
Analysis

  • max time kernel
    92s
  • max time network
    110s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/10/2022, 15:52 UTC

General

  • Target

    OUBcVbISpNCsLG.bat

  • Size

    1KB

  • MD5

    242b45ffc92adbcc688bbba8e9fb4c89

  • SHA1

    a4edae5f16f1788ff43c7dfc328753308738af58

  • SHA256

    8daa11b913b572783934fde9e047bd2a3112dc5a7a35720ca1e3cb3cd74ce84a

  • SHA512

    2771f636e046302bdf18e568901b52ed61d5cd9db3b226cc6bd900999cd10236e17c9c5cfb874e1e3a001cb5f5c1f4a84b445480018ff4e38433f77da4f3f5e3

Malware Config

Extracted

Family

bumblebee

Botnet

2510

C2

69.46.15.158:443

135.125.241.35:443

172.86.120.141:443

rc4.plain
1
eCUmnQerTx

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

  • Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • Checks BIOS information in registry 2 TTPs 3 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\OUBcVbISpNCsLG.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3868
    • C:\Windows\system32\rundll32.exe
      rundll32 lXNqexIxTwBWAS.dll,newrequest
      2⤵
      • Enumerates VirtualBox registry keys
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Looks for VirtualBox Guest Additions in registry
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:4436

Network

    No results found
  • 178.79.208.1:80
    322 B
    7
No results found

MITRE ATT&CK Enterprise v6


Downloads

  • memory/4436-133-0x000002C230DD0000-0x000002C230F23000-memory.dmp

    Filesize

    1.3MB
