bumblebee | 9e7d2449b38c6184a40a25a940d5aad6b0b937a84b4ddeff270cac45438ae4de

Analysis

max time kernel
134s
max time network
135s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
05-05-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quote.lnk
Size

1KB
MD5

4166dc23c9ffb1fe465288801da97ca9
SHA1

0e7319378d7cb33f123cd804630c7644384e8931
SHA256

940182dd2eaf42327457d249f781274b07e7978b62dca0ae4077b438a8e13937
SHA512

60d65cd412938bb55cd268ac81ba05e90790a12755b1d2bcdc351339dac88339b6851e1272716cb3dc3652900226b098b2c3b9b137bcc820510b65f36cb03aff

Score

10^/10

bumblebee 1508 execution loader

Malware Config

Extracted

Family

bumblebee

rc4.plain

Extracted

Family

bumblebee

Botnet

1508

172.93.201.138:443

116.142.140.251:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a loader malware written in C++.
loader bumblebee

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4780	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4780	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe
4780	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4780	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 4780	1844	cmd.exe	76
PID 1844 wrote to memory of 4780	1844	cmd.exe	76
PID 4780 wrote to memory of 3160	4780	powershell.exe	77
PID 4780 wrote to memory of 3160	4780	powershell.exe	77
PID 3160 wrote to memory of 3684	3160	csc.exe	78
PID 3160 wrote to memory of 3684	3160	csc.exe	78
PID 4780 wrote to memory of 3292	4780	powershell.exe	79
PID 4780 wrote to memory of 3292	4780	powershell.exe	79
PID 3292 wrote to memory of 4300	3292	csc.exe	80
PID 3292 wrote to memory of 4300	3292	csc.exe	80

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Quote.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:1844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -file quotefile.ps1
  2⤵
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4780
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hbmu2z0n\hbmu2z0n.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3160
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6968.tmp" "c:\Users\Admin\AppData\Local\Temp\hbmu2z0n\CSCD28339AAE1C64B7C881876EEAAB3478.TMP"
      4⤵
      PID:3684
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zpotwdrd\zpotwdrd.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3292
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8750.tmp" "c:\Users\Admin\AppData\Local\Temp\zpotwdrd\CSCAC4527B537C443FB9ADBA74EC78C7E44.TMP"
      4⤵
      PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6968.tmp

Filesize
1KB

MD5
9f01d1c4793bf5d0c791eab7605bd728

SHA1
fdd4bb6c1688fd71973d2bfac50497c1c54f4637

SHA256
60969b11ccfe0fbc134081b819cc6b2e3d34acf4d124b3cc0fc46fe8191d4311

SHA512
22a17fad3358b7f76d9dd60b8e5ff12f7b20ac9217bc0c3b9c450ead7b952a3692d64026741e19b8a4537a5acc336c2b6d4afefe97df45c1b3faa92faf2f7e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8750.tmp

Filesize
1KB

MD5
4e537f2a326de462a6207887a4b0bf48

SHA1
3243de42f27ef9d7b5e9f05a59aaa4a3c4184adb

SHA256
b2ff47a1023d4b56adcf4726ca4b2d93d2562259fe28e204864df119c0fa110a

SHA512
8beada10ec9e0c1d45720e30e27ab8719e3d5744b1c80424dd588394c48660ecc1e2501af4c8710c4aaa47fb433cec81ca7f4399dfe6a8d02e44bcc45c3e8f44

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_054cqfjj.vuh.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbmu2z0n\hbmu2z0n.dll

Filesize
3KB

MD5
0111130f6d689ad045841bebeb8c183c

SHA1
0cea4f281fb7fceb9865ae1eae7cae3545c17443

SHA256
bfada6b2a04d4ff75a1feae4907253cf6040cb1afdf044969ce7d3fd18240534

SHA512
b9be51d6156747c3e297c1e93fa1aa16138263503605e43f17b04ef9c28a5ed89c56720c855ea0d746163f2fe9ff15a0aaa064bda8d2e3d8f07ca0b77adcb925

Download Submit
C:\Users\Admin\AppData\Local\Temp\zpotwdrd\zpotwdrd.dll

Filesize
3KB

MD5
a936b30583beffdda06c6aac0024cf0f

SHA1
91206152d74a65a7326d0138e80a269db089f596

SHA256
15360fcaa844320fd78ab509e0eefff42ecd1ac5c6a87168866c2c3b0fd9b327

SHA512
23a4f91ce946a38bcd64a76c871cfda6eb7b208dac4a7ffe5b5341f6675dc352bed4bb4501ee9f71057b1dac6356a5d1d52455c2935d796f71fee0a4d28b818e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hbmu2z0n\CSCD28339AAE1C64B7C881876EEAAB3478.TMP

Filesize
652B

MD5
dd6699c9e046dbbc9f46324d7a6d80ef

SHA1
3b901d57d89b5527d8bd87717d5e78e528b7f0c1

SHA256
2d91b18235ff230a3bf0ac90cc291ece2c4a846492520acf01fcbd1f3dbf1f8d

SHA512
868755b2147c50af0b1b12ace7077e3e9b7badb9c209e4e869a3383dc4bee372ce9f0a85a16b6fd3688c4ebfc81c0fd324ff3e4b5a490c719ec740b19f90eecd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hbmu2z0n\hbmu2z0n.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hbmu2z0n\hbmu2z0n.cmdline

Filesize
369B

MD5
23954d2a8eed101c01268622d7fd48e9

SHA1
1d38b9f121be64a3b7e18ea78b280ab2eb79f977

SHA256
eb552427aa7ae35d7e58db3f5132319c4f373cf86476abc96e23ef63a64cef00

SHA512
60d42cde6ae7a3c5d665655f6b8e759e3cd516ef529c37d54b07e9d25611f8890d81754fe378cdad91cfab9ef3053e399954d9c2ad9e796216a51ce73fd5c517

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zpotwdrd\CSCAC4527B537C443FB9ADBA74EC78C7E44.TMP

Filesize
652B

MD5
be28c4d6b38f01e9c628e06c924beb8b

SHA1
4057b23a66702d0f1ab313e24cf94a79d3a3747f

SHA256
4a738fc3f4ac9ee3210cf0ad3c14ae0762bdadb1752131a72be46786222f7f76

SHA512
03c27f6163cfdd221cc068d2611f49b5000bc1a9b88e421d91c357532a0d70d744b93fb55c631155fddb75bde2d3675800357fb9890335851d7e335ec36b9348

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zpotwdrd\zpotwdrd.0.cs

Filesize
591B

MD5
9b5ca5987d03f2fda2d89b3225bb527b

SHA1
2fca70ccb8428eda41cb29785458155942e24da3

SHA256
e47533d0cbe442ac6b5bd50e507c9dae2c9f19ee4c0ffbc2273375f0721efaa8

SHA512
8e2c4ae7b952998cb6efaeaee6f274efb879f3c1bf657d83391ddf7ea291b4927204e5c2d67877b820a35a67d39dfe857b9f4725085062cae75bc871d657a7bf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zpotwdrd\zpotwdrd.cmdline

Filesize
369B

MD5
308a1cfb5765aabcf6eb96dbef01e734

SHA1
ac2f50f949335115f72f4f341327f8e5cb6b539b

SHA256
b819d14c7437501074cec2f8eb6fc7259d287d58f8570780a81be06b42249fba

SHA512
d555e4664bb4134ebaca17fd5cd4aa38eaf84420e87e6aba324ce773379e2b2169cc47f0b34ecdaa1b513bbe769b3ea7cfccf0e0d3320f13a92d902e85a51d93

Download Submit
memory/4780-46-0x00007FF831840000-0x00007FF83222C000-memory.dmp

Filesize
9.9MB

Download
memory/4780-2-0x00007FF831843000-0x00007FF831844000-memory.dmp

Filesize
4KB

Download
memory/4780-40-0x000001C4D5CB0000-0x000001C4D5CB8000-memory.dmp

Filesize
32KB

Download
memory/4780-13-0x00007FF831840000-0x00007FF83222C000-memory.dmp

Filesize
9.9MB

Download
memory/4780-12-0x000001C4D6960000-0x000001C4D69D6000-memory.dmp

Filesize
472KB

Download
memory/4780-11-0x00007FF831840000-0x00007FF83222C000-memory.dmp

Filesize
9.9MB

Download
memory/4780-8-0x000001C4D5C80000-0x000001C4D5CA2000-memory.dmp

Filesize
136KB

Download
memory/4780-59-0x000001C4BD8C0000-0x000001C4BD8C8000-memory.dmp

Filesize
32KB

Download
memory/4780-64-0x000001C4E6BB0000-0x000001C4E6CC6000-memory.dmp

Filesize
1.1MB

Download
memory/4780-70-0x000001C4E6CD0000-0x000001C4E6DE5000-memory.dmp

Filesize
1.1MB

Download
memory/4780-72-0x00007FF831843000-0x00007FF831844000-memory.dmp

Filesize
4KB

Download
memory/4780-73-0x00007FF831840000-0x00007FF83222C000-memory.dmp

Filesize
9.9MB

Download
memory/4780-74-0x00007FF831840000-0x00007FF83222C000-memory.dmp

Filesize
9.9MB

Download