bumblebee | 30e5932e9173ed92579dc6549149d37cf949e3276d6ca33e7c224ae8546098b3

Analysis

max time kernel
146s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10-11-2022 16:19

Target

RzTgomzVMyYvLc.bat
Size

1KB
MD5

44852447be8fb0979b630e4ce2f23311
SHA1

0d5bdc0eb82c3b0cccbd89d9c656108f5eb741f6
SHA256

d8da10ca4550a74f46f890ff2165044d95e1c0c7f97078b4c128a8399cf96e87
SHA512

8eadde672ebf7e51816a117913bb977d90591ab26efe210e3d88fe72297f3c1facbee663119ecf14b9d731be6f1d96e2925f197578f2dab3154be394fb24f778

Score

10^/10

Family

bumblebee

Botnet

1011

104.219.233.38:443

192.119.120.22:443

146.59.116.242:443

rc4.plain

Blocklisted process makes network request 7 IoCs

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
936	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 936	1900	cmd.exe	28
PID 1900 wrote to memory of 936	1900	cmd.exe	28
PID 1900 wrote to memory of 936	1900	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\RzTgomzVMyYvLc.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1900
- C:\Windows\system32\rundll32.exe
  rundll32 nCguwHABqhXZAo.dll,mruAlloc
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:936

memory/936-55-0x0000000001F50000-0x0000000002099000-memory.dmp

Filesize
1.3MB

Download
memory/936-56-0x0000000001D90000-0x0000000001E03000-memory.dmp

Filesize
460KB

Download