Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    01/11/2022, 20:59

General

  • Target

    AxRHrzxRUiEjUG.bat

  • Size

    1KB

  • MD5

    02b5d8a62fd7a5418040d97f23e61b71

  • SHA1

    a532270410388c0a38c66b733c40be871014dbef

  • SHA256

    e42729d59278b7028d201e42f711d7da0690f3a1b9c52400c743a8fc403452cc

  • SHA512

    cab809df72d506d3502e6ba1b58964f8333caa18a2ba205354b2ded296fcab610c71b1c4b96dbe757b4a2d290a36dbb766877393539c7d5d469dd8325646bbfc

Score
10/10

Malware Config

Extracted

Family

bumblebee

Botnet

0111

C2

102.151.221.33:443

104.244.77.61:443

212.114.52.124:443

23.106.160.141:443

198.98.56.242:443

23.108.57.5:443

rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

  • Blocklisted process makes network request 6 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\AxRHrzxRUiEjUG.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Windows\system32\rundll32.exe
      rundll32 XzdVAVxwxRDMJS.dll,RemoveSettings
      2⤵
      • Blocklisted process makes network request
      • Suspicious use of NtCreateThreadExHideFromDebugger
      PID:2020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2020-55-0x0000000002020000-0x0000000002169000-memory.dmp

    Filesize

    1.3MB

  • memory/2020-56-0x0000000000410000-0x0000000000486000-memory.dmp

    Filesize

    472KB