BumbleBee Roasts Its Way to Domain Admin
Tags
Common Information
Type | Value |
---|---|
UUID | 440eb2a2-d3c0-445a-a947-bbf39950fbd7 |
Fingerprint | c62224fda3a0b473 |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Aug. 8, 2022, 1:36 a.m. |
Added to db | Sept. 11, 2022, 12:32 p.m. |
Last updated | Nov. 17, 2024, 10:40 p.m. |
Headline | BumbleBee Roasts Its Way to Domain Admin |
Title | BumbleBee Roasts Its Way to Domain Admin |
Detected Hints/Tags/Attributes | 180/3/143 |
Source URLs
URL Provider
RSS Feed
Id | Enabled | Feed title | Url | Added to db |
---|---|---|---|---|
249 | ✔ | The DFIR Report | https://thedfirreport.com/feed/ | 2024-08-30 22:08 |
Attributes
Type | #Events | CTI | Value |
---|---|---|---|
Domain | 20 | | 1768.py |
Domain | 1 | | dofixifa.co |
Domain | 4 | | fuvataren.com |
Domain | 2 | | www.fuvataren.com |
Domain | 1 | | dofixifa.com |
Domain | 1 | | www.dofixifa.com |
Domain | 2 | | gmw.cn |
Domain | 7 | | anydesk.com |
Domain | 74 | | thedfirreport.com |
Domain | 64 | | go.microsoft.com |
File | 2 | | namr.dll |
File | 12 | | wab.exe |
File | 1260 | | explorer.exe |
File | 1018 | | rundll32.exe |
File | 69 | | comsvcs.dll |
File | 1 | | bc_invoice_report_corp_46.iso |
File | 409 | | c:\windows\system32\cmd.exe |
File | 1208 | | powershell.exe |
File | 17 | | 1768.py |
File | 92 | | c:\windows\system32\svchost.exe |
File | 1122 | | svchost.exe |
File | 99 | | c:\windows\explorer.exe |
File | 1 | | c:\users\user\appdata\local\wab.exe |
File | 127 | | c:\windows\system32\rundll32.exe |
File | 2126 | | cmd.exe |
File | 27 | | c:\windows\system32\comsvcs.dll |
File | 1 | | c:\programdata\redacted\lsass.dmp |
File | 27 | | procdump.exe |
File | 26 | | procdump64.exe |
File | 2 | | c:\programdata\procdump64.exe |
File | 478 | | lsass.exe |
File | 4 | | c:\programdata\lsass.dmp |
File | 1 | | c:\programdata\redacted\ps.txt |
File | 7 | | s.bat |
File | 2 | | w.bat |
File | 8 | | servers.txt |
File | 1 | | serv.log |
File | 1 | | workers.txt |
File | 5 | | work.log |
File | 2 | | sharefinder.txt |
File | 6 | | seatbelt.exe |
File | 1 | | c:\programdata\seatinfo.txt |
File | 1 | | vulnrecon.dll |
File | 1 | | vulnrecon.exe |
File | 1 | | rs.js |
File | 15 | | %windir%\syswow64\rundll32.exe |
File | 13 | | %windir%\sysnative\rundll32.exe |
File | 21 | | %windir%\\syswow64\\rundll32.exe |
File | 21 | | %windir%\\sysnative\\rundll32.exe |
File | 1 | | bc_invoice_report_corp_46.zip |
File | 4 | | af.exe |
File | 3 | | commandline.dll |
File | 2 | | commands.sys |
File | 2 | | hostfxr.dll |
File | 1 | | api-ms-win-crt-runtime-l1-1-0.dll |
File | 1 | | api-ms-win-crt-convert-l1-1-0.dll |
File | 3 | | api-ms-win-crt-math-l1-1-0.dll |
File | 1 | | api-ms-win-crt-time-l1-1-0.dll |
File | 3 | | api-ms-win-crt-stdio-l1-1-0.dll |
File | 1 | | api-ms-win-crt-heap-l1-1-0.dll |
File | 1 | | api-ms-win-crt-string-l1-1-0.dll |
File | 1 | | api-ms-win-crt-locale-l1-1-0.dll |
File | 1 | | pfxvex450gd81.exe |
md5 | 2 | | c424870876f1f2ef0dd36e7e569de906 |
md5 | 3 | | 61be9ce3d068c08ff99a857f62352f9d |
md5 | 26 | | a0e9f5d64349fb13191bc781f81f42e1 |
md5 | 14 | | ae4edc6faf64d08308082ad26be60767 |
md5 | 1 | | 5226b7138f4dd1dbb9f6953bd75a320b |
md5 | 1 | | 3466ffaf086a29b8132e9e10d7111492 |
md5 | 1 | | f856d7e7d485a2fc5b38faddd8c6ee5c |
md5 | 1 | | c68437cc9ed6645726119c12fdcb33e7 |
md5 | 3 | | 9b02dd2a1a15e94922be3f85129083ac |
md5 | 1 | | 5839b4013cf6e25568f13d3fc4120795 |
md5 | 1 | | 951d017ba31ecc6990c053225ee8f1e6 |
md5 | 1 | | 3654f4e4c0858a9388c383b1225b8384 |
md5 | 1 | | bba3ff461eee305c7408e31e427f57e6 |
md5 | 1 | | 4b78228c08538208686b0f55353fa3bf |
sha1 | 1 | | 6c87ca630c294773ab760d88587667f26e0213a3 |
sha1 | 1 | | 58739dc62eeac7374db9a8c07df7c7c36b550ce5 |
sha1 | 1 | | c68e4d5eaae99d6f0a51eec48ace79a4fede3c09 |
sha1 | 1 | | 7a3db4b3359b60786fcbdaf0115191502fcded07 |
sha1 | 3 | | 2cb6ff75b38a3f24f3b60a2742b6f4d6027f0f2a |
sha1 | 1 | | d9832b46dd6f249191e9cbcfba2222c1702c499a |
sha1 | 1 | | a204f20b1c96c5b882949b93eb4ac20d4f9e4fdf |
sha1 | 1 | | 974ffbfae36e9a41ac672f9793ce1bee18f2e670 |
sha1 | 1 | | 3300c0c05b33691ecc04133885b7fc9513174746 |
sha1 | 1 | | 67707f863aa405a9b9a335704808c604845394bf |
sha256 | 1 | | c1b8e9d77a6aea4fc7bed4a2a48515aa32a3922859c9091cecf1b5f381a87127 |
sha256 | 1 | | 90f489452b4fe3f15d509732b8df8cc86d4486ece9aa10cbd8ad942f7880075e |
sha256 | 2 | | 2d67a6e6e7f95d3649d4740419f596981a149b500503cbc3fcbeb11684e55218 |
sha256 | 1 | | 1cf28902be615c721596a249ca85f479984ad85dc4b19a7ba96147e307e06381 |
sha256 | 8 | | b1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682 |
sha256 | 1 | | eb4cba90938df28f6d8524be639ed7bd572217f550ef753b2f2d39271faddaef |
sha256 | 1 | | a9e90587c54e68761be468181e56a5ba88bac10968ff7d8c0a1c01537158fbe8 |
sha256 | 1 | | fa2b74bfc9359efba61ed7625d20f9afc11a7933ebc9653e8e9b1e44be39c455 |
sha256 | 1 | | 59198ffaf74b0e931a1cafe78e20ebf0b16f3a5a03bb4121230a0c44d7b963d2 |
sha256 | 1 | | 5eb0b0829b9fe344bff08de80f55a21a26a53df7bd230d777114d3e7b64abd24 |
IPv4 | 1 | | 104.243.33.50 |
IPv4 | 1 | | 108.62.12.174 |
IPv4 | 1441 | | 127.0.0.1 |
IPv4 | 2 | | 142.91.3.109 |
IPv4 | 2 | | 45.140.146.30 |
IPv4 | 2 | | 45.153.243.142 |
IPv4 | 1 | | 108.177.235.25 |
MITRE ATT&CK Techniques | 409 | | T1566 |
MITRE ATT&CK Techniques | 365 | | T1204.002 |
MITRE ATT&CK Techniques | 333 | | T1059.003 |
MITRE ATT&CK Techniques | 460 | | T1059.001 |
MITRE ATT&CK Techniques | 440 | | T1055 |
MITRE ATT&CK Techniques | 297 | | T1070.004 |
MITRE ATT&CK Techniques | 173 | | T1003.001 |
MITRE ATT&CK Techniques | 36 | | T1558.003 |
MITRE ATT&CK Techniques | 99 | | T1087.002 |
MITRE ATT&CK Techniques | 124 | | T1482 |
MITRE ATT&CK Techniques | 118 | | T1570 |
MITRE ATT&CK Techniques | 160 | | T1021.001 |
MITRE ATT&CK Techniques | 306 | | T1078 |
MITRE ATT&CK Techniques | 141 | | T1219 |
MITRE ATT&CK Techniques | 492 | | T1105 |
MITRE ATT&CK Techniques | 442 | | T1071.001 |
MITRE ATT&CK Techniques | 78 | | T1569 |
MITRE ATT&CK Techniques | 139 | | T1021.002 |
MITRE ATT&CK Techniques | 185 | | T1518 |
MITRE ATT&CK Techniques | 245 | | T1016 |
MITRE ATT&CK Techniques | 243 | | T1018 |
MITRE ATT&CK Techniques | 433 | | T1057 |
MITRE ATT&CK Techniques | 25 | | T1553.005 |
MITRE ATT&CK Techniques | 348 | | T1036 |
MITRE ATT&CK Techniques | 119 | | T1218.011 |
MITRE ATT&CK Techniques | 74 | | T1069.002 |
MITRE ATT&CK Techniques | 310 | | T1047 |
MITRE ATT&CK Techniques | 44 | | T1110.001 |
Deprecated Microsoft Threat Actor Naming Taxonomy (Groups in development) | 16 | | DEV-0193 |
Pdb | 2 | | apphost.pdb |
Pdb | 1 | | vulnrecon.pdb |
Threat Actor Identifier - FIN | 42 | | FIN12 |
Url | 1 | | http://104.243.33.50:80/a |
Url | 1 | | http://127.0.0.1:36177 |
Url | 1 | | http://127.0.0.1:39303 |
Url | 15 | | https://thedfirreport.com |
Url | 2 | | https://go.microsoft.com/fwlink/?linkid=798306 |
Yara rules

Yara rule | 1 | bumblebee_13387_VulnRecon_dll |

```yara
rule bumblebee_13387_VulnRecon_dll {
    meta:
        description = "BumbleBee - file VulnRecon.dll"
        author = "TheDFIRReport"
        reference = "https://thedfirreport.com"
        date = "2022-08-08"
        hash1 = "a9e90587c54e68761be468181e56a5ba88bac10968ff7d8c0a1c01537158fbe8"
    strings:
        $x1 = "Use VulnRecon.exe -i, --SystemInfo to execute this command" wide fullword
        $x2 = "Use VulnRecon.exe -v, --Vulnerability to execute this command" wide fullword
        $x3 = "Use VulnRecon.exe -h, --HotFixes to execute this command" wide fullword
        $x4 = "Use VulnRecon.exe -m, --MicrosoftUpdates to execute this command" wide fullword
        $x5 = "Use VulnRecon.exe -s, --SupportedCve to execute this command" wide fullword
        $s6 = "VulnRecon.dll" wide fullword
        $s7 = "VulnRecon.Commands.SystemCommands" ascii fullword
        $s8 = "VulnRecon.Commands.CveCommands" ascii fullword
        $s9 = "VulnRecon.Commands" ascii fullword
        $s10 = "VulnRecon.CommandLine" ascii fullword
        $s11 = "D:\\work\\rt\\VulnRecon\\VulnRecon\\obj\\Release\\net5.0\\VulnRecon.pdb" ascii fullword
        $s12 = "VulnRecon.Commands.ToolsCommand" ascii fullword
        $s13 = "Using VulnRecon.exe -o or VulnRecon.exe --OptionName" wide fullword
        $s14 = "commandVersion" ascii fullword
        $s15 = "GetSystemInfoCommand" ascii fullword
        $s16 = "CreateGetSupportedCveCommand" ascii fullword
        $s17 = "CreateWindowsVersionCommand" ascii fullword
        $s18 = " <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\"/>" ascii fullword
        $s19 = "get_CommandVersion" ascii fullword
        $s20 = "<CommandVersion>k__BackingField" ascii fullword
    condition:
        uint16(0) == 0x5a4d and filesize < 50KB and 1 of ($x*) and 4 of them
}
```

Yara rule | 1 | bumblebee_13387_VulnRecon_exe |

```yara
rule bumblebee_13387_VulnRecon_exe {
    meta:
        description = "BumbleBee - file VulnRecon.exe"
        author = "TheDFIRReport"
        reference = "https://thedfirreport.com"
        date = "2022-08-08"
        hash1 = "eb4cba90938df28f6d8524be639ed7bd572217f550ef753b2f2d39271faddaef"
    strings:
        $s1 = "hostfxr.dll" wide fullword
        $s2 = "--- Invoked %s [version: %s, commit hash: %s] main = {" wide fullword
        $s3 = "This executable is not bound to a managed DLL to execute. The binding value is: '%s'" wide fullword
        $s4 = "D:\\a\\_work\\1\\s\\artifacts\\obj\\win-x64.Release\\corehost\\cli\\apphost\\standalone\\Release\\apphost.pdb" ascii fullword
        $s5 = "VulnRecon.dll" wide fullword
        $s6 = "api-ms-win-crt-runtime-l1-1-0.dll" ascii fullword
        $s7 = " - %s&apphost_version=%s" wide fullword
        $s8 = "api-ms-win-crt-convert-l1-1-0.dll" ascii fullword
        $s9 = "api-ms-win-crt-math-l1-1-0.dll" ascii fullword
        $s10 = "api-ms-win-crt-time-l1-1-0.dll" ascii fullword
        $s11 = "api-ms-win-crt-stdio-l1-1-0.dll" ascii fullword
        $s12 = "api-ms-win-crt-heap-l1-1-0.dll" ascii fullword
        $s13 = "api-ms-win-crt-string-l1-1-0.dll" ascii fullword
        $s14 = "The managed DLL bound to this executable is: '%s'" wide fullword
        $s15 = "A fatal error was encountered. This executable was not bound to load a managed DLL." wide fullword
        $s16 = "api-ms-win-crt-locale-l1-1-0.dll" ascii fullword
        $s17 = "Showing error dialog for application: '%s' - error code: 0x%x - url: '%s'" wide fullword
        $s18 = "Failed to resolve full path of the current executable [%s]" wide fullword
        $s19 = "https://go.microsoft.com/fwlink/?linkid=798306" wide fullword
        $s20 = "The managed DLL bound to this executable could not be retrieved from the executable image." wide fullword
    condition:
        uint16(0) == 0x5a4d and filesize < 400KB and all of them
}
```
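Working with the attribute table above

The attribute table is what a detection engineer would actually consume from this page, and it needs two things before it is usable: a parser for the flattened row format, and a filter for values that are not indicators at all (127.0.0.1 with 1,441 events, cmd.exe with 2,126, rundll32.exe, svchost.exe and the other stock Windows binaries are execution context, not IOCs). The aggregator's type labels also have to be taken at face value, so rows like 1768.py, which appears both as a Domain and as a File, still need a human look. The example below is added by the editor and is not code from The DFIR Report or from this feed. It embeds a few rows copied from the table as constructed sample input, builds indicator sets from them, and runs constructed Sysmon-style process-creation events through a check that covers the listed hash and file-name indicators plus the two public LSASS-dumping command-line shapes behind T1003.001 in the technique list (rundll32 calling the MiniDump export of comsvcs.dll, and procdump aimed at lsass). The noisy-filename list, the regular expressions and the sample events are the editor's assumptions, not taken from the page.

```python
"""Editor-added example (not code from The DFIR Report or this feed): parse the
page's flattened attribute rows into indicator sets and check constructed
process-creation events against them."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: rows copied from the attribute table on this page in
# its flattened two-line form (the empty CTI cell broke onto a lone "|" line).
SAMPLE_ROWS = r"""
Details | Domain | 1 | dofixifa.co |
|
Details | File | 27 | c:\windows\system32\comsvcs.dll |
|
Details | File | 4 | c:\programdata\lsass.dmp |
|
Details | File | 26 | procdump64.exe |
|
Details | sha256 | 8 | b1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682 |
|
Details | IPv4 | 1 | 104.243.33.50 |
|
Details | IPv4 | 1441 | 127.0.0.1 |
|
"""

# Editor's assumption: stock Windows binaries the table lists by the thousand
# are execution context (rundll32 hosting a DLL, cmd spawning tools), not IOCs.
NOISY_FILENAMES = {"cmd.exe", "powershell.exe", "explorer.exe", "svchost.exe",
                   "rundll32.exe", "lsass.exe", "comsvcs.dll"}

# Public command-line shapes for the LSASS dumping behind T1003.001 above:
# comsvcs.dll's MiniDump export (also callable by ordinal #24) and procdump.
COMSVCS_MINIDUMP = re.compile(r"comsvcs(?:\.dll)?\s*,\s*(?:#24|minidump)\b", re.I)
PROCDUMP_LSASS = re.compile(r"procdump(?:64)?(?:\.exe)?\b.*\blsass", re.I)
WIN_PATH = re.compile(r'[A-Za-z]:\\[^\s"\']+')


def basename(path):
    """Lower-cased final component of a Windows or POSIX path."""
    return path.lower().replace("\\", "/").rsplit("/", 1)[-1]


def parse_rows(text):
    """Yield (type, event_count, value) from the page's attribute rows."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        cells = [c for c in cells if c and c != "Details"]  # drop link widget
        if len(cells) < 3:  # lone "|" continuation lines and blanks
            continue
        yield cells[0], int(cells[1]), "|".join(cells[2:])


def build_indicators(rows):
    """Group values by kind, normalised for matching; drop unusable ones."""
    ind = defaultdict(set)
    for kind, _count, value in rows:
        if kind == "IPv4":
            ip = ipaddress.ip_address(value)
            if ip.is_loopback or ip.is_private:  # 127.0.0.1 is not an IOC
                continue
            ind["ipv4"].add(value)
        elif kind == "Domain":
            ind["domain"].add(value.lower())
        elif kind in ("md5", "sha1", "sha256"):
            ind["hash"].add(value.lower())
        elif kind == "File":
            name = basename(value)
            if name not in NOISY_FILENAMES:
                ind["filename"].add(name)
    return ind


def check_event(event, ind):
    """Return the reasons a process-creation event matches this intrusion."""
    cmd = event.get("command_line", "")
    reasons = []
    if COMSVCS_MINIDUMP.search(cmd):
        reasons.append("comsvcs.dll MiniDump via rundll32 (T1003.001)")
    if PROCDUMP_LSASS.search(cmd):
        reasons.append("procdump run against lsass (T1003.001)")
    if basename(event.get("image", "")) in ind["filename"]:
        reasons.append("image is a listed file indicator")
    for path in WIN_PATH.findall(cmd):
        if basename(path) in ind["filename"]:
            reasons.append("command line references listed file: " + basename(path))
    for h in event.get("hashes", ()):
        if h.lower() in ind["hash"]:
            reasons.append("hash matches listed indicator: " + h)
    return reasons


INDICATORS = build_indicators(parse_rows(SAMPLE_ROWS))

# Constructed Sysmon-style events; the paths and the fourth event's hash
# pairing are illustrative only.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 704 C:\ProgramData\lsass.dmp full"},
    {"image": r"C:\ProgramData\procdump64.exe",
     "command_line": r"C:\ProgramData\procdump64.exe -accepteula -ma lsass.exe C:\ProgramData\lsass.dmp"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"image": r"C:\Users\user\AppData\Local\Temp\sample.bin",
     "command_line": r"C:\Users\user\AppData\Local\Temp\sample.bin",
     "hashes": ["b1102ed4bca6dae6f2f498ade2f73f76af527fa803f0e0b46e100d4cf5150682"]},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(basename(ev["image"]), "->", check_event(ev, INDICATORS) or "clean")
```

The first two events fire on behaviour rather than on the exact paths the page records, which matters because `lsass.dmp` under `c:\programdata` is trivially renamed while `comsvcs.dll, MiniDump` and `procdump -ma lsass` are the technique itself; the path match is kept only as a secondary signal. The svchost event stays clean even though svchost.exe is in the table with 1,122 events, which is the point of the noisy-filename filter.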