Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

Project re...ts.lnk

windows7_x64

10

Project re...ts.lnk

windows10-2004_x64

10

prjct.dll

windows7_x64

10

prjct.dll

windows10-2004_x64

10

prjct.rsp

windows7_x64

3

prjct.rsp

windows10-2004_x64

3

Resubmissions

13/10/2022, 05:26

221013-f44zmsagfm 10

13/10/2022, 05:21

221013-f2ft2abae7 1

05/07/2022, 20:58

220705-zsep6achfq 10

Analysis

  • max time kernel
    91s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    05/07/2022, 20:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Project requirements.lnk

  • Size

    1KB

  • MD5

    6ca6a8b1a8d781bc91444dc2402d3f58

  • SHA1

    a66015ece818c3c35d0ae8a400ee9c102425186b

  • SHA256

    3926bec362d86edc8fcc4e283d6b93b21108d6b9d194de9fc1108df2944b0319

  • SHA512

    f778da9c3762ceb37b65c6ba6864e6158e44a99eb776108825c02b4bb56dc309ec4998eb66b053cff99984294f49365b6a50bf8e83e07ec58782a80fbdf5b2a9

Score
10/10
bumblebee407aevasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

407a

C2

106.30.10.152:200

159.107.119.196:466

249.250.158.148:322

202.77.46.110:494

34.34.152.166:165

244.76.41.194:324

134.179.38.71:422

103.175.16.49:443

16.249.204.133:158

231.217.204.87:289

165.84.157.60:302

209.198.142.251:182

78.0.144.134:330

117.17.41.72:459

126.76.167.19:201

217.8.253.10:398

209.141.41.46:443

18.151.45.13:359

97.85.151.94:372

221.184.92.249:392
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Project requirements.lnk"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3460
    • C:\Windows\System32\odbcconf.exe
      "C:\Windows\System32\odbcconf.exe" -f prjct.rsp
      2⤵
      • Enumerates VirtualBox registry keys
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Looks for VirtualBox Guest Additions in registry
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4020

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4020-131-0x000002CA62D40000-0x000002CA62E56000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4020-132-0x00007FFA22A60000-0x00007FFA22A70000-memory.dmp

    Filesize

    64KB

    Download