bumblebee | e731a9904849499018e7761354c7eee9ffd8bd68f32a4eaad75311e342066ac7

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2022 20:17

Target

DyNNDCUAhTtInE.bat
Size

965B
MD5

b6726f389f6192bb504b25d644177e3e
SHA1

a33967710afae845d5eada41676719960cc45c18
SHA256

7738c3502abeefb6d032cc88768c4d6370bc1fd250b2c9575646de56c463d721
SHA512

08da51dd0e0b834e11d23a6fc040af31a90b575a2b8d4603820ab01017af3018a37c25b1072a1eb89e5c0463c6cb0846f597316631a2755b2202961c08905d95

Score

10^/10

Family

bumblebee

Botnet

1711

193.200.16.175:443

54.37.130.195:443

64.44.97.58:443

rc4.plain

Blocklisted process makes network request 6 IoCs

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
4656	rundll32.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3440 wrote to memory of 4656	3440	cmd.exe	81
PID 3440 wrote to memory of 4656	3440	cmd.exe	81

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DyNNDCUAhTtInE.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3440
- C:\Windows\system32\rundll32.exe
  rundll32 aBZbMXVgKCtmcQ.dll,CheckSettings
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of NtCreateThreadExHideFromDebugger
  PID:4656

memory/4656-133-0x000002F006230000-0x000002F006379000-memory.dmp

Filesize
1.3MB

Download
memory/4656-134-0x000002F005F20000-0x000002F005F98000-memory.dmp

Filesize
480KB

Download