Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-02-2025 04:29

General

  • Target
    f82d15eed385a7a913b98a28bce9b27a7e3611e1c0c4d9fa65741d3fdd76d23c.msi
  • Size
    85.7MB
  • MD5
    bf866d9b4395b3c819a4cd3fd639c412
  • SHA1
    79b7f01af68b13036a493e25c83d80457a654c4c
  • SHA256
    f82d15eed385a7a913b98a28bce9b27a7e3611e1c0c4d9fa65741d3fdd76d23c
  • SHA512
    8c80f7d86d8b4df1c73b2da3cecd09f02a28b57edcf3e2597e874e549ff7cf183acb644a731ed95fb29aeea3334fc72d9144f536ad7e4868b6eec63a4bd83e13
  • SSDEEP
    1572864:BWVw9CW/3bB1B68jRGRdJFqisNA6IwEU7dwq3LnEpF2UOrZ+c4CGFyzodK2aZq9:BW5SrB6uRG6iQIu5LEzVON+vCjVY

Malware Config

Extracted

  • Family
    bumblebee
  • Botnet
    2

Attributes

  • dga
  • dga_seed
    7834006444057268685
  • domain_length
    12
  • num_dga_domains
    300
  • port
    443
  • rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a loader malware written in C++.

  • Bumblebee family
  • Blocklisted process makes network request (42 IoCs)
  • Enumerates connected drives (3 TTPs, 46 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory (11 IoCs)
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (14 IoCs)
  • Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
  • System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS (43 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of WriteProcessMemory (23 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\f82d15eed385a7a913b98a28bce9b27a7e3611e1c0c4d9fa65741d3fdd76d23c.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2272
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2792
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 24DB5C81B615D0AD00A42217A5D9562F C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Users\Admin\AppData\Roaming\Microsoft\OneDrive\prerequisites\Microsoft OneDrive\OneDriveSetup.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\OneDrive\prerequisites\Microsoft OneDrive\OneDriveSetup.exe"
        3⤵
        • Executes dropped EXE
        PID:2928
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DC3BF92E46150E2776636EB2699FA359
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:840
    • C:\Windows\system32\MsiExec.exe
      "C:\Windows\system32\MsiExec.exe" /Y "C:\Users\Admin\AppData\Roaming\HFvlKgDlGU.dll"
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      PID:2292
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:708
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000590" "00000000000005E0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:1840

Downloads

  • C:\Users\Admin\AppData\Local\Temp\MSIFA46.tmp
    Filesize: 816KB
    MD5: aa88d8f40a286b6d40de0f3abc836cfa
    SHA1: c24eab9e4b10b159b589f4c3b64ef3db111ea1c8
    SHA256: 8d633efeda1249356b11bf8f46583242356e4f903056b53bd25a99511d1790a1
    SHA512: 6c2f2f6a2d66015f30158962d653e381136f0f30023380a0ce95bd0944d856113fbde65db52dbb3b5de1c0e2edf2cd53184e721c64b916834be4198c61224519
  • C:\Users\Admin\AppData\Local\Temp\MSIFC7B.tmp
    Filesize: 877KB
    MD5: 6a639b68fe7f4e67b7510af13403772b
    SHA1: 255ba543d6fdd8f037823ff321ec00abe3575c54
    SHA256: 7118cd0d6956c84dc8ede10db84491d7884bfb0baa4a0ab96afc7eea47f46dd0
    SHA512: 43cfa4cdf669df71d7da59669ec9653c4facba4c2e6fe52deada469116b5c8b63a927a9ddc2f240ca9e1a2cc4335c12936007662bf47cd11c7e61392af219cef
  • C:\Users\Admin\AppData\Roaming\HFvlKgDlGU.dll
    Filesize: 5.6MB
    MD5: 57349a38f042cdc28b34c9d3ba204587
    SHA1: 26617430dd8d931ce6892379791dd639afaaf05a
    SHA256: 5b5abcbf5b08cc102d3aec8291bb1d1d1faa51ec6d09e9ba122e3e0d349a7f1c
    SHA512: 4bf48e23a6a2401a377a6de2aa2df111cfbfb41ccfd3c6037d10a9f7587fca2f62c8a04a73d17211c690cfd850c5b66a1f6ee8d159c968e45ad54de5af2a0e1f
  • memory/2292-68-0x00000000024E0000-0x00000000026F9000-memory.dmp
    Filesize: 2.1MB
  • memory/2292-69-0x00000000024E0000-0x00000000026F9000-memory.dmp
    Filesize: 2.1MB
  • memory/2292-66-0x00000000024E0000-0x00000000026F9000-memory.dmp
    Filesize: 2.1MB
  • memory/2292-70-0x00000000024E0000-0x00000000026F9000-memory.dmp
    Filesize: 2.1MB