Analysis
max time kernel: 143s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20230831-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230831-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-09-2023 09:30
Static task: static1 (1 signatures)
Behavioral task: behavioral1
Sample: b8fc2474a801ea4b51df01d869c192cf430d72763758d8ca68cc43e318fdc7a0.dll
Resource: win7-20230831-en (2 signatures, 150 seconds)
General
Target: b8fc2474a801ea4b51df01d869c192cf430d72763758d8ca68cc43e318fdc7a0.dll
Size: 1.1MB
MD5: 9a05abe3e58b71abd91ba819bbe88846
SHA1: 3cf06a801d3b061e6dfd7c0fd257778ce878d4d1
SHA256: b8fc2474a801ea4b51df01d869c192cf430d72763758d8ca68cc43e318fdc7a0
SHA512: c4a2a544527cf6d0fb909bdc8cf58eb3e4f3741ecba2578f0ec11ef69a4ca1713110ca1b3c8dc1f02c35ed4a241247abe042e725080dd0945cca3ba4c124a392
SSDEEP: 24576:Vi1XU5dnViuxKLDjpZkECM513RshB80lPW6XmA:01cdnVkjq
Malware Config
Extracted
Family: bumblebee
Botnet: js1
rc4.plain
Signatures
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
Processes:
  pid   process
  4624  regsvr32.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description                       pid   process
  Token: SeManageVolumePrivilege    5108  svchost.exe
Processes
C:\Windows\system32\regsvr32.exe
  command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b8fc2474a801ea4b51df01d869c192cf430d72763758d8ca68cc43e318fdc7a0.dll
  PID: 4624
  - Suspicious use of NtCreateThreadExHideFromDebugger
C:\Windows\system32\rundll32.exe
  command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
  PID: 4652
C:\Windows\System32\svchost.exe
  command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  PID: 5108
  - Suspicious use of AdjustPrivilegeToken