bumblebee | 38c37a12323334e8362d19f6788755fc5ba35f51b9f53a07ef5481f906807864

Resubmissions

09-10-2023 22:51

231009-2sxxvaha2s 10

20-06-2023 19:13

230620-xxhlhafa7y 10

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2023 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

doc_06.20.msi
Size

2.2MB
MD5

41f1f58087ac8ca8009d07032bf4319f
SHA1

8ab6be5ac1e70f9cf1a970e4a7b2c53f29dac067
SHA256

38c37a12323334e8362d19f6788755fc5ba35f51b9f53a07ef5481f906807864
SHA512

0c60361265f062afeab7f03e648da982050fa58b86bdf90d972b2a936a5c316cb45c6d696a106f18797e2d9810ace6ca12a13703be4cbaf618c50f3e4d4ba359
SSDEEP

49152:QHVNAxnHKwlpMBHOZ7wZAf8dwjeZvpA+ZSqfShYNUeCMziwF:Q12xHKwlpOH00dw0pFsbJZA

Score

10^/10

bumblebee msi11606 trojan

Malware Config

Extracted

Family

bumblebee

Botnet

msi11606

176.111.174.67:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a webshell malware written in C++.
trojan bumblebee

Loads dropped DLL 1 IoCs

pid	Process
1740	regsvr32.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1740	regsvr32.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{DD475EBC-D960-4AF4-BB8A-BE91FA942756}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4AE.tmp	msiexec.exe
File created	C:\Windows\Installer\e5803c6.msi	msiexec.exe
File created	C:\Windows\Installer\e5803c4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5803c4.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000fc6bda6a7e0913030000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000fc6bda6a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900fc6bda6a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dfc6bda6a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000fc6bda6a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4040	msiexec.exe
4040	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1212	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1212	msiexec.exe
Token: SeSecurityPrivilege	4040	msiexec.exe
Token: SeCreateTokenPrivilege	1212	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1212	msiexec.exe
Token: SeLockMemoryPrivilege	1212	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1212	msiexec.exe
Token: SeMachineAccountPrivilege	1212	msiexec.exe
Token: SeTcbPrivilege	1212	msiexec.exe
Token: SeSecurityPrivilege	1212	msiexec.exe
Token: SeTakeOwnershipPrivilege	1212	msiexec.exe
Token: SeLoadDriverPrivilege	1212	msiexec.exe
Token: SeSystemProfilePrivilege	1212	msiexec.exe
Token: SeSystemtimePrivilege	1212	msiexec.exe
Token: SeProfSingleProcessPrivilege	1212	msiexec.exe
Token: SeIncBasePriorityPrivilege	1212	msiexec.exe
Token: SeCreatePagefilePrivilege	1212	msiexec.exe
Token: SeCreatePermanentPrivilege	1212	msiexec.exe
Token: SeBackupPrivilege	1212	msiexec.exe
Token: SeRestorePrivilege	1212	msiexec.exe
Token: SeShutdownPrivilege	1212	msiexec.exe
Token: SeDebugPrivilege	1212	msiexec.exe
Token: SeAuditPrivilege	1212	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1212	msiexec.exe
Token: SeChangeNotifyPrivilege	1212	msiexec.exe
Token: SeRemoteShutdownPrivilege	1212	msiexec.exe
Token: SeUndockPrivilege	1212	msiexec.exe
Token: SeSyncAgentPrivilege	1212	msiexec.exe
Token: SeEnableDelegationPrivilege	1212	msiexec.exe
Token: SeManageVolumePrivilege	1212	msiexec.exe
Token: SeImpersonatePrivilege	1212	msiexec.exe
Token: SeCreateGlobalPrivilege	1212	msiexec.exe
Token: SeBackupPrivilege	3328	vssvc.exe
Token: SeRestorePrivilege	3328	vssvc.exe
Token: SeAuditPrivilege	3328	vssvc.exe
Token: SeBackupPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe
Token: SeTakeOwnershipPrivilege	4040	msiexec.exe
Token: SeRestorePrivilege	4040	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1212	msiexec.exe
1212	msiexec.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4040 wrote to memory of 2064	4040	msiexec.exe	101
PID 4040 wrote to memory of 2064	4040	msiexec.exe	101
PID 4040 wrote to memory of 1740	4040	msiexec.exe	103
PID 4040 wrote to memory of 1740	4040	msiexec.exe	103

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\doc_06.20.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1212

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2064
- C:\Windows\system32\regsvr32.exe
  regsvr32 "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\e1.dll"
  2⤵
  - Loads dropped DLL
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:1740

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5803c5.rbs

Filesize
7KB

MD5
3d34577482110bfebe2e23ef09ac3d7d

SHA1
fd2e5494d5350df271d1d5f83c00e14389ee0ebb

SHA256
215901dbe1d8d245aed9f273b13d3556ae4a56683a280653611a06e08c61f82e

SHA512
5f4661e7d9435ac36f98877a01e6e548f8ddbe16885ca063ce6593778fdb362e783520b5761dd9351ad97228c3b9bf758c710c164992a86a57d3447b73d46a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\e1.dll

Filesize
2.5MB

MD5
04889da884690bd296877a6a2453a715

SHA1
235a8e9a16a4e963fb2c453cbb469ea3e1590da3

SHA256
d1270e29d9a235bb456db76f5c88042eb06964145dd2b31f2ef87d5af1254e57

SHA512
74875267c6b96ef6c44ac19021f96213cd115061f881b22d849ebc98aa21c92af64f46c86b908b2da53d3f6fe8d9e7bd291ce11882cff0d11bf1294a39c58cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\e1.dll

Filesize
2.5MB

MD5
04889da884690bd296877a6a2453a715

SHA1
235a8e9a16a4e963fb2c453cbb469ea3e1590da3

SHA256
d1270e29d9a235bb456db76f5c88042eb06964145dd2b31f2ef87d5af1254e57

SHA512
74875267c6b96ef6c44ac19021f96213cd115061f881b22d849ebc98aa21c92af64f46c86b908b2da53d3f6fe8d9e7bd291ce11882cff0d11bf1294a39c58cc2

Download Submit
C:\Windows\Installer\e5803c4.msi

Filesize
2.2MB

MD5
41f1f58087ac8ca8009d07032bf4319f

SHA1
8ab6be5ac1e70f9cf1a970e4a7b2c53f29dac067

SHA256
38c37a12323334e8362d19f6788755fc5ba35f51b9f53a07ef5481f906807864

SHA512
0c60361265f062afeab7f03e648da982050fa58b86bdf90d972b2a936a5c316cb45c6d696a106f18797e2d9810ace6ca12a13703be4cbaf618c50f3e4d4ba359

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
e57190a29db44f7b25b4eb1856ccb63e

SHA1
fb67988cff05817e95e1ba2da8eca592299d67ff

SHA256
78df67223e1b2f41344fc6f6236885c0bf4549576b7031e7ee12fea130850c2b

SHA512
c2be6f35fc87cf6984e1910accfc3493e2547e172f6ce91c6a6ac650e058156b0ad4c393e04bd554ba477511546e796a2d8ca46127c5e63aac2c16c30b5a3398

Download Submit
\??\Volume{6ada6bfc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4ca8ecfe-767b-43cb-b65f-88996f642c18}_OnDiskSnapshotProp

Filesize
5KB

MD5
2cd9c93d96f2a69b255a264d1acaf1f5

SHA1
5e94d031875ed6ed8190005a39fe7c855a09426f

SHA256
b4bd53159badd58b0a6922cdd329da69049d5053410f5a7504bd107bad79a5e6

SHA512
2310dca62b98d3f8f296c9205c5274cc467d8e15a1800083230c4cd5c6c0f0d6ec3c1a460c7ea24c9a7cad528ed8987d08f10025c277502d57528dc2b7f0158e

Download Submit
memory/1740-26-0x0000000002C10000-0x0000000002D71000-memory.dmp

Filesize
1.4MB

Download
memory/1740-27-0x00007FF9E5630000-0x00007FF9E5825000-memory.dmp

Filesize
2.0MB

Download
memory/1740-28-0x0000000002C10000-0x0000000002D71000-memory.dmp

Filesize
1.4MB

Download
memory/1740-29-0x0000000002C10000-0x0000000002D71000-memory.dmp

Filesize
1.4MB

Download
memory/1740-30-0x0000000002C10000-0x0000000002D71000-memory.dmp

Filesize
1.4MB

Download
memory/1740-31-0x00007FF9E5630000-0x00007FF9E5825000-memory.dmp

Filesize
2.0MB

Download
memory/1740-32-0x00007FF9E5630000-0x00007FF9E5825000-memory.dmp

Filesize
2.0MB

Download
memory/1740-24-0x0000000002C10000-0x0000000002D71000-memory.dmp

Filesize
1.4MB

Download
memory/1740-25-0x0000000002AA0000-0x0000000002C06000-memory.dmp

Filesize
1.4MB

Download
memory/1740-35-0x0000000002AA0000-0x0000000002C06000-memory.dmp

Filesize
1.4MB

Download