bumblebee | 9e7d2449b38c6184a40a25a940d5aad6b0b937a84b4ddeff270cac45438ae4de

Analysis

max time kernel
134s
max time network
135s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
05-05-2024 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quotefile.ps1
Size

1.9MB
MD5

739eaf406607fa3efddb9c6c97cdba76
SHA1

bdb0575775a3447391b9d719e6d69c0e44549fd2
SHA256

d6cc3ac995484b99ed790b6f8ceb145492794eb5d01ec4a71123b9975e9bfd20
SHA512

80ccebc7f4ff3597031899973817acdb4c1638788aa37b536fcafb6cd03b2f6113d40527b2e7a7f49d4794f021c815f8dc85ac4fd372d40cde59da6db2769384
SSDEEP

24576:AzrIw+80AssR3D6UN6hzwbSVsi5MW94d5upIAMoIKAdqQb16:AwwahXsvWK1dj6

Score

10^/10

bumblebee 1508 execution loader

Malware Config

Extracted

Family

bumblebee

rc4.plain

Extracted

Family

bumblebee

Botnet

1508

172.93.201.138:443

116.142.140.251:443

rc4.plain

Signatures

BumbleBee
BumbleBee is a loader malware written in C++.
loader bumblebee

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2252	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2252	powershell.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2252	powershell.exe
2252	powershell.exe
2252	powershell.exe
2252	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2252	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 292	2252	powershell.exe	74
PID 2252 wrote to memory of 292	2252	powershell.exe	74
PID 292 wrote to memory of 4108	292	csc.exe	75
PID 292 wrote to memory of 4108	292	csc.exe	75
PID 2252 wrote to memory of 1992	2252	powershell.exe	76
PID 2252 wrote to memory of 1992	2252	powershell.exe	76
PID 1992 wrote to memory of 196	1992	csc.exe	77
PID 1992 wrote to memory of 196	1992	csc.exe	77

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\quotefile.ps1
1⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fmrkcugh\fmrkcugh.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:292
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8136.tmp" "c:\Users\Admin\AppData\Local\Temp\fmrkcugh\CSC10529390D3064404A097AC6D62FF2013.TMP"
    3⤵
    PID:4108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\414mupl3\414mupl3.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F6C.tmp" "c:\Users\Admin\AppData\Local\Temp\414mupl3\CSCA5C3D7EBD6414EAFA9A1A1ED90BBE623.TMP"
    3⤵
    PID:196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\414mupl3\414mupl3.dll

Filesize
3KB

MD5
0b4a29bc50762c1699044b018be4c84c

SHA1
1ca4f2b538c98a50b7ad853b2959867e7bc7969a

SHA256
b3d04017d424cb28547790580208e9c1eb50d02a8a83c3a2e5830f4244a96a25

SHA512
6575ac4de8dc10af52febe5f9009243028befab35db7979e1c7e6091eb1392de594151c6ca2b84d00ce789d4e9a3e9eac52711c7b7f0f9bbc4c4e24b8bf549b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8136.tmp

Filesize
1KB

MD5
d1dffc43961d5b327db0f92bcc2ee8cd

SHA1
40f1d536a2a4669ea7ddd56f71eb55806a39c3f0

SHA256
562827f41917219df49cd3b0c61ae19e2595ceec65ca812fcf0ba99f7971f5b3

SHA512
46c6ed3d6c098bf3cc5a4afe07035472310589a1bf4e5997433092726807f17e6e1391b78d48de0a5ba8463bd1d4392197cd9ab68c867ddf71033332a9d49cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9F6C.tmp

Filesize
1KB

MD5
efe96fc5629df9fbb27d03d83141b921

SHA1
b5bec7d3f33679b79a2b2600ad23a941b26dac21

SHA256
59c76a40edaac0dbbd92382979a9e27f6512cc7706ad7d608d497aa31d645e81

SHA512
951420dc218c1a98d5845ed8ef7dfa8604116b59e772a721efb821615ad457f28ded812d24982e7e7a128b6e56123b3d35f9f66ecbf660ba919e55cbab31d733

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gozslxjs.no3.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmrkcugh\fmrkcugh.dll

Filesize
3KB

MD5
b0a87537ace4d41178276dffc8c5ebf1

SHA1
e7badc2ba89db9bb9498bc5fd87977dd501dce83

SHA256
6e0eb67cac1c95fb2ab8084e8e6a55a6a1e874af0ddd81441baa71a636d440b0

SHA512
9d6f66546e57dea59cdcccf9f2e800a8fdba08d82a4671d3f155d8f0b4b4f56fe0f95a94c1b64f73c57f02939518d94a77421d4c21f76de1810ce5d2dbf4f413

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\414mupl3\414mupl3.0.cs

Filesize
591B

MD5
9b5ca5987d03f2fda2d89b3225bb527b

SHA1
2fca70ccb8428eda41cb29785458155942e24da3

SHA256
e47533d0cbe442ac6b5bd50e507c9dae2c9f19ee4c0ffbc2273375f0721efaa8

SHA512
8e2c4ae7b952998cb6efaeaee6f274efb879f3c1bf657d83391ddf7ea291b4927204e5c2d67877b820a35a67d39dfe857b9f4725085062cae75bc871d657a7bf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\414mupl3\414mupl3.cmdline

Filesize
369B

MD5
1b6c3a4b1d295a92da23222f7bd6339b

SHA1
b1ab17b44f22939da16ddb0d4e79e84564bd671a

SHA256
1cc4b84d36e18c9a25557e05ebd390136a785eeccf8e3e98dd65a9e6e7af1922

SHA512
06e19b471c2d7cb05618ded58d8eaa7b57f699d8c24d46ccc504293efb4fb0b38c547d7cfd745135fdefad5a8921161770ede2b66f943dec9dd36a6bc5c5c60d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\414mupl3\CSCA5C3D7EBD6414EAFA9A1A1ED90BBE623.TMP

Filesize
652B

MD5
f2aa9ece2db5f9924764f97be53e9f16

SHA1
e778d8cc24c4f70984bcee348dbdf402c70a8285

SHA256
c756d3d5ee142d52454bca757d11fa206d423eca0cf2d2b96187c896e47668e4

SHA512
0f3eecf37ce118da170bdc4443064ae160281525962bf2c08ea0fbd5bd9e697489f4bdc43b4b0e351b1e7cad7ec3fc12552d83fac37d3db0a2bd99d136d0d5e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fmrkcugh\CSC10529390D3064404A097AC6D62FF2013.TMP

Filesize
652B

MD5
03ad35e36ef9b1f77db5a0d28692354c

SHA1
fda7f37e688f9b1efcfb78022b53df1c2c77edc0

SHA256
389145719f3535766a88fd2137d4607c786bf3d3ac6dea6888d5ca90d10bcdf1

SHA512
e25061183ebc2a8b7df3880a0454a8c1763d40d4c780fe3a42569444e2097f8045dea65a99e686e48e0dfb9d27b05eb712ee514f17094b2766c3ed60a83ff632

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fmrkcugh\fmrkcugh.0.cs

Filesize
203B

MD5
b611be9282deb44eed731f72bcbb2b82

SHA1
cc1d606d853bbabd5fef87255356a0d54381c289

SHA256
ee09fdd61a05266e4e09f418fc6a452f1205d9f29afba6b8a1579333dc3ff3b6

SHA512
63b5ad7b65fd4866fb8841e4eee567e4f1e7888bb9fda8dd5c8dca3461d084d3f80ce920ae321609e4ff32ba13a55b7320282ce7201bb74a793d4700240360a4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\fmrkcugh\fmrkcugh.cmdline

Filesize
369B

MD5
4f6ef8c75d31f8969e8c70c2b4f633bf

SHA1
5bd9be2251772c6fac6e31d1fad233a74f5511f2

SHA256
2dfa5fc921b7ad89cd1d106f75ac6e16123ad36a3c6860c33930124947d92746

SHA512
39b2102a34357766341d8d6a8126138f4b2aedaccfdddeeeaae26e748d9471d1b2ee30131dde3a71eb69199a7385f8e1f0dfefbf1adea3fbb044da71e30bf68a

Download Submit
memory/2252-5-0x00000192CA3D0000-0x00000192CA3F2000-memory.dmp

Filesize
136KB

Download
memory/2252-37-0x00000192CA420000-0x00000192CA428000-memory.dmp

Filesize
32KB

Download
memory/2252-0-0x00007FFFCD8E3000-0x00007FFFCD8E4000-memory.dmp

Filesize
4KB

Download
memory/2252-10-0x00007FFFCD8E0000-0x00007FFFCE2CC000-memory.dmp

Filesize
9.9MB

Download
memory/2252-9-0x00000192E2A50000-0x00000192E2AC6000-memory.dmp

Filesize
472KB

Download
memory/2252-8-0x00007FFFCD8E0000-0x00007FFFCE2CC000-memory.dmp

Filesize
9.9MB

Download
memory/2252-43-0x00007FFFCD8E0000-0x00007FFFCE2CC000-memory.dmp

Filesize
9.9MB

Download
memory/2252-56-0x00000192CA150000-0x00000192CA158000-memory.dmp

Filesize
32KB

Download
memory/2252-61-0x00000192F2EB0000-0x00000192F2FC6000-memory.dmp

Filesize
1.1MB

Download
memory/2252-67-0x00000192F3000000-0x00000192F3115000-memory.dmp

Filesize
1.1MB

Download
memory/2252-69-0x00007FFFCD8E3000-0x00007FFFCD8E4000-memory.dmp

Filesize
4KB

Download
memory/2252-70-0x00007FFFCD8E0000-0x00007FFFCE2CC000-memory.dmp

Filesize
9.9MB

Download
memory/2252-71-0x00007FFFCD8E0000-0x00007FFFCE2CC000-memory.dmp

Filesize
9.9MB

Download