Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • submitted
    22-11-2024 03:48

General

  • Target

    Acrobat_DC_x64_VIP_v10.12.msi

  • Size

    2.7MB

  • MD5

    b9632555b2c19b9182cab9c098c22d8e

  • SHA1

    100d612540c51413141f52c3888114cddb76e9a0

  • SHA256

    1164b944f47a9701ddd682f59c60425faed350647e3f9e562e1abc140a89c7f2

  • SHA512

    b90b26af09115c4ad37f5cb40135de51835ccffbd666168934062fb587a9111fa535e21c1e231aed76a5e871d63a9f71b686367defed3d584f6d76f75e5acb52

  • SSDEEP

    49152:/O05mqQDiCjwnwVv+i2MF/NtSftHFDSy4dx21N+NfSf/wXoCBBUQZcUJ8+mp3gi/:/rABiCjwnwVmGF1t6R1j4dx8Njf/w4C2

Malware Config

Extracted

Family

bumblebee

Botnet

138704

Attributes
  • dga

    45urhm0ldgxb.live

    gx6xly9rp6vl.live

    zv46ga4ntybq.live

    7n1hfolmrnbl.live

    vivh2xlt9i6q.live

    97t3nh4kk510.live

    kbkdtwucfl40.live

    qk6a1ahb63uz.live

    whko7loy7h5z.live

    dad1zg44n0bn.live

    7xwz4hw8dts9.live

    ovekd5n3gklq.live

    amwnef8mjo4v.live

    e7ivqfhnss0x.live

    rjql4nicl6bg.live

    4mo318kk29i4.live

    zpo18lm8vg1x.live

    jc51pt290y0n.live

    rg26t2dc4hf4.live

    qw9a58vunuja.live

    ugm94zjzl5nl.live

    mckag832orba.live

    pdw0v9voxlxr.live

    m4tx2apfmoxo.live

    n2uc737ef71m.live

    hkk3112645hz.live

    ugko9g5ipa4o.live

    8wgq2x4dybx9.live

    h81fx7sj8srr.live

    a4tgoqi1cm8x.live

  • dga_seed

    7834006444057268685

  • domain_length

    12

  • num_dga_domains

    300

  • port

    443

rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a loader malware written in C++.

  • Bumblebee family
  • Blocklisted process makes network request 17 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 4 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Acrobat_DC_x64_VIP_v10.12.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2692
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Windows\system32\rundll32.exe
      "rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\qpgEZsswIP.dll",DllRegisterServer
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      PID:2052
    • C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies system certificate store
      • Suspicious use of SetWindowsHookEx
      PID:2144
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2820
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003DC" "00000000000003D8"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1260

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\f7709a4.rbs

    Filesize

    7KB

    MD5

    b7b7530cac0e97a0d7bb6763cf2808e8

    SHA1

    61fd9e575eb33e859948e657db2c7edf0fd5738e

    SHA256

    f37475cfaf4d4e3babaeb85151187b2bd4d0c9ff9119b5ca91cd01aef4a11a3e

    SHA512

    e3eb325055dedcbf2194c80c0eab1f345315719f01d1716f84762585cc8a70d50db2afbdd1682ed4c2d1b59177b2da6d31c1126994403252e232044f29c9a41b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    c02213aa46d28a93d790974f291d2e15

    SHA1

    ad104bc8ad93e8af90f3c7e3319d5317dd677373

    SHA256

    b32b87b793c8aa2317c383e588e182486be07e1b4176b8e66dc3f739449950a7

    SHA512

    7f4b74815d1389a9cde19564f80dcf519af39f867b2df427a462c7ccb7c0b47f83359e9e0730dea6deeb8a3e43d974cfeba9e2762d2eb6dce5d099524f725b14

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    50841579290a583767d638e367570ff7

    SHA1

    cba3bd0c54db58c9e8ddaf1595d5f7d7d3ad9ca8

    SHA256

    0a45e0e6e8f18a8d6f0708444ee61ceb929c17cff8850aeb9aa79afe4e81ede3

    SHA512

    1de95555b831f198ac6389ed493b6a97438bfcb369a1e21fea968d9c01114256f0b54124a071816b17b3607e6ee1726b86322a76075a1f896fe0379d5ee7d1b4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d77ea2e99d2e5c7dd6dc07790ba307b8

    SHA1

    b985cf63487ed9b1371ef557eeaa45004a03f761

    SHA256

    b98a06b002f1e8c6d73ca5ff6a54096862adc843ce5d2037ef8f64e1838b4750

    SHA512

    6c42d6a1198cdbf09a10113e1f0501c85b80b3fc77a2285379b39f52935fa5995eefd6567fab60c90fefdcd1e96a72e39c0317a734ae88bdd98c0e102bf2bf3c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    454ccfed2134525b9745e79aa28c2799

    SHA1

    7a2a64a9b849fe3026099cdc2f4c9be55581eb8e

    SHA256

    5ec653267121b788cadfad19e8da55e10bdcfecb26d5ff4de694463060e37cfd

    SHA512

    169ab22ff8c99764cba35b19a4e05723251005d820da00600bb1d7835e289911c1d092630fd8a5d352c079300f547ccb9740e0af651c4b7528e9e8aa727390e0

  • C:\Users\Admin\AppData\Local\Temp\Cab11BE.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe

    Filesize

    1.4MB

    MD5

    e4e96d377207c990295577e0ebd93f79

    SHA1

    6c6ed98b484f8a1a145ebe7d900df36fb4abc931

    SHA256

    ac6311039d5bfe719198c15577d3ee870185529f9510f5c0ddc066f1c8d8c462

    SHA512

    3db14a6f3dfa2e2768b1c25a65bc6f48c5dc763d80fee576cd7d0b21f3ecdcd25c0096b10c947f6b24999c23df75709604a4dc0fd1d894cdb1b9a556e1e6eaf7

  • C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\qpgEZsswIP.dll

    Filesize

    2.3MB

    MD5

    3cf367e01d074e622e14c36fe1685c0a

    SHA1

    f9b347b843f438564e606a7d3e273659e0fb7cc7

    SHA256

    2cb0aea0f3dfe49b99f5f7a0e6f6020413c916e4a21d05d2df1cca3de3e7e91d

    SHA512

    4033d7e17e673ec67947367fed5f5992d578b61a0da0d24743d03ab0e1bf17f26bce7f80d5b0d23f87736e3d8c429fd4420bec708c295d81d125700bbf4ab3a9

  • C:\Users\Admin\AppData\Local\Temp\Tar122F.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Windows\Installer\f7709a2.msi

    Filesize

    2.7MB

    MD5

    b9632555b2c19b9182cab9c098c22d8e

    SHA1

    100d612540c51413141f52c3888114cddb76e9a0

    SHA256

    1164b944f47a9701ddd682f59c60425faed350647e3f9e562e1abc140a89c7f2

    SHA512

    b90b26af09115c4ad37f5cb40135de51835ccffbd666168934062fb587a9111fa535e21c1e231aed76a5e871d63a9f71b686367defed3d584f6d76f75e5acb52

  • memory/2052-91-0x0000000002340000-0x000000000255E000-memory.dmp

    Filesize

    2.1MB

  • memory/2052-62-0x0000000002340000-0x000000000255E000-memory.dmp

    Filesize

    2.1MB

  • memory/2052-63-0x0000000002340000-0x000000000255E000-memory.dmp

    Filesize

    2.1MB

  • memory/2144-317-0x0000000000E40000-0x0000000001285000-memory.dmp

    Filesize

    4.3MB

  • memory/2144-28-0x0000000000E40000-0x0000000001285000-memory.dmp

    Filesize

    4.3MB

  • memory/2144-818-0x0000000000E40000-0x0000000001285000-memory.dmp

    Filesize

    4.3MB