Malware Analysis Report

2024-10-23 15:36

Sample ID 230914-kr6d6aag7s
Target e4919447b9ea5c4f02a0746ab64f8e7e.exe
SHA256 f583b43851502322a69c67f0f8f3e50f296f397e4bbb50bc646bccca6ee79215
Tags
bumblebee js1 trojan
score
10/10

Analysis Overview

score
10/10

SHA256

f583b43851502322a69c67f0f8f3e50f296f397e4bbb50bc646bccca6ee79215

Threat Level: Known bad

The file e4919447b9ea5c4f02a0746ab64f8e7e.exe was found to be: Known bad.

Malicious Activity Summary

bumblebee js1 trojan

BumbleBee

Suspicious use of NtCreateThreadExHideFromDebugger

Unsigned PE

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-09-14 08:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-14 08:51

Reported

2023-09-14 08:53

Platform

win7-20230831-en

Max time kernel

122s

Max time network

125s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e4919447b9ea5c4f02a0746ab64f8e7e.dll

Signatures

BumbleBee

trojan bumblebee

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e4919447b9ea5c4f02a0746ab64f8e7e.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 v5b6ml4o0nq.life udp
DE 116.203.151.240:443 v5b6ml4o0nq.life tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2023-09-14 08:51

Reported

2023-09-14 08:53

Platform

win10v2004-20230831-en

Max time kernel

142s

Max time network

154s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e4919447b9ea5c4f02a0746ab64f8e7e.dll

Signatures

BumbleBee

trojan bumblebee

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\system32\regsvr32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e4919447b9ea5c4f02a0746ab64f8e7e.dll

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 v5b6ml4o0nq.life udp
DE 116.203.151.240:443 v5b6ml4o0nq.life tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.151.203.116.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 126.186.247.8.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp

Files
