Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

required d...ts.iso

windows7-x64

3

required d...ts.iso

windows10-2004-x64

3

OUBcVbISpNCsLG.bat

windows7-x64

10

OUBcVbISpNCsLG.bat

windows10-2004-x64

10

documents.lnk

windows7-x64

10

documents.lnk

windows10-2004-x64

10

lXNqexIxTwBWAS.dll

windows7-x64

3

lXNqexIxTwBWAS.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    92s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/10/2022, 15:52 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    OUBcVbISpNCsLG.bat

  • Size

    1KB

  • MD5

    242b45ffc92adbcc688bbba8e9fb4c89

  • SHA1

    a4edae5f16f1788ff43c7dfc328753308738af58

  • SHA256

    8daa11b913b572783934fde9e047bd2a3112dc5a7a35720ca1e3cb3cd74ce84a

  • SHA512

    2771f636e046302bdf18e568901b52ed61d5cd9db3b226cc6bd900999cd10236e17c9c5cfb874e1e3a001cb5f5c1f4a84b445480018ff4e38433f77da4f3f5e3

Score
10/10
bumblebee2510evasiontrojan

Malware Config

Extracted

Family

bumblebee

Botnet

2510

C2

69.46.15.158:443

135.125.241.35:443

172.86.120.141:443
rc4.plain
1
eCUmnQerTx

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
    evasion
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\OUBcVbISpNCsLG.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3868
    • C:\Windows\system32\rundll32.exe
      rundll32 lXNqexIxTwBWAS.dll,newrequest
      2⤵
      • Enumerates VirtualBox registry keys
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Looks for VirtualBox Guest Additions in registry
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4436

Network

    No results found
  • 178.79.208.1:80
    322 B
     7
No results found

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4436-133-0x000002C230DD0000-0x000002C230F23000-memory.dmp

    Filesize

    1.3MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.