Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

TA580_2022...LY.bat

windows7-x64

10

TA580_2022...LY.bat

windows10-2004-x64

10

TA580_2022...Aj.dll

windows7-x64

10

TA580_2022...Aj.dll

windows10-2004-x64

10

TA580_2022...ls.lnk

windows7-x64

10

TA580_2022...ls.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    129s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    14/11/2022, 17:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TA580_20221114.zip/project details.lnk

  • Size

    995B

  • MD5

    36c88fc4dad628187c082ebd899d448e

  • SHA1

    6e27840f65ed3cc3c2b7af6778219e8681e3ec7a

  • SHA256

    e420fc11b53ca2553521adf57668118b494cee687f54f64e79a5558f7a34c30f

  • SHA512

    7709b7f348b56889a579da6b4efcc52d73372f3bcc4e0a93c721f6fb76540fc26f2f4aabad36385d291ef804e95efff9dc20bd7bc4e468117cfa29dd47ace6b5

Score
10/10
bumblebee1411trojan

Malware Config

Extracted

Family

bumblebee

Botnet

1411

C2

107.189.13.247:443

64.44.102.241:443

54.37.130.24:443
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Blocklisted process makes network request 5 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\TA580_20221114.zip\project details.lnk"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c DDmEtxgXtOVOLY.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1780
      • C:\Windows\system32\rundll32.exe
        rundll32 aGySCShDWxUsAj.dll,LoadNode
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        PID:836

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/836-93-0x0000000001F50000-0x0000000002099000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/836-94-0x0000000001C70000-0x0000000001CE8000-memory.dmp

    Filesize

    480KB

    Download

  • memory/864-54-0x000007FEFB931000-0x000007FEFB933000-memory.dmp

    Filesize

    8KB

    Download