bumblebee | c80de52d42e21278610b0516bfcf4ebda136a5696af3f60a5e5782911e4276d0

Analysis

max time kernel
131s
max time network
144s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14/11/2022, 17:17

Target

TA580_20221114.zip/DDmEtxgXtOVOLY.bat
Size

1KB
MD5

7d3bc8f7c05afe9f898ba052bd77d0ac
SHA1

59dee82b4be9a3d67a86cef3fea439b5c1f4e3ac
SHA256

71eb244220efc90f4a4a272117e00b9f7e975758b3c3bd1fc4cc28fae58173e5
SHA512

322dc1afb53d19f9cfe90951ea543241e29d34c51fe4d0e6bd23da46d778b489285debf3dd594f8e5007c511341e4515f14a521822009cc2864ca82773537075

Score

10^/10

Family

bumblebee

Botnet

1411

107.189.13.247:443

64.44.102.241:443

54.37.130.24:443

rc4.plain

Blocklisted process makes network request 5 IoCs

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1696	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 1696	1132	cmd.exe	28
PID 1132 wrote to memory of 1696	1132	cmd.exe	28
PID 1132 wrote to memory of 1696	1132	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\TA580_20221114.zip\DDmEtxgXtOVOLY.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\system32\rundll32.exe
  rundll32 aGySCShDWxUsAj.dll,LoadNode
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:1696

memory/1696-55-0x0000000001F90000-0x00000000020D9000-memory.dmp

Filesize
1.3MB

Download
memory/1696-56-0x0000000001C40000-0x0000000001CB8000-memory.dmp

Filesize
480KB

Download