Analysis
max time kernel: 150s
max time network: 162s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 31/10/2022, 19:01
Static task: static1
Behavioral task: behavioral1
  Sample: YBnruijYBbnbMK.bat
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: YBnruijYBbnbMK.bat
  Resource: win10v2004-20220812-en
Behavioral task: behavioral3
  Sample: required documents.lnk
  Resource: win7-20220812-en
Behavioral task: behavioral4
  Sample: required documents.lnk
  Resource: win10v2004-20220901-en
Behavioral task: behavioral5
  Sample: vEzFDEkEeKmEBW.dll
  Resource: win7-20220812-en
General
Target: YBnruijYBbnbMK.bat
Size: 1KB
MD5: 76bdd5d90645d4d05142e52c32ba5691
SHA1: a7a8427a3333e9aa4bc4f1afe2003c30d489384c
SHA256: 872a7741ca7f2cac261346385be38b91a582ec26c4160472b7b8769da884a55d
SHA512: 083d71cae8b0eec7c31cfbca1f2b71ce20d7c3632ff345d154fa071348d4bef3e660abd3bd854470100e38ee4de967ba3814d1ee906e7299db20626c15fa8c1b
Malware Config
Extracted: bumblebee
Botnet: 2710vm
C2:
  23.106.160.141:443
  198.98.56.242:443
  104.244.77.61:443
Signatures
Blocklisted process makes network request (6 IoCs)
  flow  pid   Process
  2     1728  rundll32.exe
  3     1728  rundll32.exe
  4     1728  rundll32.exe
  5     1728  rundll32.exe
  6     1728  rundll32.exe
  7     1728  rundll32.exe
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid   Process
  1728  rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid  Process  procid_target
  PID 580 wrote to memory of 1728  580  cmd.exe  29
  PID 580 wrote to memory of 1728  580  cmd.exe  29
  PID 580 wrote to memory of 1728  580  cmd.exe  29
Processes
C:\Windows\system32\cmd.exe (depth 1)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\YBnruijYBbnbMK.bat"
  Suspicious use of WriteProcessMemory
  PID: 580
  C:\Windows\system32\rundll32.exe (depth 2)
    Command line: rundll32 vEzFDEkEeKmEBW.dll,AppLoad
    Blocklisted process makes network request
    Suspicious use of NtCreateThreadExHideFromDebugger
    PID: 1728
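The process tree and the extracted config above describe a compact loader chain: cmd.exe runs a batch file dropped in the user's AppData\Local\Temp, which launches rundll32.exe against a bare DLL name (so the DLL is resolved from the batch file's working directory rather than System32) with a non-standard export, and that rundll32 instance then talks to the three C2 endpoints on port 443. The script below is an added hunting example written for this page; it is not Triage code and not part of the sample. It implements that chain as a detection over constructed process-creation and network events modelled on the report (the PIDs, paths and C2 addresses are taken from the page; the parent PID 400, the benign rundll32 event and the unrelated 93.184.216.34 flow are made up for contrast). The KNOWN_GOOD_EXPORTS allowlist is an assumption to tune for your own estate.

```python
"""Hunt for the BumbleBee delivery chain shown in this Triage report:
cmd.exe running a .bat from the user temp dir -> rundll32.exe loading a
bare DLL name with an unusual export -> TLS connections to the extracted C2 set.
Added example, not Triage code; all telemetry below is constructed."""
import re
from dataclasses import dataclass

# IOCs taken from the report above
C2_ENDPOINTS = {"23.106.160.141:443", "198.98.56.242:443", "104.244.77.61:443"}
BAT_SHA256 = "872a7741ca7f2cac261346385be38b91a582ec26c4160472b7b8769da884a55d"

# Exports commonly seen with rundll32 in normal use; anything else loaded
# from a bare DLL name is worth a look (assumption: tune for your estate)
KNOWN_GOOD_EXPORTS = {"control_rundll", "shopenfolderandselectitems", "printuientry"}
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",\s]+)"?\s*,\s*([A-Za-z_#]\w*)', re.I)
TEMP_BAT_RE = re.compile(r'\\appdata\\local\\temp\\[^"\s]+\.bat\b', re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class NetEvent:
    pid: int
    dest: str  # "ip:port"


def parse_rundll32(cmdline: str):
    """Return (dll, export) for a rundll32 command line, or None if it is not one."""
    m = RUNDLL_RE.match(cmdline.strip())
    return (m.group(1), m.group(2)) if m else None


def is_bare_dll(dll: str) -> bool:
    """A DLL with no directory component is resolved through the DLL search
    path, so it is loaded from the caller's working directory, not System32."""
    return "\\" not in dll and "/" not in dll


def flag_rundll32_chain(events):
    """Return rundll32 events whose parent is cmd.exe executing a .bat from the
    user temp directory and which load a bare DLL with a non-allowlisted export."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        if not ev.image.lower().endswith("\\rundll32.exe"):
            continue
        parsed = parse_rundll32(ev.cmdline)
        parent = by_pid.get(ev.ppid)
        if parsed is None or parent is None:
            continue
        dll, export = parsed
        parent_is_temp_bat = (parent.image.lower().endswith("\\cmd.exe")
                              and TEMP_BAT_RE.search(parent.cmdline) is not None)
        if parent_is_temp_bat and is_bare_dll(dll) and export.lower() not in KNOWN_GOOD_EXPORTS:
            hits.append(ev)
    return hits


def find_c2_beacons(net_events):
    """Return (pid, dest) for every flow that hits an extracted C2 endpoint."""
    return [(n.pid, n.dest) for n in net_events if n.dest in C2_ENDPOINTS]


# Constructed telemetry modelled on the process tree and flows in the report
PROC_EVENTS = [
    ProcEvent(580, 400, r"C:\Windows\system32\cmd.exe",
              r'cmd /c "C:\Users\Admin\AppData\Local\Temp\YBnruijYBbnbMK.bat"'),
    ProcEvent(1728, 580, r"C:\Windows\system32\rundll32.exe",
              "rundll32 vEzFDEkEeKmEBW.dll,AppLoad"),
    ProcEvent(2000, 400, r"C:\Windows\system32\rundll32.exe",  # benign control panel launch
              "rundll32.exe shell32.dll,Control_RunDLL"),
]
NET_EVENTS = [
    NetEvent(1728, "23.106.160.141:443"),
    NetEvent(1728, "198.98.56.242:443"),
    NetEvent(2000, "93.184.216.34:443"),  # unrelated TLS traffic, should not match
]

if __name__ == "__main__":
    for ev in flag_rundll32_chain(PROC_EVENTS):
        print(f"suspicious rundll32 pid={ev.pid}: {ev.cmdline}")
    for pid, dest in find_c2_beacons(NET_EVENTS):
        print(f"C2 contact pid={pid} -> {dest}")
```

Two design points: the parent check keys on the .bat living under AppData\Local\Temp rather than on the file name, since the name is random per campaign, and the DLL check keys on the bare name plus an unknown export rather than on vEzFDEkEeKmEBW.dll or AppLoad specifically, so the same logic still fires when both are rotated. The C2 match is the brittle part and is only useful while those three endpoints stay live.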