Malware Analysis Report

2024-10-23 15:35

Sample ID 231009-2d8e2agg9z
Target LdrAddX64_out_cr70.dll.exe
SHA256 15b7cb2818530bbf0b55ea608d85df1bd97004a8556a358c11f84dbb93b893f7
Tags
bumblebee lg1010 trojan
score
10/10

Analysis Overview

score
10/10

SHA256

15b7cb2818530bbf0b55ea608d85df1bd97004a8556a358c11f84dbb93b893f7

Threat Level: Known bad

The file LdrAddX64_out_cr70.dll.exe was found to be: Known bad.

Malicious Activity Summary

bumblebee lg1010 trojan

BumbleBee

Suspicious use of NtCreateThreadExHideFromDebugger

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-10-09 22:29

Signatures

Unsigned PE

Description   Indicator   Process   Target
N/A           N/A         N/A       N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-09 22:29

Reported

2023-10-09 22:31

Platform

win7-20230831-en

Max time kernel

132s

Max time network

135s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\LdrAddX64_out_cr70.dll

Signatures

BumbleBee

trojan bumblebee

Suspicious use of NtCreateThreadExHideFromDebugger

Description   Indicator   Process                            Target
N/A           N/A         C:\Windows\system32\regsvr32.exe   N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\LdrAddX64_out_cr70.dll

Network

Country   Destination           Domain            Proto
US        8.8.8.8:53            g7qf7ew5c.life    udp
DE        128.140.53.189:443    g7qf7ew5c.life    tcp
DE        128.140.53.189:443    g7qf7ew5c.life    tcp
DE        128.140.53.189:443    g7qf7ew5c.life    tcp
DE        128.140.53.189:443    g7qf7ew5c.life    tcp
DE        128.140.53.189:443    g7qf7ew5c.life    tcp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-09 22:29

Reported

2023-10-09 22:31

Platform

win10v2004-20230915-en

Max time kernel

150s

Max time network

156s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\LdrAddX64_out_cr70.dll

Signatures

BumbleBee

trojan bumblebee

Suspicious use of NtCreateThreadExHideFromDebugger

Description   Indicator   Process                            Target
N/A           N/A         C:\Windows\system32\regsvr32.exe   N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\LdrAddX64_out_cr70.dll

Network

Country   Destination           Domain                         Proto
US        8.8.8.8:53            146.78.124.51.in-addr.arpa     udp
US        8.8.8.8:53            68.159.190.20.in-addr.arpa     udp
US        8.8.8.8:53            95.221.229.192.in-addr.arpa    udp
US        8.8.8.8:53            g7qf7ew5c.life                 udp
DE        128.140.53.189:443    g7qf7ew5c.life                 tcp
US        8.8.8.8:53            43.58.199.20.in-addr.arpa      udp
US        8.8.8.8:53            189.53.140.128.in-addr.arpa    udp
US        8.8.8.8:53            59.128.231.4.in-addr.arpa      udp
US        8.8.8.8:53            103.169.127.40.in-addr.arpa    udp
US        8.8.8.8:53            240.81.21.72.in-addr.arpa      udp
US        8.8.8.8:53            171.39.242.20.in-addr.arpa     udp
US        8.8.8.8:53            tse1.mm.bing.net               udp
US        204.79.197.200:443    tse1.mm.bing.net               tcp
US        204.79.197.200:443    tse1.mm.bing.net               tcp
US        204.79.197.200:443    tse1.mm.bing.net               tcp
US        8.8.8.8:53            26.35.223.20.in-addr.arpa      udp
DE        128.140.53.189:443    g7qf7ew5c.life                 tcp
DE        128.140.53.189:443    g7qf7ew5c.life                 tcp
DE        128.140.53.189:443    g7qf7ew5c.life                 tcp
DE        128.140.53.189:443    g7qf7ew5c.life                 tcp
