Analysis
-
max time kernel
130s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
21-05-2023 20:03
General
-
Target
Inv(05-19)Copy#19-48-01.js
-
Size
772KB
-
MD5
c56f106025e1853958f0745516c0b88f
-
SHA1
f3506be345eafb653e2c2c18410b8c4f5d1a2c26
-
SHA256
bcd9b7d4ca83e96704e00e378728db06291e8e2b50d68db22efd1f8974d1ca91
-
SHA512
facf6c8c5690209c1c905f96da1f6ef1ad8b86ab752e8714e73ae48781ff8bfec17813816862fe5d75a96d7c316c083d46e27accf4685e060c6555e882e24278
-
SSDEEP
24576:93vle/E45Mk2h1K3G9EhRe4jEER9Fwf8TxzM34LM9gkIy9ByxZO9TLd8wDNGOi5t:plZ45Mk2h1aG9EhRe4jEy9Fwf8TxzM3s
Malware Config
Extracted
bumblebee
mc1905
92.119.178.40:443
32.54.188.44:443
194.135.33.160:443
192.198.82.59:443
103.175.16.151:443
Signatures
-
BumbleBee
BumbleBee is a webshell malware written in C++.
-
Blocklisted process makes network request 9 IoCs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 2 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\Inv(05-19)Copy#19-48-01.js1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\970395.dat,eOXScagadNKe2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
-
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\58647.dat,eOXScagadNKe2⤵
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD54f56eb0fb2ef73476a8f4e7a191edf17
SHA19a61b80dd5fb583065fd569480f0e142e2a533b5
SHA2562d11e7cf72af4e1dab2c978d527d7a2c162cbc2e9cc32268479ec5b2ae8e08a2
SHA512196ac74e84f6a662c53dd96542c19d06b825748fbfdae150d267c055bdaf77327d62ca8e82c1189acb41907ab02073ac34ebb1d5f26ed8a7719dfe1d0c8160d5
-
Filesize
1.2MB
MD54f56eb0fb2ef73476a8f4e7a191edf17
SHA19a61b80dd5fb583065fd569480f0e142e2a533b5
SHA2562d11e7cf72af4e1dab2c978d527d7a2c162cbc2e9cc32268479ec5b2ae8e08a2
SHA512196ac74e84f6a662c53dd96542c19d06b825748fbfdae150d267c055bdaf77327d62ca8e82c1189acb41907ab02073ac34ebb1d5f26ed8a7719dfe1d0c8160d5
-
Filesize
1.2MB
MD53f52236ae776bccf4ed9bdb490ba821d
SHA1b5f09f5eb857c7f4563f0e9e11dd68d53885fccc
SHA2565fd1881863f9e1a14a6832df32f2fb5f116b4c420dfdee6545112a647738aa47
SHA512c482cc1fc2e586da4d4e957cb2fdc076055df6d5d1b077ef2f081e6c9e77694e410634f9d13d7c6a6eb2c9ab214466b2f74e1003e27167780306311a68928272
-
Filesize
1.2MB
MD53f52236ae776bccf4ed9bdb490ba821d
SHA1b5f09f5eb857c7f4563f0e9e11dd68d53885fccc
SHA2565fd1881863f9e1a14a6832df32f2fb5f116b4c420dfdee6545112a647738aa47
SHA512c482cc1fc2e586da4d4e957cb2fdc076055df6d5d1b077ef2f081e6c9e77694e410634f9d13d7c6a6eb2c9ab214466b2f74e1003e27167780306311a68928272
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
508KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
508KB