Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
91s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
21/09/2022, 19:25
General
-
Target
gate.ps1
-
Size
197B
-
MD5
f6fb7d0f27c0f475c1c8e4ee5a926c0a
-
SHA1
81e71f0b5d07eae5d6adcaed5365131058747f34
-
SHA256
de4a414a2f1f7f52e1febf7246605fb2c3b5af4fe7dc9af482321e812da5a1eb
-
SHA512
fe4dc9d0e48805906e20e0d3d2565a24328171a597603baabb340c4b348f78db598746d088621ec758e690f92b0d0b5ee2bad1046855612b0008cd31d65b0b72
Malware Config
Extracted
bumblebee
1209
142.11.211.32:443
146.59.116.49:443
192.236.155.219:443
Signatures
-
BumbleBee
BumbleBee is a webshell malware written in C++.
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Loads dropped DLL 1 IoCs
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\gate.ps11⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\rundll32.exe"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Local\ebVPMo.bin,vcsfile2⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.8MB
MD545f2a624cbbe8d161223c27b177a968e
SHA1954b8a64f3f02975929efde03d5d03db4df11f87
SHA2562352cdd577a7a365388143c58c8b854be107ff03da84453578f707f60c78ea31
SHA5120369024782981aca55cfb7a1411285b1b7422ca1ac0bcdfbaebf8ceb22fdc6be6a7a051fd025935d3f5791915dde1fb9c0a69375f81073e0a6b1aebfef072c3f
-
Filesize
2.8MB
MD545f2a624cbbe8d161223c27b177a968e
SHA1954b8a64f3f02975929efde03d5d03db4df11f87
SHA2562352cdd577a7a365388143c58c8b854be107ff03da84453578f707f60c78ea31
SHA5120369024782981aca55cfb7a1411285b1b7422ca1ac0bcdfbaebf8ceb22fdc6be6a7a051fd025935d3f5791915dde1fb9c0a69375f81073e0a6b1aebfef072c3f
-
Filesize
1.4MB
-
Filesize
136KB
-
Filesize
10.8MB
-
Filesize
10.8MB