Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Overview
overview
10Static
static
required d...ts.iso
windows7-x64
3required d...ts.iso
windows10-2004-x64
3OUBcVbISpNCsLG.bat
windows7-x64
10OUBcVbISpNCsLG.bat
windows10-2004-x64
10documents.lnk
windows7-x64
10documents.lnk
windows10-2004-x64
10lXNqexIxTwBWAS.dll
windows7-x64
3lXNqexIxTwBWAS.dll
windows10-2004-x64
3Analysis
-
max time kernel
92s -
max time network
110s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
27/10/2022, 15:52
Static task
static1
Behavioral task
behavioral1
Sample
required documents.iso
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral2
Sample
required documents.iso
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
OUBcVbISpNCsLG.bat
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral4
Sample
OUBcVbISpNCsLG.bat
Resource
win10v2004-20220812-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
documents.lnk
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral6
Sample
documents.lnk
Resource
win10v2004-20220901-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
lXNqexIxTwBWAS.dll
Resource
win7-20220812-en
windows7-x64
Behavioral task
behavioral8
Sample
lXNqexIxTwBWAS.dll
Resource
win10v2004-20220812-en
windows10-2004-x64
General
-
Target
OUBcVbISpNCsLG.bat
-
Size
1KB
-
MD5
242b45ffc92adbcc688bbba8e9fb4c89
-
SHA1
a4edae5f16f1788ff43c7dfc328753308738af58
-
SHA256
8daa11b913b572783934fde9e047bd2a3112dc5a7a35720ca1e3cb3cd74ce84a
-
SHA512
2771f636e046302bdf18e568901b52ed61d5cd9db3b226cc6bd900999cd10236e17c9c5cfb874e1e3a001cb5f5c1f4a84b445480018ff4e38433f77da4f3f5e3
Malware Config
Extracted
bumblebee
2510
69.46.15.158:443
135.125.241.35:443
172.86.120.141:443
Signatures
-
Enumerates VirtualBox registry keys 2 TTPs 5 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxMouse rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxService rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxSF rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxVideo rundll32.exe -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\RSDT\VBOX__ rundll32.exe -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions rundll32.exe -
Checks BIOS information in registry 2 TTPs 3 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate rundll32.exe -
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Wine rundll32.exe -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
pid Process 4436 rundll32.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe 4436 rundll32.exe -
Suspicious use of WriteProcessMemory 2 IoCs
description pid Process procid_target PID 3868 wrote to memory of 4436 3868 cmd.exe 82 PID 3868 wrote to memory of 4436 3868 cmd.exe 82
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\OUBcVbISpNCsLG.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\system32\rundll32.exerundll32 lXNqexIxTwBWAS.dll,newrequest2⤵
- Enumerates VirtualBox registry keys
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4436
-