
BumbleBee: Round Two – Malware News

In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates.

In this intrusion, we see the threat actor use BumbleBee to deploy Cobalt Strike and Meterpreter. The threat actor then used RDP and SMB to move around the network looking at backup systems and file shares before being evicted from the network.

Case Summary

The intrusion began with the delivery of an ISO file containing a LNK file and a BumbleBee payload in the form of a hidden DLL. A user on a workstation mounted the ISO and executed the LNK, running the BumbleBee payload.

Around 15 minutes after the execution of BumbleBee, multiple processes were spawned with the goal of injecting Meterpreter into each of them. After gaining access with Meterpreter, the threat actors began reconnaissance of the workstation and network, including querying domain controllers, mapping domain-joined computers, enumerating Active Directory trusts, and listing Domain Admin accounts. All of this first wave of discovery relied on built-in Windows utilities like nltest, arp, net, ping, nbtstat, and nslookup.

BumbleBee executed under a user with local administrator privileges on all workstations in the environment. Around six hours after initial execution, we observed a new process being created and then used to host a Cobalt Strike beacon that called back to the same command and control server observed in a prior BumbleBee case. This beacon repeated the earlier discovery activity, but also truncated a common command, running net user /dom instead of /domain, whether from keyboard laziness or as a trick to trip up string-based detections (net.exe accepts the abbreviated switch, so the command still works). The threat actor then created a remote service on an adjacent workstation to run procdump with the intention of dumping credentials from LSASS.

Next, the threat actors moved laterally via RDP to a server. A new local user, sql_admin, was created and added to the local Administrators group, and AnyDesk remote access software was installed. Through the AnyDesk session, the threat actor was observed connecting to a file share and opening multiple documents related to cyber insurance and spreadsheets containing passwords.

A second round of enumeration was observed on the beachhead using AdFind, executed via the Cobalt Strike beacon on the system. Following this second round of enumeration, the threat actor moved laterally via RDP to a server hosting backups and interacted with the backup console. From the backup system, the threat actors also opened Internet Explorer and attempted to load the environment's mail server, likely checking for Outlook Web Access.

A third round of enumeration, this time taking place from the first lateral server host, was observed via a script named ‘1.bat’ that would ping all computers in the environment. Following this third round of enumeration the threat actors were evicted from the environment and no further impact was observed.

We assess with medium confidence this intrusion was related to pre-ransomware activity due to the tool set and techniques the actor displayed.


We offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt Strike, BumbleBee, Covenant, Metasploit, Empire, PoshC2, etc. More information on this service and others can be found here.

We also have artifacts and IOCs available from this case such as pcaps, memory captures, files, event logs including Sysmon, Kape packages, and more, under our Security Researcher and Organization services.


Analysis and reporting completed by @MetallicHack, @iiamaleks & @svch0st

Initial Access

BumbleBee follows the now-common delivery pattern of an .iso image containing a .lnk and a .dll file, a combination we have observed from other major malware distributors in previous reports. Files inside a mounted ISO do not inherit the Mark-of-the-Web that the downloaded image itself carried (T1553.005), so at the time of this intrusion the warnings that normally apply to a downloaded executable did not fire.

Using the event log, “Microsoft-Windows-VHDMP-Operational.evtx”, we can quickly find when the user mounted the .iso.

Upon clicking the LNK file the BumbleBee payload was executed.

"C:\Windows\System32\rundll32.exe" rundll32.exe tamirlan.dll,EdHVntqdWt

Thanks to @pr0xylife for the iso file!


After mounting the .iso, the user double-clicked a .lnk file, documents.lnk. As noted in previous reports, the .dll is hidden from the user unless hidden items are displayed in Explorer.

The .lnk contains instructions to execute a specific exported function with the BumbleBee DLL file.

When the user double-clicked the .lnk, the BumbleBee DLL tamirlan.dll was executed:

C:\Windows\System32\rundll32.exe tamirlan.dll,EdHVntqdWt

The output of LECmd.exe, run against documents.lnk, provided additional context on where and when this .lnk file was created:

>> Tracker database block
   Machine ID: user-pc
   MAC Address: 9a:5b:d6:3e:47:ec
   MAC Vendor: (Unknown vendor)
   Creation: <REDACTED DATE>
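To show what a triage script pulls out of such a shortcut, here is an added example that is not code from the report or from LECmd: a minimal MS-SHLLINK parser in Python that reads the StringData fields (relative path and arguments, i.e. the rundll32 target and the DLL,export pair) and the TrackerDataBlock (machine ID and the MAC address carried in the node field of the object-ID GUID, the fields LECmd printed above). The .lnk it parses is constructed inside the script with values that mimic this case; it is not the real documents.lnk, and the rundll32 heuristic at the end is our own, not a rule from the report.

```python
"""Minimal MS-SHLLINK parser for triage of a malicious .lnk (added example)."""
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) and the TrackerDataBlock signature (2.5.10)
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
TRACKER_SIGNATURE = 0xA0000003
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))


def parse_lnk(data):
    """Return StringData fields plus machine ID and MAC from the TrackerDataBlock."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76                                   # end of the fixed-size ShellLinkHeader
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                  # LinkInfoSize counts itself
        off += struct.unpack_from("<I", data, off)[0]
    out = {}
    for key, bit in STRING_FIELDS:             # StringData: CountCharacters + chars, no terminator
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        if flags & IS_UNICODE:
            out[key] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            out[key] = data[off:off + count].decode("latin-1")
            off += count
    while off + 8 <= len(data):                # ExtraData blocks until a BlockSize < 4
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4:
            break
        if sig == TRACKER_SIGNATURE and size >= 0x60:
            out["machine_id"] = data[off + 16:off + 32].split(b"\x00", 1)[0].decode("latin-1")
            file_guid = data[off + 48:off + 64]   # Droid = VolumeID GUID + FileID GUID
            out["mac"] = ":".join(f"{b:02x}" for b in file_guid[10:16])  # node field of the v1 UUID
        off += size
    return out


def looks_like_dll_export_launch(fields):
    """Our heuristic from this case: a shortcut running rundll32.exe with a 'dll,export' argument."""
    path = fields.get("relative_path", "").lower()
    return path.endswith("rundll32.exe") and "," in fields.get("arguments", "")


def build_sample_lnk(relative_path, arguments, machine_id, mac):
    """Construct a Unicode .lnk for testing; values only mimic this case, it is not the real sample."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID
    header += struct.pack("<IIQQQIIIH", flags, 0x20, 0, 0, 0, 0, 0, 1, 0) + bytes(10)  # attrs..reserved

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    file_guid = bytes(10) + bytes.fromhex(mac.replace(":", ""))
    tracker = struct.pack("<IIII", 0x60, TRACKER_SIGNATURE, 0x58, 0)
    tracker += machine_id.encode("ascii").ljust(16, b"\x00")
    tracker += bytes(16) + file_guid + bytes(16) + file_guid    # Droid and DroidBirth
    return header + string_data(relative_path) + string_data(arguments) + tracker + bytes(4)


if __name__ == "__main__":
    sample = build_sample_lnk(r"..\..\..\..\Windows\System32\rundll32.exe",
                              "tamirlan.dll,EdHVntqdWt", "user-pc", "9a:5b:d6:3e:47:ec")
    fields = parse_lnk(sample)
    print(fields, looks_like_dll_export_launch(fields))
```

Run against a real shortcut with parse_lnk(open(path, "rb").read()); the parser deliberately skips the LinkTargetIDList and LinkInfo structures, which is enough for the fields that matter in triage, and it ignores unknown ExtraData blocks rather than failing on them.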

Approximately 5 seconds after execution, the rundll32.exe process contacted the command and control IP address; this traffic is covered in the Command and Control section below.

Execution

An interesting tactic of note was the use of WMI, invoked through COM, to start the process that the loader then injects into. Rather than calling CreateProcess directly, BumbleBee creates a COM instance, connects to the WMI namespace, and creates a "Win32_Process" WMI object to launch the new process.

Analysis of the loader found that a function of the malware chooses 1 of 3 target processes before injecting the supplied code:

C:\Program Files\Windows Mail\wabmig.exe
C:\Program Files\Windows Mail\wab.exe
C:\Program Files\Windows Photo Viewer\ImagingDevices.exe

As a result, the new processes are not children of the BumbleBee rundll32.exe process but of WmiPrvSE.exe, the WMI provider host.

In this intrusion, an instance of C:\Program Files\Windows Photo Viewer\ImagingDevices.exe was created and then accessed by the BumbleBee rundll32.exe process. Shortly after this interaction, the process began communicating with a Meterpreter C2 server. It then spawned cmd.exe to run several typical discovery commands, covered in more detail below.

The second process spawned via the WMI technique was an instance of C:\Program Files\Windows Mail\wabmig.exe. This process hosted both a session to a second Meterpreter C2 and a Cobalt Strike beacon, which was then used to conduct the majority of the additional activity, including the credential dumping and discovery highlighted below. The pivot to Cobalt Strike began around 6 hours after execution of the BumbleBee loader.


Persistence

A new local administrator account was created on a server to maintain access to the machine. The account was then observed being used through an AnyDesk session on the same server.

  ➝ net  user sql_admin P@ssw0rd! /add
  ➝ net  localgroup Administrators sql_admin /ADD

In addition, AnyDesk was installed as a service.


Defense Evasion

The BumbleBee loader itself uses several defense evasion and anti-analysis techniques. As detailed in the Execution section, spawning the injection target via WMI is a known technique to evade parent/child process heuristics and detections: the new process appears as a child of WmiPrvSE.exe rather than of the rundll32.exe that actually requested it.


Once the malware is unpacked, it becomes quite apparent what the malware author(s) were looking for:

  • Known malware analysis process names running

  • Known sandbox usernames (sorry if your name is Peter Wilson, no malware for you)

  • Files on disk and registry keys belonging to specific virtualization software (VirtualBox, QEMU, Parallels)

Process Injection

Create Remote Thread – The malware used the Win32 function CreateRemoteThread to execute code in rundll32.exe.

Named Pipes – Two named pipes were created in order to establish inter-process communications (IPC) between rundll32.exe and wabmig.exe.


Credential Access


A remote service was created on one of the workstations in order to dump LSASS.

Event 7045 (a service was installed in the system) from the Service Control Manager recorded the service file name, showing procdump being pointed at lsass.exe:

C:\programdata\procdump64.exe -accepteula -ma lsass.exe C:\programdata\lsass.dmp


Discovery

The first discovery stage includes TTPs we have seen in multiple cases: trust discovery, domain admin group discovery, network configuration discovery and remote process enumeration.

C:\Program Files\Windows Mail\wabmig.exe   
  ➝ C:\Windows\system32\cmd.exe /C ipconfig /all
  ➝ C:\Windows\system32\cmd.exe /C ping -n 1 <REDACTED_DOMAIN_NAME>
  ➝ C:\Windows\system32\cmd.exe /C nltest /dclist:
  ➝ C:\Windows\system32\cmd.exe /C nltest /domain_trusts
  ➝ C:\Windows\system32\cmd.exe /C net group "domain admins" /domain
  ➝ C:\Windows\system32\cmd.exe /C tasklist /v /s <REDACTED_IP>


AdFind.exe was renamed to af.exe and used by the threat actors to enumerate AD users, computers, OUs, trusts, subnets and groups.

C:\Program Files\Windows Mail\wabmig.exe  
  ➝ C:\Windows\system32\cmd.exe /C af.exe -f "(objectcategory=person)" > ad_users.txt
  ➝ C:\Windows\system32\cmd.exe /C af.exe -f "objectcategory=computer" > ad_computers.txt
  ➝ C:\Windows\system32\cmd.exe /C af.exe -f "(objectcategory=organizationalUnit)" > ad_ous.txt
  ➝ C:\Windows\system32\cmd.exe /C af.exe -sc trustdmp > trustdmp.txt
  ➝ C:\Windows\system32\cmd.exe /C af.exe -subnets -f (objectCategory=subnet) > subnets.txt
  ➝ C:\Windows\system32\cmd.exe /C af.exe -f "(objectcategory=group)" > ad_group.txt
  ➝ C:\Windows\system32\cmd.exe /C af.exe -gcb -sc trustdmp > trustdmp.txt


Lateral Movement

The threat actor was observed moving via RDP throughout the network with a Domain Admin account.

As mentioned in Credential Access, the threat actor used remote services to execute commands on remote hosts.

SMB was used to transfer the various tools laterally, as needed in the environment, like procdump.exe and AnyDesk executables.


Collection

The threat actor accessed multiple documents and folders on a remote file server. The SMB share was accessed from a compromised server through an AnyDesk session.

The LSASS dump produced by the remote procdump service was copied back to the beachhead through the C$ admin share.

After being copied, the file was zipped using 7za.exe (7-Zip) in preparation for exfiltration.

C:\Program Files\Windows Mail\wabmig.exe 
  ➝ C:\Windows\system32\cmd.exe /C copy \\<REMOTE_WORKSTATION>\C$\ProgramData\lsass.dmp c:\programdata\lsass.dmp
  ➝ C:\Windows\system32\cmd.exe /C 7za.exe a -tzip -mx5 c:\programdata\ c:\programdata\lsass.dmp

Command and Control


Meterpreter

JA3: c12f54a3f91dc7bafd92cb59fe009a35
JA3s: 76c691f46143bf86e2d1bb73c6187767

Certificate: [ac:18:a0:22:b2:ef:65:c8:85:5e:1f:eb:f5:35:23:28:89:3a:5d:f9]
Not Before: 2022/05/19 07:40:24 UTC 
Not After: 2023/05/19 07:40:24 UTC 
Issuer Org: Internet Widgits Pty Ltd 
Subject Org: Internet Widgits Pty Ltd 
Public Algorithm: rsaEncryption

Certificate: [0f:a6:76:b0:de:4c:f6:5e:a8:35:60:94:60:69:2c:2c:9c:cb:11:5c]
Not Before: 2022/05/19 07:48:30 UTC 
Not After: 2023/05/19 07:48:30 UTC 
Issuer Org: Internet Widgits Pty Ltd 
Subject Org: Internet Widgits Pty Ltd 
Public Algorithm: rsaEncryption


JA3: ce5f3254611a8c095a3d821d44539877
JA3s: ec74a5c51106f0419184d0dd08fb05bc

Certificate: [e5:a3:1d:28:ee:34:4f:9d:99:b8:a9:6e:b4:a9:d0:1f:63:43:3c:ac]
Not Before: 2021/05/03 23:37:39 UTC 
Not After: 2027/05/02 23:37:39 UTC 
Issuer Org: Stracke, Lakin and Windler 
Subject Common: 
Subject Org: Stracke, Lakin and Windler 
Public Algorithm: rsaEncryption

Certificate: [84:38:01:51:ba:46:74:89:b3:2a:67:57:b7:a1:4a:5b:49:4a:b9:03]
Not Before: 2020/03/19 06:49:58 UTC 
Not After: 2026/03/18 06:49:58 UTC 
Issuer Org: Reilly-Carroll 
Subject Common: 
Subject Org: Reilly-Carroll 
Public Algorithm: rsaEncryption

JA3: ce5f3254611a8c095a3d821d44539877
JA3s: ec74a5c51106f0419184d0dd08fb05bc

Certificate: [6c:0e:6d:6e:d8:06:92:c6:9a:13:2a:ee:d7:8c:9d:15:63:5e:e9:f2]
Not Before: 2020/09/03 16:14:07 UTC 
Not After: 2024/09/02 16:14:07 UTC 
Issuer Org: Jerde-Kreiger 
Subject Common: 
Subject Org: Jerde-Kreiger 
Public Algorithm: rsaEncryption

Cobalt Strike

This C2 server was observed in a previous BumbleBee case.

JA3: a0e9f5d64349fb13191bc781f81f42e1
JA3s: ae4edc6faf64d08308082ad26be60767

Certificate: [6c:54:cc:ce:ca:da:8b:d3:12:98:13:d5:85:52:81:8a:9d:74:4f:fb]
Not Before: 2022/04/15 00:00:00 UTC 
Not After: 2023/04/15 23:59:59 UTC 
Issuer Org: Sectigo Limited 
Subject Common: [ ,]
Public Algorithm: rsaEncryption

Extracted beacon configuration (note the /rs.js GET and /en POST URIs on port 443, the 5-second sleep with 24% jitter, and rundll32.exe as the post-exploitation spawnto process):
  "beacontype": [
  "sleeptime": 5000,
  "jitter": 24,
  "maxgetsize": 1398708,
  "license_id": 1580103814,
  "cfg_caution": false,
  "kill_date": null,
    "hostname": "",
    "port": 443,
    "publickey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5eYxmuxksHBu5Hqtk11PJye1th52fYvmUXmFrL1vEIQs9+B5NI7a6bHbSHSRN1hRJN2VQ9iwpF/11IFitmWKEbFIErjX1YCy1/1Eg+EawN4l2ReZ9lz1A9wIDUtQb8fAFYRCSn72Gzb+Pax1VKLt4Kx3QJrpduOhx4q4rdvahPQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="                                                                                                      
  "host_header": "",
  "useragent_header": null,
    "uri": "/rs.js",
    "verb": "GET",
      "headers": null,
      "metadata": null
      "output": [
        "prepend 600 characters",
    "uri": "/en",
    "verb": "POST",
      "headers": null,
      "id": null,
      "output": null
  "crypto_scheme": 0,
    "type": null,
    "username": null,
    "password": null,
    "behavior": "Use IE settings"
  "http_post_chunk": 0,
  "uses_cookies": true,
    "spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
    "spawnto_x64": "%windir%\\sysnative\\rundll32.exe"
    "allocator": "VirtualAllocEx",
    "execute": [
    "min_alloc": 11977,
    "startrwx": false,
    "stub": "tUr+Aexqde3zXhpE+L05KQ==",
    "transform-x86": [
      "prepend '\\x90\\x90\\x90\\x90\\x90\\x90'"
    "transform-x64": [
      "prepend '\\x90\\x90\\x90\\x90\\x90\\x90'"
    "userwx": false
    "dns_idle": null,
    "dns_sleep": null,
    "maxdns": null,
    "beacon": null,
    "get_A": null,
    "get_AAAA": null,
    "get_TXT": null,
    "put_metadata": null,
    "put_output": null
  "pipename": null,
    "cleanup": true
    "hostname": null,
    "port": null,
    "username": null,
    "password": null,
    "privatekey": null


AnyDesk was installed to facilitate interactive desktop command and control access to a server in the environment.


Exfiltration

No exfiltration methods were observed beyond the established command and control channels, which were likely used to move data such as the LSASS dump out of the network.


Impact

The threat actors were evicted from the network before any further impact was observed.




Detections

The threat actor delivers the BumbleBee loader as a DLL (tamirlan.dll) inside an ISO file named document.iso and tricks a user into executing it via an LNK (documents.lnk).

The threat actor dumps LSASS using procdump and copies the dump over an admin share before zipping it with 7-Zip.
BumbleBee is used to load both Meterpreter and Cobalt Strike into memory and communicate with the C2 server.



Network

ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent
ET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)
ET RPC DCERPC SVCCTL - Remote Service Control Manager Access
ET POLICY SMB2 NT Create AndX Request For an Executable File
ET POLICY SMB Executable File Transfer


Sigma

title: BumbleBee WmiPrvSE execution pattern
id: 1620db43-fde5-45f3-b4d9-45ca6e79e047
status: experimental
description: Detects BumbleBee WmiPrvSE parent process manipulation
author: TheDFIRReport
date: 2022/09/26
logsource:
  category: process_creation
  product: windows
detection:
  selection_image:
    Image|endswith:
      - 'ImagingDevices.exe'
      - 'wabmig.exe'
  selection_parent:
    ParentImage|endswith:
      - 'WmiPrvSE.exe'
  condition: selection_image and selection_parent
falsepositives:
  - Unknown
level: high
tags:
  - attack.defense_evasion
  - attack.t1036
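As an added example that is not part of the report, the following Python evaluates Sigma-style selections over constructed Windows event records, so the WmiPrvSE parent pattern from the Execution section and the rule above can be exercised without a SIEM. The BumbleBee rule is reproduced and extended with wab.exe, the third spawn target named in the loader analysis; the second rule, for a service installed to run procdump against lsass (the Credential Access section), is our own assumption and not a rule the report publishes. The Sysmon Event ID 1 and System 7045 records are constructed, not taken from the case.

```python
"""Sigma-style selection matching over constructed Windows event records (added example)."""


def _field_matches(event, field_spec, wanted):
    """Apply one Sigma field test, e.g. 'Image|endswith': [...]; any listed value may match."""
    field, _, modifier = field_spec.partition("|")
    value = str(event.get(field, "")).lower()
    for w in (wanted if isinstance(wanted, list) else [wanted]):
        w = str(w).lower()
        if modifier == "endswith" and value.endswith(w):
            return True
        if modifier == "contains" and w in value:
            return True
        if modifier == "" and value == w:
            return True
    return False


def selection_matches(event, selection):
    """Every field test inside a selection must hold."""
    return all(_field_matches(event, spec, wanted) for spec, wanted in selection.items())


def evaluate_condition(expr, names):
    """Evaluate 'a and b', 'a or not b' ... left to right; no parentheses or precedence."""
    result, op, tokens, i = None, None, expr.split(), 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("and", "or"):
            op = tok
        else:
            negate = tok == "not"
            if negate:
                i += 1
                tok = tokens[i]
            val = names[tok] != negate          # xor with the 'not'
            result = val if result is None else (result and val if op == "and" else result or val)
        i += 1
    return bool(result)


def rule_matches(rule, event):
    det = rule["detection"]
    names = {k: selection_matches(event, v) for k, v in det.items() if k != "condition"}
    return evaluate_condition(det["condition"], names)


def run_rules(rules, events):
    """Return (rule title, event index) for every hit, rule by rule."""
    return [(r["title"], i) for r in rules for i, e in enumerate(events) if rule_matches(r, e)]


# Rule from this report, with wab.exe added (third spawn target from the loader analysis)
BUMBLEBEE_WMI_SPAWN = {
    "title": "BumbleBee WmiPrvSE execution pattern",
    "detection": {
        "selection_image": {"Image|endswith": ["ImagingDevices.exe", "wabmig.exe", "wab.exe"]},
        "selection_parent": {"ParentImage|endswith": ["WmiPrvSE.exe"]},
        "condition": "selection_image and selection_parent",
    },
}

# Assumed companion rule (ours, not from the report): a service installed to dump lsass with procdump
PROCDUMP_LSASS_SERVICE = {
    "title": "Service installed to dump LSASS with procdump",
    "detection": {
        "selection_event": {"EventID": 7045, "Provider": "Service Control Manager"},
        "selection_lsass": {"ImagePath|contains": ["lsass"]},
        "selection_dump": {"ImagePath|contains": [" -ma ", "procdump"]},
        "condition": "selection_event and selection_lsass and selection_dump",
    },
}

SAMPLE_EVENTS = [  # constructed records modelled on the case, not real telemetry
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},            # admin tooling via WMI: benign
    {"EventID": 1, "Image": r"C:\Program Files\Windows Photo Viewer\ImagingDevices.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},                           # user opened the app: benign
    {"EventID": 1, "Image": r"C:\Program Files\Windows Photo Viewer\ImagingDevices.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},            # BumbleBee pattern
    {"EventID": 1, "Image": r"C:\Program Files\Windows Mail\wabmig.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},            # BumbleBee pattern
    {"EventID": 7045, "Provider": "Service Control Manager", "ServiceName": "svc1",
     "ImagePath": r"C:\programdata\procdump64.exe -accepteula -ma lsass.exe C:\programdata\lsass.dmp"},
    {"EventID": 7045, "Provider": "Service Control Manager", "ServiceName": "AnyDesk",
     "ImagePath": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe --service"},
]

if __name__ == "__main__":
    for title, idx in run_rules([BUMBLEBEE_WMI_SPAWN, PROCDUMP_LSASS_SERVICE], SAMPLE_EVENTS):
        print(f"{title}: event {idx}")
```

The first two events show why the rule pairs the image with the parent: WmiPrvSE.exe spawning administrative tooling is normal, and a user launching ImagingDevices.exe from Explorer is normal, but the two together are the BumbleBee pattern. The AnyDesk 7045 record is there as a negative case for the procdump rule; it would instead be caught by a remote-access-software service rule, which this example does not implement.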



/*
   YARA Rule Set
   Author: The DFIR Report
   Date: 2022-09-26
   Identifier: Case 14373 BumbleBee
*/

/* Rule Set ----------------------------------------------------------------- */

rule case_14373_bumblebee_document_iso {
   meta:
      description = "Files - file document.iso"
      author = "The DFIR Report"
      reference = ""
      date = "2022-09-26"
      hash1 = "11bce4f2dcdc2c1992fddefb109e3ddad384b5171786a1daaddadc83be25f355"
   strings:
      $x1 = "tamirlan.dll,EdHVntqdWt\"%systemroot%\\system32\\imageres.dll" fullword wide
      $s2 = "C:\\Windows\\System32\\rundll32.exe" fullword ascii
      $s3 = "xotgug064ka8.dll" fullword ascii
      $s4 = "tamirlan.dll" fullword wide
      $s5 = ")..\\..\\..\\..\\Windows\\System32\\rundll32.exe" fullword wide
      $s6 = "        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\" />" fullword ascii
      $s7 = "claims indebted fires plastic naturalist deduction meaningless yielded automatic wrote damage far use fairly allocation lever ne" ascii
      $s8 = "documents.lnk" fullword wide
      $s9 = "4System32" fullword wide
      $s12 = " Type Descriptor'" fullword ascii
      $s13 = "YP^WTS]V[WPTWR_\\P[]WX_SPYQ[SQ]]UWTU]QR\\UQR]]\\\\^]UZUX\\X^U]P_^S[ZY^R^]UXWZURR\\]X[^TX\\S\\SWV_[YXP_[^^\\WW\\]]]PU_YZ\\]SVPQX[" ascii
      $s14 = "494[/D59:" fullword ascii /* hex encoded string 'IMY' */
      $s16 = "?+7,*6@24" fullword ascii /* hex encoded string 'v$' */
      $s17 = "[email protected]=" fullword ascii /* hex encoded string 'ghc' */
      $s18 = "*;+273++C" fullword ascii /* hex encoded string ''<' */
      $s19 = "*:>?2-:E?@>5D+" fullword ascii /* hex encoded string '.]' */
   condition:
      uint16(0) == 0x0000 and filesize < 8000KB and
      1 of ($x*) and 4 of them
}

rule case_14373_bumblebee_tamirlan_dll {
   meta:
      description = "Files - file tamirlan.dll"
      author = "The DFIR Report"
      reference = ""
      date = "2022-09-26"
      hash1 = "123f96ff0a583d507439f79033ba4f5aa28cf43c5f2c093ac2445aaebdcfd31b"
   strings:
      $s1 = "xotgug064ka8.dll" fullword ascii
      $s2 = "        <requestedExecutionLevel level=\"asInvoker\" uiAccess=\"false\" />" fullword ascii
      $s3 = "claims indebted fires plastic naturalist deduction meaningless yielded automatic wrote damage far use fairly allocation lever ne" ascii
      $s6 = " Type Descriptor'" fullword ascii
      $s7 = "YP^WTS]V[WPTWR_\\P[]WX_SPYQ[SQ]]UWTU]QR\\UQR]]\\\\^]UZUX\\X^U]P_^S[ZY^R^]UXWZURR\\]X[^TX\\S\\SWV_[YXP_[^^\\WW\\]]]PU_YZ\\]SVPQX[" ascii
      $s8 = "494[/D59:" fullword ascii /* hex encoded string 'IMY' */
      $s10 = "?+7,*6@24" fullword ascii /* hex encoded string 'v$' */
      $s11 = "[email protected]=" fullword ascii /* hex encoded string 'ghc' */
      $s12 = "*;+273++C" fullword ascii /* hex encoded string ''<' */
      $s13 = "*:>?2-:E?@>5D+" fullword ascii /* hex encoded string '.]' */
      $s19 = "PQP]^__\\ZZUSZYT_^S_SPPV]\\XPT_TPQU\\VWZQYZPZ^]]SW]R^[WYP]^[[R_RTSPYW^WU^QVPZ" fullword ascii
      $s20 = "Y]_QU\\ZQQSXRX[SPYVRWXU^P[VSSWUR]]PSWV\\X]Y[PX_UZ_PPP[WQVXY^^]^RRSPZ]^XWV^]" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 3000KB and
      8 of them
}

rule case_14373_bumblebee_documents_lnk {
   meta:
      description = "Files - file documents.lnk"
      author = "The DFIR Report"
      reference = ""
      date = "2022-09-26"
      hash1 = "cadd3f05b496ef137566c90c8fee3905ff13e8bda086b2f0d3cf7512092b541c"
   strings:
      $x1 = "tamirlan.dll,EdHVntqdWt\"%systemroot%\\system32\\imageres.dll" fullword wide
      $s2 = "C:\\Windows\\System32\\rundll32.exe" fullword ascii
      $s3 = ")..\\..\\..\\..\\Windows\\System32\\rundll32.exe" fullword wide
      $s4 = "4System32" fullword wide
      $s5 = "user-pc" fullword ascii
      $s6 = "Windows" fullword wide
   condition:
      uint16(0) == 0x004c and filesize < 4KB and
      1 of ($x*) and all of them
}


MITRE ATT&CK

Mark-of-the-Web Bypass - T1553.005
User Execution - T1204
Rundll32 - T1218.011
Masquerading - T1036
Local Account - T1136.001
LSASS Memory - T1003.001
Archive via Utility - T1560.001
Archive Collected Data - T1560
Service Execution - T1569.002
Process Discovery - T1057
System Network Configuration Discovery - T1016
Domain Trust Discovery - T1482
Domain Groups - T1069.002
SMB/Windows Admin Shares - T1021.002
Lateral Tool Transfer - T1570
Remote Desktop Protocol - T1021.001
Web Protocols - T1071.001
Remote Access Software - T1219
Process Injection - T1055

Internal case #14373

Article Link: BumbleBee: Round Two – The DFIR Report
