Analysis

  • max time kernel
    91s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
  • submitted
    19/10/2022, 20:39 UTC

General

  • Target
    DETAILS.lnk
  • Size
    995B
  • MD5
    cadc4156a4d9e1c398f6eb54957a8c9b
  • SHA1
    2fe2e1366bfcb30249188043d14f6cb749292989
  • SHA256
    7e4816c16bd3766ccb4dba5e4dff725f3936233f8aff9cddb904347f17118cd7
  • SHA512
    88a8c007d791c7dccf500762a587dd4438da4c53253cb43588e7ac216cd77ba97d5f6d59559a671ebcc120b8f2ae2befc6e03d5f3b8024c8d529f5805058db4e

Malware Config

Extracted

  • Family
    bumblebee
  • Botnet
    1710
  • C2
    198.98.59.245:443
    146.19.173.148:443
    45.61.185.227:443
  • rc4.plain
    eCUmnQerTx

Signatures

  • BumbleBee
    BumbleBee is a webshell malware written in C++.
  • Enumerates VirtualBox registry keys (2 TTPs, 5 IoCs)
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
  • Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  • Checks BIOS information in registry (2 TTPs, 3 IoCs)
    BIOS information is often read in order to detect sandboxing environments.
  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely a geofence.
  • Identifies Wine through registry keys (2 TTPs, 1 IoC)
    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  • Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Windows\system32\cmd.exe (PID 4372)
    cmd /c C:\Users\Admin\AppData\Local\Temp\DETAILS.lnk
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    • C:\Windows\System32\cmd.exe (PID 1448)
      "C:\Windows\System32\cmd.exe" /c lZrFnyxCjMmiEL.bat
      • Suspicious use of WriteProcessMemory
      • C:\Windows\system32\rundll32.exe (PID 4144)
        rundll32.exe HcDTvUxhMvlLtX.dll,FileUpload
        • Enumerates VirtualBox registry keys
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Looks for VirtualBox Guest Additions in registry
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses

Network

  • 8.253.208.113:80    322 B    7
  • 2.18.109.224:443    322 B    7
  • 20.42.73.25:443     322 B    7
  • 87.248.202.1:80     322 B    7
  • 87.248.202.1:80     322 B    7
  • 93.184.221.240:80   322 B    7

Downloads

  • memory/4144-134-0x000001A27D7F0000-0x000001A27D943000-memory.dmp
    Filesize: 1.3MB
