BumbleBee: Round Two

In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector. BumbleBee has been identified as an initial access vector utilized by several ransomware affiliates.

In this intrusion, we see the threat actor use BumbleBee to deploy Cobalt Strike and Meterpreter. The threat actor then used RDP and SMB to move around the network looking at backup systems and file shares before being evicted from the network.

Case Summary

The intrusion began with the delivery of an ISO file containing a LNK file and a BumbleBee payload in the form of a hidden DLL file. A user on a workstation mounted the ISO file and executed the LNK file, running the Bumblebee payload.

Around 15 minutes after the execution of BumbleBee, multiple processes were spawned with the goal of injecting Meterpreter into each of them. After the threat actors gained access with Meterpreter, they began conducting reconnaissance on the workstation and network, including querying domain controllers, mapping domain joined computers, enumerating Active Directory trusts, and listing Domain Admin accounts. All of this first wave of discovery relied on built in Windows utilities like nltest, arp, net, ping, nbtstat, and nslookup.

BumbleBee executed under a user with local administrator privileges on all workstations in the environment. At around six hours after initial execution, we observed a new process created that was then used to host a Cobalt Strike beacon, from the same command and control server observed in a prior BumbleBee case. This beacon reprised discovery activity, but also cut a common command short net user /dom instead of /domain, whether from keyboard laziness or a trick to trip-up detections. The threat actor then used their access to execute procdump via a remote service creation with the intention of dumping credentials from LSASS from an adjacent workstation on the network.

Next, the threat actors moved laterally via RDP to a server. A new local user, sql_admin, was created and added to the local administrator’s group and AnyDesk remote access software was installed. Through the AnyDesk session, the threat actor was observed connecting to a file share and accessing multiple documents related to cyber insurance and spreadsheets with passwords.

A second round of enumeration was observed on the beachhead using AdFind, which was executed via the Cobalt Strike beacon on the system. Following this second round of enumeration, the threat actor moved latterly to a server hosting backups, via RDP and interacted with the backup console. From the backup system, the threat actors also opened internet explorer and attempted to load the environment’s mail server, likely checking for Outlook Web Access.

A third round of enumeration, this time taking place from the first lateral server host, was observed via a script named ‘1.bat’ that would ping all computers in the environment. Following this third round of enumeration the threat actors were evicted from the environment and no further impact was observed.

We assess with medium confidence this intrusion was related to pre-ransomware activity due to the tool set and techniques the actor displayed.


We offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt Strike, BumbleBee, Covenant, Metasploit, Empire, PoshC2, etc. More information on this service and others can be found here.

We also have artifacts and IOCs available from this case such as pcaps, memory captures, files, event logs including Sysmon, Kape packages, and more, under our Security Researcher and Organization services.



Analysis and reporting completed by @MetallicHack, @iiamaleks & @svch0st

Initial Access

The BumbleBee malware has been following the trend of using the effective combination of utilizing an .iso image containing a .lnk and .dll file. We have observed the same behavior with other major malware distributors in previous reports:

Using the event log, “Microsoft-Windows-VHDMP-Operational.evtx”, we can quickly find when the user mounted the .iso.

Upon clicking the LNK file the BumbleBee payload was executed.

"C:\Windows\System32\rundll32.exe" tamirlan.dll,EdHVntqdWt


Following the user mounting the .iso file, they clicked on a .lnk file documents.lnk. As noted in previous reports, the .dll is hidden from the user unless they display hidden items in explorer like so:

The .lnk contains instructions to execute a specific exported function with the BumbleBee DLL file.

When the .lnk was doubled clicked by the user, the BumbleBee malware tamirlan.dll was executed:

C:\Windows\System32\rundll32.exe tamirlan.dll,EdHVntqdWt

The output of LECmd.exe, when used ondocuments.lnk, provided additional context to where and when this .lnk file was created:

>> Tracker database block
   Machine ID: user-pc
   MAC Address: 9a:5b:d6:3e:47:ec
   MAC Vendor: (Unknown vendor)
   Creation: <REDACTED DATE>

Approximately 5 seconds after execution, the rundll32.exe process contacted the IP More information on this traffic is covered in the Command and Control section below.

An interesting tactic of note, was the use of WMI and COM function calls to start the process, used to inject into. The BumbleBee loader uses WMI to start new process by calling COM functions to create a new process. Below you can see the COM instance creation followed by defining the WMI namespace and WMI object being created – “Win32_Process”.

Analysis of the loader found that a function of the malware chooses 1 of 3 target processes before injecting the supplied code:

C:\Program Files\Windows Mail\wabmig.exe
C:\Program Files\Windows Mail\wab.exe
C:\Program Files\Windows Photo Viewer\ImagingDevices.exe

This resulted in new processes not being a child of BumbleBee, but rather WmiPrvSE.exe.

In this intrusion, an instance of C:\Program Files\Windows Photo Viewer\ImagingDevices.exe was created and accessed by the BumbleBee rundll32.exe process. Shortly after this interaction, the process started communicating to a Meterpreter C2 This process spawned cmd.exe and several typical discovery commands that are covered in more detail below.

The second process, was spawned the WMI technique was an instance of C:\Program Files\Windows Mail\wabmig.exe. This process was used to host both a session to another Meterpreter C2 and a Cobalt Strike C2 server, which was then used to conduct the majority of additional activity including credential dumping and discovery exercises highlighted below. The pivot to using Cobalt Strike began around 6 hours after the execution of the BumbleBee loader.


A new local administrator user was created on a server to facilitate persistence on the machine. The user account was observed to be accessed via an AnyDesk session on the same machine.

  ➝ net  user sql_admin [email protected]! /add
  ➝ net  localgroup Administrators sql_admin /ADD

In addition, AnyDesk was installed as a service:


Defense Evasion

The BumbleBee loader itself uses several defense evasion and anti-analysis techniques. As detailed in the Execution section, the use of WMI to spawn new processes is a known technique to evade any parent/child process heuristics or detections.


Once the malware is unpacked, it becomes quite apparent to what the malware author(s) were looking for–

  • Known malware analysis process names running:
  • Known sandbox usernames (Sorry if your name is Peter Wilson, no malware for you 😟):
  • Specific Virtualization Software files on disk and registry keys (Virtual Box, Qemu, Parallels), example:

Process Injection

Create Remote Thread – The malware used the win32 function CreateRemoteThread in order to execute code in rundll32.exe.

Named Pipes – Two named pipes were created in order to establish inter-process communications (IPC) between rundll32.exe and wabmig.exe.


Credential Access


A remote service was created on one of the workstations in order to dump lsass.

Event 7045 from Service Control Manager

C:\programdata\procdump64.exe -accepteula -ma lsass.exe C:\programdata\lsass.dmp


The first discovery stage includes TTPs that we have seen in multiple cases, such as trusts discovery, domain admin group discovery, network discovery and process enumeration.

C:\Program Files\Windows Mail\wabmig.exe   
  ➝ C:\Windows\system32\cmd.exe /C ipconfig /all
  ➝ C:\Windows\system32\cmd.exe /C ping -n 1 <REDACTED_DOMAIN_NAME>
  ➝ C:\Windows\system32\cmd.exe /C nltest /dclist:
  ➝ C:\Windows\system32\cmd.exe /C nltest /domain_trusts
  ➝ C:\Windows\system32\cmd.exe /C net group "domain admins" /domain
  ➝ C:\Windows\system32\cmd.exe /C tasklist /v /s <REDACTED_IP>


AdFind.exe was renamed to af.exe and was used by threat actors in order to enumerate AD users, computers, OU, trusts, subnets and groups.

C:\Program Files\Windows Mail\wabmig.exe  
  ➝ C:\Windows\system32\cmd.exe /C af.exe -f "(objectcategory=person)" > ad_users.txt
  ➝ C:\Windows\system32\cmd.exe /C af.exe -f "objectcategory=computer" > ad_computers.txt
  ➝ C:\Windows\system32\cmd.exe /C af.exe -f "(objectcategory=organizationalUnit)" > ad_ous.txt
  ➝ C:\Windows\system32\cmd.exe /C af.exe -sc trustdmp > trustdmp.txt
  ➝ C:\Windows\system32\cmd.exe /C af.exe -subnets -f (objectCategory=subnet) > subnets.txt
  ➝ C:\Windows\system32\cmd.exe /C af.exe -f "(objectcategory=group)" > ad_group.txt
  ➝ C:\Windows\system32\cmd.exe /C af.exe -gcb -sc trustdmp > trustdmp.txt


Lateral Movement

The threat actor was observed moving via RDP throughout the network with a Domain Admin account.

As mentioned in Credential Access, the threat actor used remote services to execute commands on remote hosts.

SMB was used to transfer the various tools laterally, as needed in the environment, like procdump.exe and AnyDesk executables.


The threat actor accessed multiple documents and folders from a remote file server. The SMB share was accessed through a compromised server via an AnyDesk session.

The lsass dump file ran remotely, was copied to the beachhead through the admin share C$.

After being copied, the file was zipped using 7za.exe (7-zip), in preparation for exfiltration.

C:\Program Files\Windows Mail\wabmig.exe 
  ➝ C:\Windows\system32\cmd.exe /C copy \\<REMOTE_WORKSTATION>\C$\ProgramData\lsass.dmp c:\programdata\lsass.dmp
  ➝ C:\Windows\system32\cmd.exe /C 7za.exe a -tzip -mx5 c:\programdata\lsass.zip c:\programdata\lsass.dmp

Command and Control


JA3: c12f54a3f91dc7bafd92cb59fe009a35
JA3s: 76c691f46143bf86e2d1bb73c6187767

Certificate: [ac:18:a0:22:b2:ef:65:c8:85:5e:1f:eb:f5:35:23:28:89:3a:5d:f9]
Not Before: 2022/05/19 07:40:24 UTC 
Not After: 2023/05/19 07:40:24 UTC 
Issuer Org: Internet Widgits Pty Ltd 
Subject Org: Internet Widgits Pty Ltd 
Public Algorithm: rsaEncryption

Certificate: [0f:a6:76:b0:de:4c:f6:5e:a8:35:60:94:60:69:2c:2c:9c:cb:11:5c]
Not Before: 2022/05/19 07:48:30 UTC 
Not After: 2023/05/19 07:48:30 UTC 
Issuer Org: Internet Widgits Pty Ltd 
Subject Org: Internet Widgits Pty Ltd 
Public Algorithm: rsaEncryptiion



JA3: ce5f3254611a8c095a3d821d44539877
JA3s: ec74a5c51106f0419184d0dd08fb05bc

Certificate: [e5:a3:1d:28:ee:34:4f:9d:99:b8:a9:6e:b4:a9:d0:1f:63:43:3c:ac ]
Not Before: 2021/05/03 23:37:39 UTC 
Not After: 2027/05/02 23:37:39 UTC 
Issuer Org: Stracke, Lakin and Windler 
Subject Common: stracke.lakin.windler.net 
Subject Org: Stracke, Lakin and Windler 
Public Algorithm: rsaEncryption

Certificate: [84:38:01:51:ba:46:74:89:b3:2a:67:57:b7:a1:4a:5b:49:4a:b9:03 ]
Not Before: 2020/03/19 06:49:58 UTC 
Not After: 2026/03/18 06:49:58 UTC 
Issuer Org: Reilly-Carroll 
Subject Common: reilly.carroll.com 
Subject Org: Reilly-Carroll 
Public Algorithm: rsaEncryption


JA3: ce5f3254611a8c095a3d821d44539877
JA3s: ec74a5c51106f0419184d0dd08fb05bc

Certificate: [6c:0e:6d:6e:d8:06:92:c6:9a:13:2a:ee:d7:8c:9d:15:63:5e:e9:f2]
Not Before: 2020/09/03 16:14:07 UTC 
Not After: 2024/09/02 16:14:07 UTC 
Issuer Org: Jerde-Kreiger 
Subject Common: jerde.kreiger.info 
Subject Org: Jerde-Kreiger 
Public Algorithm: rsaEncryption

Cobalt Strike

This C2 server was observed in a previous BumbleBee case.


JA3: a0e9f5d64349fb13191bc781f81f42e1
JA3s: ae4edc6faf64d08308082ad26be60767

Certificate: [6c:54:cc:ce:ca:da:8b:d3:12:98:13:d5:85:52:81:8a:9d:74:4f:fb]
Not Before: 2022/04/15 00:00:00 UTC 
Not After: 2023/04/15 23:59:59 UTC 
Issuer Org: Sectigo Limited 
Subject Common: fuvataren.com [fuvataren.com ,www.fuvataren.com]
Public Algorithm: rsaEncryption


  "beacontype": [
  "sleeptime": 5000,
  "jitter": 24,
  "maxgetsize": 1398708,
  "license_id": 1580103814,
  "cfg_caution": false,
  "kill_date": null,
  "server": {
    "hostname": "fuvataren.com",
    "port": 443,
    "publickey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC5eYxmuxksHBu5Hqtk11PJye1th52fYvmUXmFrL1vEIQs9+B5NI7a6bHbSHSRN1hRJN2VQ9iwpF/11IFitmWKEbFIErjX1YCy1/1Eg+EawN4l2ReZ9lz1A9wIDUtQb8fAFYRCSn72Gzb+Pax1VKLt4Kx3QJrpduOhx4q4rdvahPQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="                                                                                                      
  "host_header": "",
  "useragent_header": null,
  "http-get": {
    "uri": "/rs.js",
    "verb": "GET",
    "client": {
      "headers": null,
      "metadata": null
    "server": {
      "output": [
        "prepend 600 characters",
  "http-post": {
    "uri": "/en",
    "verb": "POST",
    "client": {
      "headers": null,
      "id": null,
      "output": null
  "crypto_scheme": 0,
  "proxy": {
    "type": null,
    "username": null,
    "password": null,
    "behavior": "Use IE settings"
  "http_post_chunk": 0,
  "uses_cookies": true,
  "post-ex": {
    "spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
    "spawnto_x64": "%windir%\\sysnative\\rundll32.exe"
  "process-inject": {
    "allocator": "VirtualAllocEx",
    "execute": [
    "min_alloc": 11977,
    "startrwx": false,
    "stub": "tUr+Aexqde3zXhpE+L05KQ==",
    "transform-x86": [
      "prepend '\\x90\\x90\\x90\\x90\\x90\\x90'"
    "transform-x64": [
      "prepend '\\x90\\x90\\x90\\x90\\x90\\x90'"
    "userwx": false
  "dns-beacon": {
    "dns_idle": null,
    "dns_sleep": null,
    "maxdns": null,
    "beacon": null,
    "get_A": null,
    "get_AAAA": null,
    "get_TXT": null,
    "put_metadata": null,
    "put_output": null
  "pipename": null,
  "stage": {
    "cleanup": true
  "ssh": {
    "hostname": null,
    "port": null,
    "username": null,
    "password": null,
    "privatekey": null


AnyDesk was installed to facilitate interactive desktop command and control access to a server in the environment.

Reviewing the ad_svc.trace logs from Anydesk located in %programdata%\AnyDesk reveal the logins originating from This was again the same IP observered in the prior Bumblebee case.

info REDACTED 19:07:21.173 gsvc 1160 408 24 anynet.any_socket - Logged in from on relay dafa4c5b.
info REDACTED 19:27:45.255 gsvc 1160 408 41 anynet.any_socket - Logged in from on relay dafa4c5b.

The Client-ID observed in the logs was 892647610

info REDACTED 18:56:00.723 lsvc 5924 5928 2 anynet.connection_mgr - New user data. Client-ID: 892647610


No exfiltration methods were observed beyond the established command and control channels, which can be assessed as likely used to take data like the lsass dump out of the network.


The threat actors were evicted from the network before any further impact.




Cobalt Strike







The threat actor delivers the BumbleBee loader in the form of a DLL (tamirlan.dll) via an ISO file named document.iso and tricks a user into executing it via an LNK (document.lnk).

The threat actor dumps lsass using procdump and copies it over an admin share before using 7zip to zip it.
BumbleBee is used to load both Meterpreter and Cobalt Strike into memory and communicate with the C2 server.



ET USER_AGENTS AnyDesk Remote Desktop Software User-Agent
ET POLICY SSL/TLS Certificate Observed (AnyDesk Remote Desktop Software)
ET RPC DCERPC SVCCTL - Remote Service Control Manager Access
ET POLICY SMB2 NT Create AndX Request For an Executable File
ET POLICY SMB Executable File Transfer



title: BumbleBee WmiPrvSE execution pattern
id: 1620db43-fde5-45f3-b4d9-45ca6e79e047
status: Experimental
description: Detects BumbleBee WmiPrvSE parent process manipulation 
author:  TheDFIRReport
  - https://thedfirreport.com/
date: 2022/09/26
  category: process_creation
  product: windows
      - 'ImagingDevices.exe'
      - 'wabmig.exe'
      - 'WmiPrvSE.exe'
  condition: selection_image and selection_parent
  - Unknown
level: high
  - attack.defense_evasion
  - attack.t1036


   YARA Rule Set
   Author: The DFIR Report
   Date: 2022-09-26
   Identifier: Case 14373 BumbleBee
   Reference: https://thedfirreport.com/

/* Rule Set ----------------------------------------------------------------- */

rule case_14373_bumblebee_document_iso {
      description = "Files - file document.iso"
      author = "The DFIR Report"
      reference = "https://thedfirreport.com/"
      date = "2022-09-26"
      hash1 = "11bce4f2dcdc2c1992fddefb109e3ddad384b5171786a1daaddadc83be25f355"
      $x1 = "tamirlan.dll,EdHVntqdWt\"%systemroot%\\system32\\imageres.dll" fullword wide
      $s2 = "C:\\Windows\\System32\\rundll32.exe" fullword ascii
      $s3 = "xotgug064ka8.dll" fullword ascii
      $s4 = "tamirlan.dll" fullword wide
      $s5 = ")..\\..\\..\\..\\Windows\\System32\\rundll32.exe" fullword wide
      $s6 = "        <requestedExecutionLevel level='asInvoker' uiAccess='false' />" fullword ascii
      $s7 = "claims indebted fires plastic naturalist deduction meaningless yielded automatic wrote damage far use fairly allocation lever ne" ascii
      $s8 = "documents.lnk" fullword wide
      $s9 = "4System32" fullword wide
      $s12 = " Type Descriptor'" fullword ascii
      $s13 = "YP^WTS]V[WPTWR_\\P[]WX_SPYQ[SQ]]UWTU]QR\\UQR]]\\\\^]UZUX\\X^U]P_^S[ZY^R^]UXWZURR\\]X[^TX\\S\\SWV_[YXP_[^^\\WW\\]]]PU_YZ\\]SVPQX[" ascii
      $s14 = "494[/D59:" fullword ascii /* hex encoded string 'IMY' */
      $s16 = "?+7,*[email protected]" fullword ascii /* hex encoded string 'v$' */
      $s17 = "[email protected]=" fullword ascii /* hex encoded string 'ghc' */
      $s18 = "*;+273++C" fullword ascii /* hex encoded string ''<' */
      $s19 = "*:>?2-:[email protected]>5D+" fullword ascii /* hex encoded string '.]' */
      uint16(0) == 0x0000 and filesize < 8000KB and
      1 of ($x*) and 4 of them

rule case_14373_bumblebee_tamirlan_dll {
      description = "Files - file tamirlan.dll"
      author = "The DFIR Report"
      reference = "https://thedfirreport.com/"
      date = "2022-09-26"
      hash1 = "123f96ff0a583d507439f79033ba4f5aa28cf43c5f2c093ac2445aaebdcfd31b"
      $s1 = "xotgug064ka8.dll" fullword ascii
      $s2 = "        <requestedExecutionLevel level='asInvoker' uiAccess='false' />" fullword ascii
      $s3 = "claims indebted fires plastic naturalist deduction meaningless yielded automatic wrote damage far use fairly allocation lever ne" ascii
      $s6 = " Type Descriptor'" fullword ascii
      $s7 = "YP^WTS]V[WPTWR_\\P[]WX_SPYQ[SQ]]UWTU]QR\\UQR]]\\\\^]UZUX\\X^U]P_^S[ZY^R^]UXWZURR\\]X[^TX\\S\\SWV_[YXP_[^^\\WW\\]]]PU_YZ\\]SVPQX[" ascii
      $s8 = "494[/D59:" fullword ascii /* hex encoded string 'IMY' */
      $s10 = "?+7,*[email protected]" fullword ascii /* hex encoded string 'v$' */
      $s11 = "[email protected]=" fullword ascii /* hex encoded string 'ghc' */
      $s12 = "*;+273++C" fullword ascii /* hex encoded string ''<' */
      $s13 = "*:>?2-:[email protected]>5D+" fullword ascii /* hex encoded string '.]' */
      $s19 = "PQP]^__\\ZZUSZYT_^S_SPPV]\\XPT_TPQU\\VWZQYZPZ^]]SW]R^[WYP]^[[R_RTSPYW^WU^QVPZ" fullword ascii
      $s20 = "Y]_QU\\ZQQSXRX[SPYVRWXU^P[VSSWUR]]PSWV\\X]Y[PX_UZ_PPP[WQVXY^^]^RRSPZ]^XWV^]" fullword ascii
      uint16(0) == 0x5a4d and filesize < 3000KB and
      8 of them

rule case_14373_bumblebee_documents_lnk {
      description = "Files - file documents.lnk"
      author = "The DFIR Report"
      reference = "https://thedfirreport.com/"
      date = "2022-09-26"
      hash1 = "cadd3f05b496ef137566c90c8fee3905ff13e8bda086b2f0d3cf7512092b541c"
      $x1 = "tamirlan.dll,EdHVntqdWt\"%systemroot%\\system32\\imageres.dll" fullword wide
      $s2 = "C:\\Windows\\System32\\rundll32.exe" fullword ascii
      $s3 = ")..\\..\\..\\..\\Windows\\System32\\rundll32.exe" fullword wide
      $s4 = "4System32" fullword wide
      $s5 = "user-pc" fullword ascii
      $s6 = "}Windows" fullword wide
      uint16(0) == 0x004c and filesize < 4KB and
      1 of ($x*) and all of them


Mark-of-the-Web Bypass - T1553.005
User Execution - T1204
Rundll32 - T1218.011
Masquerading - T1036
Local Account - T1136.001
LSASS Memory - T1003.001
Archive via Utility - T1560.001
Archive Collected Data - T1560
Service Execution - T1569.002
Process Discovery - T1057
System Network Configuration Discovery - T1016
Domain Trust Discovery - T1482
Domain Groups - T1069.002
SMB/Windows Admin Shares - T1021.002
Lateral Tool Transfer - T1570
Remote Desktop Protocol - T1021.001
Web Protocols - T1071.001
Remote Access Software - T1219
Process Injection - T1055

Internal case #14373