bumblebee | 584d1a787374e437b050149ee9e1f891496db0d5e1f86bc08c1c3f003143bb80

Analysis

max time kernel
129s
max time network
144s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/11/2022, 21:01

Target

DKyVKmgVSvviRl.bat
Size

1KB
MD5

a3278817a228bfe014efa23c1f5ea606
SHA1

577b3550e9fae158aa5020c0e2eec4159657b261
SHA256

b00a6c38740aece0bf52e3ae04523ed03009908353709de8463580bb628c2c1e
SHA512

c74a1feac03c9a0cf7d9e53547cde5df06bafdde73d1bf1f289c42c9deb23c269f6a732a3de095e4f579b320adc7cd18568565c437f4d1b8db0ec3d2aedd269e

Score

10^/10

Family

bumblebee

Botnet

0411

192.119.120.146:443

54.37.131.10:443

146.70.139.252:443

rc4.plain

Blocklisted process makes network request 5 IoCs

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1416	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 1416	1468	cmd.exe	28
PID 1468 wrote to memory of 1416	1468	cmd.exe	28
PID 1468 wrote to memory of 1416	1468	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\DKyVKmgVSvviRl.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\system32\rundll32.exe
  rundll32 aMLjTIhBvevLGx.dll,SendData
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:1416

memory/1416-55-0x0000000001F00000-0x0000000002049000-memory.dmp

Filesize
1.3MB

Download
memory/1416-56-0x0000000001BB0000-0x0000000001C26000-memory.dmp

Filesize
472KB

Download