc575a5b08ca29b1e5ed0fe87ce2996e7a779be9eb2cd4c32604b6dc3a4dceb0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\885251.dat

Filesize
1.2MB

MD5
fc9152c68986e5cb45341710fd887e31

SHA1
1379c50d013e9a164fb22eef1f22b89ed203cba6

SHA256
a712deb89b9b5f9db0e85f52949585aa5fece1f198cb8ac11e9ae12b06a0f8f4

SHA512
4a42dad01cc8c714dd0a1f3e0662136aa4af2f922632b4a30cdd90ca7d0754bcbc575a5b08ca29b1e5ed0fe87ce2996e7a779be9eb2cd4c32604b6dc3a4dceb0

Download Submit
memory/2200-152-0x00000140CF910000-0x00000140CFA71000-memory.dmp

Filesize
1.4MB

Download
memory/2200-153-0x00000140CF6E0000-0x00000140CF75F000-memory.dmp

Filesize
508KB

Download
memory/2616-148-0x00000270F12F0000-0x00000270F1451000-memory.dmp

Filesize
1.4MB

Download
memory/2616-149-0x00000270F12F0000-0x00000270F1451000-memory.dmp

Filesize
1.4MB

Download
memory/2616-150-0x00000270F12F0000-0x00000270F1451000-memory.dmp

Filesize
1.4MB

Download
memory/2616-151-0x00000270F1110000-0x00000270F118F000-memory.dmp

Filesize
508KB

Download