bumblebee | e107a5182ba2130a4f46d2825e5acf8f6e847c9beef055eead5baafbf86731f0

Analysis

max time kernel
146s
max time network
153s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14-11-2022 18:06

Target

TDGxENRMCBkgkc.bat
Size

1KB
MD5

372223c90e92c1bd3333eb5175375d10
SHA1

bb4892289f99f41a5a56e18db703149ea80040f6
SHA256

7a2b6dcdba0158d583d37512ddcfe816d31124c3234498a5910dac141869ffdd
SHA512

010a7cce6c6c91c3716ec3dadfabb534c65a2a9e07b429b42ac62b3bcce1748f69d998d46370c36e2dccdac8e393e7b1681dd0aa09102fa7e416fcb56f9c0c87

Score

10^/10

Family

bumblebee

Botnet

1411

107.189.13.247:443

64.44.102.241:443

54.37.130.24:443

rc4.plain

Blocklisted process makes network request 6 IoCs

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
1672	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 1672	1076	cmd.exe	29
PID 1076 wrote to memory of 1672	1076	cmd.exe	29
PID 1076 wrote to memory of 1672	1076	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\TDGxENRMCBkgkc.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\system32\rundll32.exe
  rundll32 pFTLNjSsgkkKZo.dll,LoadNode
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:1672

memory/1672-55-0x0000000002010000-0x0000000002159000-memory.dmp

Filesize
1.3MB

Download
memory/1672-56-0x0000000001CA0000-0x0000000001D18000-memory.dmp

Filesize
480KB

Download