Analysis
max time kernel: 144s
max time network: 151s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 01/11/2022, 20:59
Static task: static1
Behavioral task: behavioral1 (Sample: AxRHrzxRUiEjUG.bat, Resource: win7-20220901-en)
Behavioral task: behavioral2 (Sample: AxRHrzxRUiEjUG.bat, Resource: win10v2004-20220812-en)
Behavioral task: behavioral3 (Sample: XzdVAVxwxRDMJS.dll, Resource: win7-20220901-en)
Behavioral task: behavioral4 (Sample: XzdVAVxwxRDMJS.dll, Resource: win10v2004-20220812-en)
Behavioral task: behavioral5 (Sample: required info.lnk, Resource: win7-20220812-en)
General
Target: AxRHrzxRUiEjUG.bat
Size: 1KB
MD5: 02b5d8a62fd7a5418040d97f23e61b71
SHA1: a532270410388c0a38c66b733c40be871014dbef
SHA256: e42729d59278b7028d201e42f711d7da0690f3a1b9c52400c743a8fc403452cc
SHA512: cab809df72d506d3502e6ba1b58964f8333caa18a2ba205354b2ded296fcab610c71b1c4b96dbe757b4a2d290a36dbb766877393539c7d5d469dd8325646bbfc
Malware Config
Extracted
bumblebee
0111
102.151.221.33:443
104.244.77.61:443
212.114.52.124:443
23.106.160.141:443
198.98.56.242:443
23.108.57.5:443
Signatures
Blocklisted process makes network request (6 IoCs)
  flow  pid   Process
  1     2020  rundll32.exe
  3     2020  rundll32.exe
  4     2020  rundll32.exe
  5     2020  rundll32.exe
  6     2020  rundll32.exe
  7     2020  rundll32.exe

Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid   Process
  2020  rundll32.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process  procid_target
  PID 1184 wrote to memory of 2020  1184  cmd.exe  28
  PID 1184 wrote to memory of 2020  1184  cmd.exe  28
  PID 1184 wrote to memory of 2020  1184  cmd.exe  28
Processes
C:\Windows\system32\cmd.exe
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\AxRHrzxRUiEjUG.bat"
  PID: 1184
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\rundll32.exe
    Command line: rundll32 XzdVAVxwxRDMJS.dll,RemoveSettings
    PID: 2020
    - Blocklisted process makes network request
    - Suspicious use of NtCreateThreadExHideFromDebugger