Overview

overview

10

Static

static

1

6309e1.msi

windows7-x64

10

6309e1.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2023 14:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6309e1.msi

  • Size

    4.1MB

  • MD5

    9159f9fb42365dc0a492ece7ec9aa546

  • SHA1

    8b8426ade01c916bb1f08f69dee611d4cd2379b5

  • SHA256

    33a57eed92fa4acf1be788ce387d0f6f3804aab316d04bcfe8b43cccaf08bdbf

  • SHA512

    d40dcb370495edfe29c4eb488f7ca628a284a69de1d0aa8485d1c92659ab4a80839ce773f1f8b938f2333587019cb42831dd6ea2e349ae4bf7d096a09da657c5

  • SSDEEP

    49152:2DxTgxjSwdT55PZUdV0Du9WsVFPLYLeyCtw50kqKKAf5Q8+5eNBA:bxjSwdqswLYKy0wpqKKAf5Q

Score
10/10
bumblebeetest101234loader

Malware Config

Extracted

Family

bumblebee

Botnet

test101234

Attributes
  • dga

    n64c2akw.life

    zefawfb0.life

    dph3pby8.life

    hx0hysyg.life

    1qa3k743.life

    luw8ubf2.life

    rbvsf6io.life

    4huoqrsp.life

    8qwcvseh.life

    37zi55wc.life

    i9f44mju.life

    aqnx9c9h.life

    3nmeg5wa.life

    r5ue5rok.life

    et53yjoc.life

    tvgco82h.life

    0xtmu3tz.life

    6xhpschv.life

    6o26tws0.life

    0oz7923s.life

    54y2q50j.life

    9hh7hq5r.life

    r0ca080m.life

    43vtghfz.life

    qal55els.life

    p5e68m36.life

    x698iah6.life

    kqn0zkig.life

    wq6w8jkq.life

    i6n08gx7.life

  • dga_seed

    anjd78ka

  • domain_length

    8

  • num_dga_domains

    100

  • port

    443

rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a loader malware written in C++.

    loaderbumblebee
  • Loads dropped DLL 5 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Drops file in Windows directory 8 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 57 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6309e1.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4312
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4636
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2204
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F94DC99D4D39F28CED2429BC42F79E95
      2⤵
      • Loads dropped DLL
      PID:4640
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 8E0232315172FB1357092ABB2C796391
      2⤵
      • Loads dropped DLL
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      PID:4892
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:3840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Installer\MSI8BE0.tmp
    Filesize

    721KB

    MD5

    5a1f2196056c0a06b79a77ae981c7761

    SHA1

    a880ae54395658f129e24732800e207ecd0b5603

    SHA256

    52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

    SHA512

    9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

    Download Submit

  • C:\Windows\Installer\MSI8BE0.tmp
    Filesize

    721KB

    MD5

    5a1f2196056c0a06b79a77ae981c7761

    SHA1

    a880ae54395658f129e24732800e207ecd0b5603

    SHA256

    52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

    SHA512

    9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

    Download Submit

  • C:\Windows\Installer\MSI92D6.tmp
    Filesize

    721KB

    MD5

    5a1f2196056c0a06b79a77ae981c7761

    SHA1

    a880ae54395658f129e24732800e207ecd0b5603

    SHA256

    52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

    SHA512

    9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

    Download Submit

  • C:\Windows\Installer\MSI92D6.tmp
    Filesize

    721KB

    MD5

    5a1f2196056c0a06b79a77ae981c7761

    SHA1

    a880ae54395658f129e24732800e207ecd0b5603

    SHA256

    52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

    SHA512

    9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

    Download Submit

  • C:\Windows\Installer\MSI944E.tmp
    Filesize

    721KB

    MD5

    5a1f2196056c0a06b79a77ae981c7761

    SHA1

    a880ae54395658f129e24732800e207ecd0b5603

    SHA256

    52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

    SHA512

    9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

    Download Submit

  • C:\Windows\Installer\MSI944E.tmp
    Filesize

    721KB

    MD5

    5a1f2196056c0a06b79a77ae981c7761

    SHA1

    a880ae54395658f129e24732800e207ecd0b5603

    SHA256

    52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

    SHA512

    9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

    Download Submit

  • C:\Windows\Installer\MSI944E.tmp
    Filesize

    721KB

    MD5

    5a1f2196056c0a06b79a77ae981c7761

    SHA1

    a880ae54395658f129e24732800e207ecd0b5603

    SHA256

    52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

    SHA512

    9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

    Download Submit

  • C:\Windows\Installer\MSI94DB.tmp
    Filesize

    721KB

    MD5

    5a1f2196056c0a06b79a77ae981c7761

    SHA1

    a880ae54395658f129e24732800e207ecd0b5603

    SHA256

    52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

    SHA512

    9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

    Download Submit

  • C:\Windows\Installer\MSI94DB.tmp
    Filesize

    721KB

    MD5

    5a1f2196056c0a06b79a77ae981c7761

    SHA1

    a880ae54395658f129e24732800e207ecd0b5603

    SHA256

    52f41817669af7ac55b1516894ee705245c3148f2997fa0e6617e9cc6353e41e

    SHA512

    9afc180ebc10c0ee0d7306f4b7085608a4e69321044d474691587bf7e63f945888781a9fc5e69568d351ac690b0335214bd04bdf5c75fd8a3bd1ec4be5d3475a

    Download Submit

  • C:\Windows\Installer\MSI9644.tmp
    Filesize

    2.1MB

    MD5

    b6e50a33a2f3caa5346db94ab198ee99

    SHA1

    3734be87824bdce42c6f83115fde40a82bb42615

    SHA256

    353fda6e116118809b49dd3001ee532ddfacacaa40a43b951c9f1dd69c8e7491

    SHA512

    e849b0bf1b49030bc21584384908fd44a6400a1db8ad75dbc9241d53765dca4b0e9407838ee20945e038a23e70e02b74903ed1109e0c0eda5d2d2f044a9d6ad6

    Download Submit

  • C:\Windows\Installer\MSI9644.tmp
    Filesize

    2.1MB

    MD5

    b6e50a33a2f3caa5346db94ab198ee99

    SHA1

    3734be87824bdce42c6f83115fde40a82bb42615

    SHA256

    353fda6e116118809b49dd3001ee532ddfacacaa40a43b951c9f1dd69c8e7491

    SHA512

    e849b0bf1b49030bc21584384908fd44a6400a1db8ad75dbc9241d53765dca4b0e9407838ee20945e038a23e70e02b74903ed1109e0c0eda5d2d2f044a9d6ad6

    Download Submit

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    23.0MB

    MD5

    7994c688249f87a2310ed41d91d4cb24

    SHA1

    a1a53d63cef2033541082c28ebc26db99aae7fd2

    SHA256

    1bede9161568bc5bcb39e5810fecc93f875eb222bf284068384638b5fbafd906

    SHA512

    6d7c74f99f8f31f76d37066e22bf63e5caee1843efe0deced1b89a78f99003a14af69f7bf721b9e3d46a1bb13d49c4b6ccda9aaab0c68a8db967b3f1aeabaf8f

    Download Submit

  • \??\Volume{c2d04a06-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{23c66889-5659-4ed0-8c44-7876a34b9946}_OnDiskSnapshotProp
    Filesize

    5KB

    MD5

    84069d52dcc9df8f7222cb40e05699c6

    SHA1

    7b933e04a51051dbd3629c003e4f0cb99a7b72c5

    SHA256

    4602798aa105b88851de1807a906e8a63683da527d277914871854df3262a7ba

    SHA512

    37d980ac44adf6ff428c829dd8e1981b46cc2ff36a076cc22a0c464397682fbeb939afa91706c6e2677d2ecc544c7bd6704004dd3f26de5cedade8fdae637938

    Download Submit

  • memory/4892-33-0x000002E204590000-0x000002E2047A8000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4892-35-0x000002E204590000-0x000002E2047A8000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4892-36-0x00007FFC7D5B0000-0x00007FFC7D7A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4892-37-0x000002E204590000-0x000002E2047A8000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4892-34-0x00007FFC7D5B0000-0x00007FFC7D7A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4892-38-0x000002E204590000-0x000002E2047A8000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4892-39-0x00007FFC7D5B0000-0x00007FFC7D7A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4892-32-0x00007FFC7D5B0000-0x00007FFC7D7A5000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4892-31-0x000002E204280000-0x000002E204367000-memory.dmp

    Filesize

    924KB

    Download

  • memory/4892-42-0x000002E204280000-0x000002E204367000-memory.dmp

    Filesize

    924KB

    Download

  • memory/4892-43-0x00007FFC7D5B0000-0x00007FFC7D7A5000-memory.dmp

    Filesize

    2.0MB

    Download