bumblebee | 7a33dd7271575d93a84138ff4d6ebe4eb068ee83555cade505eb6c84d4a5f302

Resubmissions

08-02-2024 21:52

240208-1q8e5ada57 10

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08-02-2024 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ps1.ps1
Size

71B
MD5

e6fb5ed0cbd3e324d774c7c8ff2c6caa
SHA1

fe7769b3632dec7700d4a81d44609095d0e56a98
SHA256

1e65ebca25cee22de96f313bf810a7f3324f3e811bbc1f0636aa9fdbc3801138
SHA512

f511c21615fd7ce18c5d1108d6c42f7e645ccb0db104721ec323a5e418eb8f7ef80c3a11c1d5e671269642f214daca6b720d64d54109d51549f7e0c42f2a827c

Score

10^/10

bumblebee dcc3 loader

Malware Config

Extracted

Family

bumblebee

Botnet

dcc3

Attributes

dga
vg7uaic3.life

9rzeyw6d.life

gaiuzmjh.life

fjtwh7ez.life

b7v0h14g.life

25utqefr.life

racgyvid.life

hocj7ez7.life

0yznun55.life

fcl2tw80.life

g4ggjukx.life

u3zvhegy.life

n6s0rru2.life

myskwtvz.life

es4xrlbf.life

rm0vgyz1.life

mkt3shgr.life

uj1lqdzb.life

wdxn08y6.life

xwcetuq6.life

7v3pqzur.life

z4u0pw7m.life

akzuglxg.life

0hb72lv4.life

qo725zwl.life

h5hyssny.life

dwdgv8ey.life

r1vp426o.life

s68s3bdd.life

r4x6iy6x.life

accq42df.life

z15hvoz2.life

idqrdhpg.life

sx3i8jmk.life

g7on0c47.life

d0paetq1.life

jtyk5gdq.life

wiw2pzow.life

f94vimcc.life

ztlkhvae.life

2m420uuq.life

18nf94hr.life

mc255438.life

4qrr6ij0.life

ql5hk4dj.life

b0wknuvv.life

c8o1xb3q.life

x1268u29.life

22km13qy.life

fjtg4l8d.life

12jawwzi.life

bnevdx61.life

fmeojv6b.life

frm6u0r1.life

acuaw2q0.life

i8kyugpr.life

zo2epezl.life

y7px5b06.life

x3h1ahco.life

y3v1d1vu.life

tmzcoebw.life

t5me2n7i.life

u45wcqn7.life

thde5hd5.life

56snpngr.life

orc3zq3c.life

ecdb0x3j.life

1330r5tl.life

ymxcwnjs.life

4eo14u97.life

dza0z859.life

gvwgb5nw.life

0be6z82a.life

qz0pzkv1.life

ig4xohtj.life

rtnzmwv0.life

x9e2x6a2.life

wvxatase.life

5zime47c.life

o0r9qsit.life

x2h84q1y.life

5s9j4ij0.life

rqmbst2l.life

widcqm70.life

kkrmo7k8.life

lni114wn.life

w9inw8u1.life

qpxq51gq.life

2r5pct64.life

2x5sidtj.life

61oankru.life

n1iq0gkh.life

g27j5iqe.life

y0a5tf81.life

pmrzi1bx.life

7nx3ips8.life

5a0mrc70.life

5cai9tan.life

4bekj09u.life

2jrlu58d.life
dga_seed
Ķ�C#��+
domain_length
8
num_dga_domains
100
port
443

rc4.plain

Signatures

BumbleBee
BumbleBee is a loader malware written in C++.
loader bumblebee
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

27 2972 rundll32.exe
51 2972 rundll32.exe
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

Processes:

rundll32.exe

pid process

2972 rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

2680 powershell.exe
2680 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2680 powershell.exe

flow	pid	process
27	2972	rundll32.exe
51	2972	rundll32.exe

pid	process
2972	rundll32.exe

pid	process
2680	powershell.exe
2680	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2680	powershell.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 2680 wrote to memory of 2972	2680	powershell.exe	rundll32.exe
PID 2680 wrote to memory of 2972	2680	powershell.exe	rundll32.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ps1.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" w_ver.dll DllRegisterServer
2⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
PID:2972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j0t2iskg.jaw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2680-6-0x000001EC7AAA0000-0x000001EC7AAC2000-memory.dmp

Filesize
136KB

Download
memory/2680-10-0x00007FFCD2A50000-0x00007FFCD3511000-memory.dmp

Filesize
10.8MB

Download
memory/2680-11-0x000001EC7A920000-0x000001EC7A930000-memory.dmp

Filesize
64KB

Download
memory/2680-12-0x000001EC7A920000-0x000001EC7A930000-memory.dmp

Filesize
64KB

Download
memory/2680-13-0x000001EC7A920000-0x000001EC7A930000-memory.dmp

Filesize
64KB

Download
memory/2680-16-0x00007FFCD2A50000-0x00007FFCD3511000-memory.dmp

Filesize
10.8MB

Download
memory/2972-17-0x0000022844700000-0x00000228447E7000-memory.dmp

Filesize
924KB

Download
memory/2972-18-0x00007FFCF0B90000-0x00007FFCF0D85000-memory.dmp

Filesize
2.0MB

Download
memory/2972-19-0x00007FFCF0B90000-0x00007FFCF0D85000-memory.dmp

Filesize
2.0MB

Download
memory/2972-20-0x0000022844A10000-0x0000022844C28000-memory.dmp

Filesize
2.1MB

Download
memory/2972-21-0x00007FFCF0B90000-0x00007FFCF0D85000-memory.dmp

Filesize
2.0MB

Download
memory/2972-22-0x0000022844A10000-0x0000022844C28000-memory.dmp

Filesize
2.1MB

Download
memory/2972-23-0x0000022844700000-0x00000228447E7000-memory.dmp

Filesize
924KB

Download
memory/2972-24-0x00007FFCF0B90000-0x00007FFCF0D85000-memory.dmp

Filesize
2.0MB

Download