bumblebee | a6a48f8c18172cd0acafce22a39fdc65a720aad346050a7ee1b20cd6a13bd3f8

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02-11-2022 17:35

Target

pBLiwECeuZiHFL.bat
Size

1KB
MD5

ff1583c2c367477eb0873a15201cbcee
SHA1

8e24b760fdfa2e45eccf800644749b5942f79b4f
SHA256

c4730df817cb9010496afb25668619249e8e93a64d860783c7a49675c7c4fe0b
SHA512

ed2b5744269509359be16ae35dc08b9eb2ca1c8e4876de3605f2a7486774d16cbf8207288ec9d82c34ddd49f81f903618d996d91df65ac5a46792b5036867a12

Score

10^/10

Family

bumblebee

Botnet

0211

176.223.165.119:443

51.75.63.234:443

104.168.171.189:443

rc4.plain

Blocklisted process makes network request 7 IoCs

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1240	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1240	2000	cmd.exe	29
PID 2000 wrote to memory of 1240	2000	cmd.exe	29
PID 2000 wrote to memory of 1240	2000	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\pBLiwECeuZiHFL.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\system32\rundll32.exe
  rundll32 LDYwFaCKXIhkuX.dll,Qruncore
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:1240

memory/1240-55-0x0000000001F60000-0x00000000020A9000-memory.dmp

Filesize
1.3MB

Download
memory/1240-56-0x0000000000470000-0x00000000004E6000-memory.dmp

Filesize
472KB

Download