bumblebee | 44ed83c8c4c46d8311989ee46ee8cf044c709cccf89580b1758b21091fc44193

Analysis

max time kernel
145s
max time network
152s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
15/11/2022, 02:52

Target

malicious/HUeLjsrbrChRXV.bat
Size

1KB
MD5

834daa3583a380ed808b4b3f7cc53744
SHA1

70d878eff559dc9af26e2a3f27defa58a21a69b9
SHA256

344ec9189a2b37185cd0e5fa8c06b47daa10040fcc47e75d592e5e49874e8412
SHA512

6bb7c2740f0dd07a930935a0b683315fd6ce3645f44086fa326f80b309cd946778f2b7365b910c9b101e6a4a21866e4c4d2cc6a856243de47d7506ffdae019a1

Score

10^/10

Family

bumblebee

Botnet

1411

107.189.13.247:443

64.44.102.241:443

54.37.130.24:443

rc4.plain

Blocklisted process makes network request 6 IoCs

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
912	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 912	1768	cmd.exe	28
PID 1768 wrote to memory of 912	1768	cmd.exe	28
PID 1768 wrote to memory of 912	1768	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\malicious\HUeLjsrbrChRXV.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\system32\rundll32.exe
  rundll32 eXrZsNsGUlguMh.dll,LoadNode
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:912

memory/912-55-0x0000000001FB0000-0x00000000020F9000-memory.dmp

Filesize
1.3MB

Download
memory/912-56-0x0000000001C50000-0x0000000001CC8000-memory.dmp

Filesize
480KB

Download