bumblebee | c80de52d42e21278610b0516bfcf4ebda136a5696af3f60a5e5782911e4276d0

Analysis

max time kernel
143s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2022 17:17

Target

TA580_20221114.zip/DDmEtxgXtOVOLY.bat
Size

1KB
MD5

7d3bc8f7c05afe9f898ba052bd77d0ac
SHA1

59dee82b4be9a3d67a86cef3fea439b5c1f4e3ac
SHA256

71eb244220efc90f4a4a272117e00b9f7e975758b3c3bd1fc4cc28fae58173e5
SHA512

322dc1afb53d19f9cfe90951ea543241e29d34c51fe4d0e6bd23da46d778b489285debf3dd594f8e5007c511341e4515f14a521822009cc2864ca82773537075

Score

10^/10

Family

bumblebee

Botnet

1411

107.189.13.247:443

64.44.102.241:443

54.37.130.24:443

rc4.plain

Blocklisted process makes network request 6 IoCs

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
3236	rundll32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3464 wrote to memory of 3236	3464	cmd.exe	81
PID 3464 wrote to memory of 3236	3464	cmd.exe	81

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\TA580_20221114.zip\DDmEtxgXtOVOLY.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Windows\system32\rundll32.exe
  rundll32 aGySCShDWxUsAj.dll,LoadNode
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:3236

memory/3236-133-0x0000017DE7970000-0x0000017DE7AB9000-memory.dmp

Filesize
1.3MB

Download
memory/3236-134-0x0000017DE76D0000-0x0000017DE7748000-memory.dmp

Filesize
480KB

Download