bumblebee | 30e5932e9173ed92579dc6549149d37cf949e3276d6ca33e7c224ae8546098b3

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2022 16:19

Target

RzTgomzVMyYvLc.bat
Size

1KB
MD5

44852447be8fb0979b630e4ce2f23311
SHA1

0d5bdc0eb82c3b0cccbd89d9c656108f5eb741f6
SHA256

d8da10ca4550a74f46f890ff2165044d95e1c0c7f97078b4c128a8399cf96e87
SHA512

8eadde672ebf7e51816a117913bb977d90591ab26efe210e3d88fe72297f3c1facbee663119ecf14b9d731be6f1d96e2925f197578f2dab3154be394fb24f778

Score

10^/10

Family

bumblebee

Botnet

1011

104.219.233.38:443

192.119.120.22:443

146.59.116.242:443

rc4.plain

Blocklisted process makes network request 7 IoCs

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4384	rundll32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 4384	4656	cmd.exe	82
PID 4656 wrote to memory of 4384	4656	cmd.exe	82

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RzTgomzVMyYvLc.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Windows\system32\rundll32.exe
  rundll32 nCguwHABqhXZAo.dll,mruAlloc
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:4384

memory/4384-133-0x000001DB96DB0000-0x000001DB96EF9000-memory.dmp

Filesize
1.3MB

Download
memory/4384-134-0x000001DB96BF0000-0x000001DB96C63000-memory.dmp

Filesize
460KB

Download