bumblebee | e731a9904849499018e7761354c7eee9ffd8bd68f32a4eaad75311e342066ac7

Analysis

max time kernel
131s
max time network
144s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
17-11-2022 20:17

Target

DyNNDCUAhTtInE.bat
Size

965B
MD5

b6726f389f6192bb504b25d644177e3e
SHA1

a33967710afae845d5eada41676719960cc45c18
SHA256

7738c3502abeefb6d032cc88768c4d6370bc1fd250b2c9575646de56c463d721
SHA512

08da51dd0e0b834e11d23a6fc040af31a90b575a2b8d4603820ab01017af3018a37c25b1072a1eb89e5c0463c6cb0846f597316631a2755b2202961c08905d95

Score

10^/10

Family

bumblebee

Botnet

1711

193.200.16.175:443

54.37.130.195:443

64.44.97.58:443

rc4.plain

Blocklisted process makes network request 5 IoCs

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
884	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 884	1208	cmd.exe	28
PID 1208 wrote to memory of 884	1208	cmd.exe	28
PID 1208 wrote to memory of 884	1208	cmd.exe	28

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\DyNNDCUAhTtInE.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\system32\rundll32.exe
  rundll32 aBZbMXVgKCtmcQ.dll,CheckSettings
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:884

memory/884-55-0x0000000001F20000-0x0000000002069000-memory.dmp

Filesize
1.3MB

Download
memory/884-56-0x00000000002A0000-0x0000000000318000-memory.dmp

Filesize
480KB

Download
memory/884-57-0x00000000002A0000-0x0000000000318000-memory.dmp

Filesize
480KB

Download