bumblebee | b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
submitted
05-12-2024 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8.msi
Size

4.7MB
MD5

e63911bf851f892bab6d3933349a987e
SHA1

c3f5bd1aca61bd086f1aea3e4b86419a836888ce
SHA256

b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8
SHA512

f00874b37580152bbb563b29763212de0452e8117f54e4199150cb8cebf3f4d8d1c31ed28d896b7b0cbb63c17e8847019ed76b53f7c0ae07021527705e1af17c
SSDEEP

49152:37Vh102T9dhkuqES58NtvUoBV0Sccd2b5+pnQ2fP1r8+/J4OV7AEqj7D4Uv6ZCOX:37VTVkufFN0ScaruSmHR9vaXZTUa3vg

Score

10^/10

bumblebee 1 discovery loader persistence privilege_escalation

Malware Config

Extracted

Family

bumblebee

Botnet

Attributes

dga
45urhm0ldgxb.live

gx6xly9rp6vl.live

zv46ga4ntybq.live

7n1hfolmrnbl.live

vivh2xlt9i6q.live

97t3nh4kk510.live

kbkdtwucfl40.live

qk6a1ahb63uz.live

whko7loy7h5z.live

dad1zg44n0bn.live

7xwz4hw8dts9.live

ovekd5n3gklq.live

amwnef8mjo4v.live

e7ivqfhnss0x.live

rjql4nicl6bg.live

4mo318kk29i4.live

zpo18lm8vg1x.live

jc51pt290y0n.live

rg26t2dc4hf4.live

qw9a58vunuja.live

ugm94zjzl5nl.live

mckag832orba.live

pdw0v9voxlxr.live

m4tx2apfmoxo.live

n2uc737ef71m.live

hkk3112645hz.live

ugko9g5ipa4o.live

8wgq2x4dybx9.live

h81fx7sj8srr.live

a4tgoqi1cm8x.live

kse2q7uxyrwp.live

mfwnbxvt9qme.live

x99ahfftf28l.live

9n6bmko47gxe.live

6l96lk6edlyf.live

st5j8zqdrppf.live

dxjeucbj4p0j.live

bnpuxnov7lhr.live

a8bxv8lqe1m0.live

yczi2ujcyyro.live

sbeo0cztn1kh.live

o337yf9fh4bf.live

zoki7ma89z7b.live

x2r9bglz76r7.live

wi1w9yu1vush.live

mtqdvzkai700.live

r6o2sj70m85m.live

ut6qohwra5lm.live

9yi98fh7usy1.live

kkpjp9jzbzba.live

whvffwd7zphw.live

uztmazsno4y5.live

i3iubj73c21c.live

b72o02l2ilc6.live

wom4o4cutfx6.live

fek3qya20lid.live

nhkvd56j82xw.live

midyxlu6b22f.live

vp9c9rziba2a.live

rkffupb7i1gv.live

8u7r35mu2e4g.live

3c2xflq8mztc.live

wswis3sptby1.live

9rib57u1zu3c.live

sv3pldc5gkdl.live

bmdcn5celetq.live

y3mpywhmem7t.live

avwtkc23ffmw.live

nvgirtryox1z.live

3rlfa7w0bz37.live

vy9u47oyzltu.live

ysdwk0l8xass.live

tbt0aqol3sp2.live

xqqoo0a8zk0w.live

nevkq7lku38l.live

5u42wjin0vfz.live

y626kbnryktm.live

5k9b8nmc0x8r.live

i18t3jshekua.live

4hk1bcnxbse0.live

si00bu9fv5he.live

g3in90m5caz2.live

f6s4n6w41oov.live

sgl7og2qswmm.live

vrrbk7ykz8h1.live

zl7bmlfq8n9w.live

qydstwmw2imy.live

y9s73mnvurxr.live

7zggkh833im1.live

cvnsiogvl3kt.live

enf3gev34gis.live

doj6z5i9g803.live

zsm954jr5ek4.live

6z96z4mk84dc.live

e0et68offggh.live

au97foecnlrm.live

3ibjpmls5x46.live

mmmpa1byo300.live

3e60zvd64d8y.live

zt3nnzr70hn0.live
dga_seed
7834006444057268685
domain_length
12
num_dga_domains
300
port
443

rc4.plain

Signatures

BumbleBee
BumbleBee is a loader malware written in C++.
loader bumblebee
Bumblebee family
bumblebee

Blocklisted process makes network request 15 IoCs

flow	pid	Process
7	2992	MsiExec.exe
9	2992	MsiExec.exe
11	2992	MsiExec.exe
13	2992	MsiExec.exe
15	2992	MsiExec.exe
18	2992	MsiExec.exe
22	2992	MsiExec.exe
26	2992	MsiExec.exe
30	2992	MsiExec.exe
34	2992	MsiExec.exe
38	2992	MsiExec.exe
42	2992	MsiExec.exe
46	2992	MsiExec.exe
50	2992	MsiExec.exe
54	2992	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f76e2b1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76e2b1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE30F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE37D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE3CC.tmp	msiexec.exe
File created	C:\Windows\Installer\f76e2b2.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE515.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
2056	AnyConnect Installer.exe

Loads dropped DLL 14 IoCs

pid	Process
2708	MsiExec.exe
2708	MsiExec.exe
2708	MsiExec.exe
2708	MsiExec.exe
2708	MsiExec.exe
2708	MsiExec.exe
2708	MsiExec.exe
2708	MsiExec.exe
2708	MsiExec.exe
2708	MsiExec.exe
2488	MsiExec.exe
2488	MsiExec.exe
2488	MsiExec.exe
2992	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2888	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2464	msiexec.exe
2464	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2888	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2888	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2888	msiexec.exe
Token: SeRestorePrivilege	2464	msiexec.exe
Token: SeTakeOwnershipPrivilege	2464	msiexec.exe
Token: SeSecurityPrivilege	2464	msiexec.exe
Token: SeCreateTokenPrivilege	2888	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2888	msiexec.exe
Token: SeLockMemoryPrivilege	2888	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2888	msiexec.exe
Token: SeMachineAccountPrivilege	2888	msiexec.exe
Token: SeTcbPrivilege	2888	msiexec.exe
Token: SeSecurityPrivilege	2888	msiexec.exe
Token: SeTakeOwnershipPrivilege	2888	msiexec.exe
Token: SeLoadDriverPrivilege	2888	msiexec.exe
Token: SeSystemProfilePrivilege	2888	msiexec.exe
Token: SeSystemtimePrivilege	2888	msiexec.exe
Token: SeProfSingleProcessPrivilege	2888	msiexec.exe
Token: SeIncBasePriorityPrivilege	2888	msiexec.exe
Token: SeCreatePagefilePrivilege	2888	msiexec.exe
Token: SeCreatePermanentPrivilege	2888	msiexec.exe
Token: SeBackupPrivilege	2888	msiexec.exe
Token: SeRestorePrivilege	2888	msiexec.exe
Token: SeShutdownPrivilege	2888	msiexec.exe
Token: SeDebugPrivilege	2888	msiexec.exe
Token: SeAuditPrivilege	2888	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2888	msiexec.exe
Token: SeChangeNotifyPrivilege	2888	msiexec.exe
Token: SeRemoteShutdownPrivilege	2888	msiexec.exe
Token: SeUndockPrivilege	2888	msiexec.exe
Token: SeSyncAgentPrivilege	2888	msiexec.exe
Token: SeEnableDelegationPrivilege	2888	msiexec.exe
Token: SeManageVolumePrivilege	2888	msiexec.exe
Token: SeImpersonatePrivilege	2888	msiexec.exe
Token: SeCreateGlobalPrivilege	2888	msiexec.exe
Token: SeCreateTokenPrivilege	2888	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2888	msiexec.exe
Token: SeLockMemoryPrivilege	2888	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2888	msiexec.exe
Token: SeMachineAccountPrivilege	2888	msiexec.exe
Token: SeTcbPrivilege	2888	msiexec.exe
Token: SeSecurityPrivilege	2888	msiexec.exe
Token: SeTakeOwnershipPrivilege	2888	msiexec.exe
Token: SeLoadDriverPrivilege	2888	msiexec.exe
Token: SeSystemProfilePrivilege	2888	msiexec.exe
Token: SeSystemtimePrivilege	2888	msiexec.exe
Token: SeProfSingleProcessPrivilege	2888	msiexec.exe
Token: SeIncBasePriorityPrivilege	2888	msiexec.exe
Token: SeCreatePagefilePrivilege	2888	msiexec.exe
Token: SeCreatePermanentPrivilege	2888	msiexec.exe
Token: SeBackupPrivilege	2888	msiexec.exe
Token: SeRestorePrivilege	2888	msiexec.exe
Token: SeShutdownPrivilege	2888	msiexec.exe
Token: SeDebugPrivilege	2888	msiexec.exe
Token: SeAuditPrivilege	2888	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2888	msiexec.exe
Token: SeChangeNotifyPrivilege	2888	msiexec.exe
Token: SeRemoteShutdownPrivilege	2888	msiexec.exe
Token: SeUndockPrivilege	2888	msiexec.exe
Token: SeSyncAgentPrivilege	2888	msiexec.exe
Token: SeEnableDelegationPrivilege	2888	msiexec.exe
Token: SeManageVolumePrivilege	2888	msiexec.exe
Token: SeImpersonatePrivilege	2888	msiexec.exe
Token: SeCreateGlobalPrivilege	2888	msiexec.exe
Token: SeCreateTokenPrivilege	2888	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2888	msiexec.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 2708	2464	msiexec.exe	31
PID 2464 wrote to memory of 2708	2464	msiexec.exe	31
PID 2464 wrote to memory of 2708	2464	msiexec.exe	31
PID 2464 wrote to memory of 2708	2464	msiexec.exe	31
PID 2464 wrote to memory of 2708	2464	msiexec.exe	31
PID 2464 wrote to memory of 2708	2464	msiexec.exe	31
PID 2464 wrote to memory of 2708	2464	msiexec.exe	31
PID 2708 wrote to memory of 2056	2708	MsiExec.exe	32
PID 2708 wrote to memory of 2056	2708	MsiExec.exe	32
PID 2708 wrote to memory of 2056	2708	MsiExec.exe	32
PID 2708 wrote to memory of 2056	2708	MsiExec.exe	32
PID 2056 wrote to memory of 2136	2056	AnyConnect Installer.exe	33
PID 2056 wrote to memory of 2136	2056	AnyConnect Installer.exe	33
PID 2056 wrote to memory of 2136	2056	AnyConnect Installer.exe	33
PID 2464 wrote to memory of 2488	2464	msiexec.exe	38
PID 2464 wrote to memory of 2488	2464	msiexec.exe	38
PID 2464 wrote to memory of 2488	2464	msiexec.exe	38
PID 2464 wrote to memory of 2488	2464	msiexec.exe	38
PID 2464 wrote to memory of 2488	2464	msiexec.exe	38
PID 2464 wrote to memory of 2488	2464	msiexec.exe	38
PID 2464 wrote to memory of 2488	2464	msiexec.exe	38
PID 2464 wrote to memory of 2992	2464	msiexec.exe	39
PID 2464 wrote to memory of 2992	2464	msiexec.exe	39
PID 2464 wrote to memory of 2992	2464	msiexec.exe	39
PID 2464 wrote to memory of 2992	2464	msiexec.exe	39
PID 2464 wrote to memory of 2992	2464	msiexec.exe	39

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2888

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1C1B6E52A724F456A5A8D7AA9154AD89 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Roaming\Cisco Systems\Cisco Anyconnect\prerequisites\Cisco Installer\AnyConnect Installer.exe
    "C:\Users\Admin\AppData\Roaming\Cisco Systems\Cisco Anyconnect\prerequisites\Cisco Installer\AnyConnect Installer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2056 -s 628
      4⤵
      PID:2136
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 33DFC9A4155955347D1D32F181890FB5
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2488
- C:\Windows\system32\MsiExec.exe
  "C:\Windows\system32\MsiExec.exe" /Y "C:\Users\Admin\AppData\Roaming\BmgqLbJUHL.dll"
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:2992

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2868

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000594" "0000000000000068"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI6326.tmp

Filesize
816KB

MD5
aa88d8f40a286b6d40de0f3abc836cfa

SHA1
c24eab9e4b10b159b589f4c3b64ef3db111ea1c8

SHA256
8d633efeda1249356b11bf8f46583242356e4f903056b53bd25a99511d1790a1

SHA512
6c2f2f6a2d66015f30158962d653e381136f0f30023380a0ce95bd0944d856113fbde65db52dbb3b5de1c0e2edf2cd53184e721c64b916834be4198c61224519

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6471.tmp

Filesize
877KB

MD5
6a639b68fe7f4e67b7510af13403772b

SHA1
255ba543d6fdd8f037823ff321ec00abe3575c54

SHA256
7118cd0d6956c84dc8ede10db84491d7884bfb0baa4a0ab96afc7eea47f46dd0

SHA512
43cfa4cdf669df71d7da59669ec9653c4facba4c2e6fe52deada469116b5c8b63a927a9ddc2f240ca9e1a2cc4335c12936007662bf47cd11c7e61392af219cef

Download Submit
C:\Users\Admin\AppData\Roaming\BmgqLbJUHL.dll

Filesize
2.1MB

MD5
29e117e9f0ce89cb29a3b14f39a2624b

SHA1
1c1060ef434826f6785ea248b647da569e83cd6a

SHA256
3844008c0697a64633357ba8d7088ee41e36ac321969bb442b97eb31e530e4a6

SHA512
757ac09a94ac4b434daeaf19509183e778208c5b82865e877ee25027080fb367a0e6a177a2ebb0e10dff1307975efb0d45b81568866bec478beca59bd822ab45

Download Submit
\Users\Admin\AppData\Roaming\Cisco Systems\Cisco Anyconnect\prerequisites\Cisco Installer\AnyConnect Installer.exe

Filesize
1.0MB

MD5
5e9965bc72df9f663ca049d40b1fa3af

SHA1
3fb8de364e3e67f093c1a6c73dc0cac1fd9b2202

SHA256
ffa9df9f2ee9b98a9c9d2edf1521d2e8b952f58e1382cc1d84964d0054564091

SHA512
418abf3447f885a8fee31cf367a83264eaedfa8a90cd30684f9291d9c37c402595e5f782aa8335bc081adf8f2b18b45171a52d846b48c372a00013da64b61339

Download Submit
memory/2056-42-0x00000000008D0000-0x00000000009D2000-memory.dmp

Filesize
1.0MB

Download
memory/2992-70-0x0000000002590000-0x00000000027AE000-memory.dmp

Filesize
2.1MB

Download
memory/2992-68-0x0000000002590000-0x00000000027AE000-memory.dmp

Filesize
2.1MB

Download
memory/2992-71-0x0000000002590000-0x00000000027AE000-memory.dmp

Filesize
2.1MB

Download
memory/2992-72-0x0000000002590000-0x00000000027AE000-memory.dmp

Filesize
2.1MB

Download