Analysis Overview
SHA256
f583b43851502322a69c67f0f8f3e50f296f397e4bbb50bc646bccca6ee79215
Threat Level: Known bad
The file e4919447b9ea5c4f02a0746ab64f8e7e.exe was found to be: Known bad.
Malicious Activity Summary
BumbleBee
Suspicious use of NtCreateThreadExHideFromDebugger
Unsigned PE
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-09-14 08:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-14 08:51
Reported
2023-09-14 08:53
Platform
win7-20230831-en
Max time kernel
122s
Max time network
125s
Command Line
Signatures
BumbleBee
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e4919447b9ea5c4f02a0746ab64f8e7e.dll
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | v5b6ml4o0nq.life | udp |
| DE | 116.203.151.240:443 | v5b6ml4o0nq.life | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-14 08:51
Reported
2023-09-14 08:53
Platform
win10v2004-20230831-en
Max time kernel
142s
Max time network
154s
Command Line
Signatures
BumbleBee
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e4919447b9ea5c4f02a0746ab64f8e7e.dll
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | v5b6ml4o0nq.life | udp |
| DE | 116.203.151.240:443 | v5b6ml4o0nq.life | tcp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.151.203.116.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.186.247.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files