bumblebee | 584d1a787374e437b050149ee9e1f891496db0d5e1f86bc08c1c3f003143bb80

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2022 21:01

Target

DKyVKmgVSvviRl.bat
Size

1KB
MD5

a3278817a228bfe014efa23c1f5ea606
SHA1

577b3550e9fae158aa5020c0e2eec4159657b261
SHA256

b00a6c38740aece0bf52e3ae04523ed03009908353709de8463580bb628c2c1e
SHA512

c74a1feac03c9a0cf7d9e53547cde5df06bafdde73d1bf1f289c42c9deb23c269f6a732a3de095e4f579b320adc7cd18568565c437f4d1b8db0ec3d2aedd269e

Score

10^/10

Family

bumblebee

Botnet

0411

192.119.120.146:443

54.37.131.10:443

146.70.139.252:443

rc4.plain

Blocklisted process makes network request 6 IoCs

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2200	rundll32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 2200	4664	cmd.exe	81
PID 4664 wrote to memory of 2200	4664	cmd.exe	81

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DKyVKmgVSvviRl.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Windows\system32\rundll32.exe
  rundll32 aMLjTIhBvevLGx.dll,SendData
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:2200

memory/2200-133-0x000001FBA7610000-0x000001FBA7759000-memory.dmp

Filesize
1.3MB

Download
memory/2200-134-0x000001FBA7410000-0x000001FBA7486000-memory.dmp

Filesize
472KB

Download