Overview

overview

10

Static

static

1

AdobePDFRe...9).msi

windows7-x64

7

AdobePDFRe...9).msi

windows10-2004-x64

10

Resubmissions

09-10-2023 22:51

231009-2syt5sba42 10

26-04-2023 10:03

230426-l3jvzaae4s 10

Analysis

  • max time kernel
    148s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-10-2023 22:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AdobePDFReader (9).msi

  • Size

    2.2MB

  • MD5

    fadc9824c68402143239f764c99bb82d

  • SHA1

    7eb72321c2c1e25b11c9d44229af22a179e27ce8

  • SHA256

    9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

  • SHA512

    916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6

  • SSDEEP

    49152:NMU9FgsN+TXYr+LrUcdEL9MklhGUWhe8u/g1PQNPEUI:6gFPgYrordG9t0lepg1P2XI

Score
10/10
bumblebeead2404trojan

Malware Config

Extracted

Family

bumblebee

Botnet

ad2404

C2

149.3.170.185:443

23.108.57.117:443

199.195.249.67:443

103.175.16.149:443

209.141.58.129:443

192.254.79.106:443
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Blocklisted process makes network request 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\AdobePDFReader (9).msi"
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1636
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3316
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:2096
      • C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe
        "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1524
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1"
        2⤵
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4572
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hrfw3y23\hrfw3y23.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2340
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9FD5.tmp" "c:\Users\Admin\AppData\Local\Temp\hrfw3y23\CSC93661F016D3C4C93A9775171481227.TMP"
            4⤵
              PID:3988
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l2zni4u2\l2zni4u2.cmdline"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:2160
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB6D8.tmp" "c:\Users\Admin\AppData\Local\Temp\l2zni4u2\CSC3C4C0FB7A79F48FBA8DD73B84A9E253B.TMP"
              4⤵
                PID:5064
        • C:\Windows\system32\vssvc.exe
          C:\Windows\system32\vssvc.exe
          1⤵
          • Checks SCSI registry key(s)
          • Suspicious use of AdjustPrivilegeToken
          PID:3628

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Config.Msi\e589055.rbs
          Filesize

          7KB

          MD5

          eb5ee4254d387cad2e03b632cb05a0a6

          SHA1

          f4581820b4364bdb50c146a750441f9949de530d

          SHA256

          83791165412b79a6cfecaa69eac015623626fe50ada03419132bbfb0977fb128

          SHA512

          98b79e4082c5ffac57c2daf707e43a992b8a948ea370149d5bd874472c79182504876e82e849c97c42aea76fc6194da0f8f585a27dea431e4380988fd19ada65

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\ad.ps1
          Filesize

          2.2MB

          MD5

          4e0e85a590f4972732f1f0de81aa5507

          SHA1

          8e1bcab1ac25c59c1203d808f04b53b1db5fd7eb

          SHA256

          bde15453821fff0d2ed08a8c10885c9ab4ec1ccc6b4b23a41e9e324e4e80a195

          SHA512

          2b874cf59cdc7298b7fcf6712db3ec4013fcd87b7c7bb44400a789821b35bc57e3ff4e98ccfe93bc4cb420d25b2d3e6967eab2e98abf43bb16543f454cef8953

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe
          Filesize

          1.2MB

          MD5

          eb17c8572700a9b7bbfb6c1142ad443e

          SHA1

          74022bd63cf919ac44af0dcbe0e4c14756c34b2e

          SHA256

          302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

          SHA512

          e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\readerdc64.exe
          Filesize

          1.2MB

          MD5

          eb17c8572700a9b7bbfb6c1142ad443e

          SHA1

          74022bd63cf919ac44af0dcbe0e4c14756c34b2e

          SHA256

          302b598ae57ca91ba4b4b59e926f2e07a073ab9afcb98eccde02f5e84cdfef52

          SHA512

          e7660219d815bc40741fd6737c092c8f442ebbec4f18981fbf261a269c4e2e162dc0349f76eb7b03a78529021fdab9b84322de7683685ab5d512ac7b4a5a63b0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RES9FD5.tmp
          Filesize

          1KB

          MD5

          9d5fe8d784a0830d47305b62ae9684c0

          SHA1

          c57aa199bf6cc3deccb00332b027fc48e51b4e65

          SHA256

          5e283d2b30b8c3e46ea9a12dc1fb5a5dd27372bb51868be2a4ff204bd080f332

          SHA512

          fd0031789e513fe7e404452d2ae1a7c6bb7086286fb90737fcf8117912669f8861d16220a2066d3489af28eccdffda7fe2177b1d41d93b1d6fe619605defe5a5

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RESB6D8.tmp
          Filesize

          1KB

          MD5

          89f422c5f12ba7ba10098fa1776a4f77

          SHA1

          1b17cecae98e6afb3deba5a582abc024ff47cf81

          SHA256

          ef783bcc3a6e41ee5385211b014c28718d7d377928a479a8f01e3aba485092a6

          SHA512

          e1f992366111613641d67a3b277868355d15e4ab56ef7db7360b6c6547489cf1bd29596fd37e3b5f15e32f3629df59670aacc9b80d0a1d5aee9e0d90cb3b5a31

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bunowfea.12r.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\hrfw3y23\hrfw3y23.dll
          Filesize

          3KB

          MD5

          b48e56bdb660a832fb70c96119234d5e

          SHA1

          d3856e6fe6fb7c04c6ee07c811eedcc48562e30d

          SHA256

          dcf3c5f0a6bdb8138bf813bd769c767bebd52f78fa8e3cb6aa465e5ee691f0be

          SHA512

          8e06a469f61ac18718af7d797a3103dcbe1cbc470c324229f223356045d200337a8405a4f13f71b6558e888a23b594e39b60ae665ae16588de240b2f033ead4c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\l2zni4u2\l2zni4u2.dll
          Filesize

          3KB

          MD5

          d8c10b9a293f34508b84bc9e1284b386

          SHA1

          32c54134d7323c32b650e0f7add72525e50d1098

          SHA256

          f3229f020e34ddbabb5a526b96dd01cda0301e12cad9fa8f9395654e4c79f13e

          SHA512

          244ab200b771aee7b6ca99a796241a07f826bbeee4f8a7a1df92de122cefc39b41cebe3849b5017eaa7a37b2d9c7b61e95c4e71a19052affad02b3c07cb7fe1d

          Download Submit

        • C:\Windows\Installer\e589054.msi
          Filesize

          2.2MB

          MD5

          fadc9824c68402143239f764c99bb82d

          SHA1

          7eb72321c2c1e25b11c9d44229af22a179e27ce8

          SHA256

          9890ae69f0a31a5656dbebce11384a70820ac49cabe9b244dfb8a5ed22617ff5

          SHA512

          916b9b9836d5003193cf4f52c501a90ba16f18ca13a05325f9e11a6ee9d05b927013c09524757f33efd153c0e1d25648233e79f9a8eaa81fd69ed79282268ef6

          Download Submit

        • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
          Filesize

          23.0MB

          MD5

          624ea8e94f720b901dc3a08eb95e1628

          SHA1

          951bc449520bf0c58d6d45b6aef5f1e947df7b32

          SHA256

          b54f89234734186edeb19680333df70de24aa3be3002e2b3a514a99c7f4718e9

          SHA512

          7b85b57e07829b49e61bca222b721ba06f8928bcf2fd7d418e1afe1e13dee0ac6c314d55a1f27a5b8572bc3c7c420e739cbdb600596a7a29adceef2078ca3a2e

          Download Submit

        • \??\Volume{990d5e2d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6ca54f11-51be-46e9-ab25-94334ac026f0}_OnDiskSnapshotProp
          Filesize

          5KB

          MD5

          eac0e9e25f5668a74f4be7e43501e575

          SHA1

          4b33968320cc8553c039eb55cfd9956c17ac2241

          SHA256

          fb6ff541bffb6d61245b8a5e103878e5b3c1ba3d5125aea6308931825437a6e9

          SHA512

          8c042221911a3fd1d208f9ee2631f1179e8fd131c60a6420aa843a30ec163194096be7168ebf4f05f4baeb2e65a66ddc2b7785bf5b638df5cf8788532a273a1c

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\hrfw3y23\CSC93661F016D3C4C93A9775171481227.TMP
          Filesize

          652B

          MD5

          73f96c075ec4d746838a3a9d752b3f7b

          SHA1

          714513754f8d4628e28c462e2251a9a5cbde4c9e

          SHA256

          a8fef4e2387b1e7af05a7505ae9cee50699cfa8a5ca9780be35c8acc98217289

          SHA512

          d06f26c827e702f953c1df8363afe8eee05960e7a5ff4f4df16bbd7f1485315ae7fc5460163cadb65c8ddc4242b115bca6e4f8dfca27fed928c45195f4574816

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\hrfw3y23\hrfw3y23.0.cs
          Filesize

          203B

          MD5

          b611be9282deb44eed731f72bcbb2b82

          SHA1

          cc1d606d853bbabd5fef87255356a0d54381c289

          SHA256

          ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

          SHA512

          63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\hrfw3y23\hrfw3y23.cmdline
          Filesize

          369B

          MD5

          400240ff235b552f284fcea7c9dbc2c3

          SHA1

          a5c93081e308d0c8b2a64f9b83b612e8db1c2458

          SHA256

          b98b8888ff444e0434c187fbf60155def4d3314a3ba40577780c24b39b5dbda1

          SHA512

          ec523b48340144e7455d0449828e1eab9ebe87f0bf2647c4921b03bc2c902585756cc570513e6c64a270042a5aaee252ff79045065b491c444c9b204dd6fd384

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\l2zni4u2\CSC3C4C0FB7A79F48FBA8DD73B84A9E253B.TMP
          Filesize

          652B

          MD5

          630055d08b4a2e7b84f08726913d4f1f

          SHA1

          42f9eae0588821642680951730901f3fb80500a0

          SHA256

          e910f7588ecadae22b240e7583252be2249a1d75d0cf0386597be522cca5d913

          SHA512

          ee047f839a1191982add75994015f2cbfb9db5b69753e39fd60ed54dc979feae683d87e77ecaf1f05034b8102f7c2d5d017b81e6f4ce1035c8a31cc9307be64f

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\l2zni4u2\l2zni4u2.0.cs
          Filesize

          582B

          MD5

          2bb8d0ee93aeae61a09adf4db6f29c1c

          SHA1

          8da3034bb8f84ea2522e276b492b2797b5db30ca

          SHA256

          68d44e3c373d2aec9dacf51326cbfebcba76c1c1a56545e5e1cbf58b44a9f817

          SHA512

          b3ec6841a9541e96a671a7d81378293567972541d9cdfc3137b478d9b4d3cccd4b5f536d0f059ee9c12fe9ba86bca62b795139a5215843465cb751e0ade95677

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\l2zni4u2\l2zni4u2.cmdline
          Filesize

          369B

          MD5

          fef97f673116c50a53c4a044d7b82cb7

          SHA1

          af4c6f091bcc1363d9d324d02b9d4c177e3ca20d

          SHA256

          050abe6006ff7f81cd6c364b1eb17d79d6d5d938b0286093142b9762d8b2a9ef

          SHA512

          f24ee6e595d18f9408920fc00fbda2580ac1696d679b214569daf23207fd87af7f39c01b0507cc46c6debdd132c6469bc41f5eef0bf34f9f006e23dca5834dcc

          Download Submit

        • memory/1524-26-0x00000000025F0000-0x00000000025F3000-memory.dmp

          Filesize

          12KB

          Download

        • memory/1524-77-0x00000000001B0000-0x00000000005E9000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/1524-18-0x00000000001B0000-0x00000000005E9000-memory.dmp

          Filesize

          4.2MB

          Download

        • memory/1524-62-0x00000000025F0000-0x00000000025F3000-memory.dmp

          Filesize

          12KB

          Download

        • memory/4572-81-0x00000286F6670000-0x00000286F6680000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4572-90-0x00000286F6CE0000-0x00000286F6E4A000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4572-28-0x00007FFA37BB0000-0x00007FFA38671000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4572-60-0x00000286F65F0000-0x00000286F65F8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4572-75-0x00000286F5F40000-0x00000286F5F48000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4572-41-0x00000286F6670000-0x00000286F6680000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4572-78-0x00007FFA37BB0000-0x00007FFA38671000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4572-79-0x00000286F6670000-0x00000286F6680000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4572-80-0x00000286F6670000-0x00000286F6680000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4572-42-0x00000286F6670000-0x00000286F6680000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4572-82-0x00000286F6B70000-0x00000286F6CDA000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4572-88-0x00007FFA57D30000-0x00007FFA57F25000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4572-91-0x00007FFA57D30000-0x00007FFA57F25000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4572-27-0x00000286F6580000-0x00000286F65A2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4572-92-0x00007FFA57D30000-0x00007FFA57F25000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4572-89-0x00007FFA57D30000-0x00007FFA57F25000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4572-93-0x00007FFA57D30000-0x00007FFA57F25000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4572-94-0x00007FFA57D30000-0x00007FFA57F25000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4572-96-0x00007FFA57F30000-0x00007FFA57F31000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4572-95-0x00007FFA57D30000-0x00007FFA57F25000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4572-97-0x00007FFA57D30000-0x00007FFA57F25000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4572-98-0x00000286F6CE0000-0x00000286F6E4A000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4572-99-0x00000286F6CE0000-0x00000286F6E4A000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/4572-107-0x00000286F6670000-0x00000286F6680000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4572-108-0x00007FFA57D30000-0x00007FFA57F25000-memory.dmp

          Filesize

          2.0MB

          Download