Analysis
- max time kernel: 129s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 14/11/2022, 17:17
Static task
- static1

Behavioral tasks
- behavioral1: TA580_20221114.zip/DDmEtxgXtOVOLY.bat on win7-20220812-en
- behavioral2: TA580_20221114.zip/DDmEtxgXtOVOLY.bat on win10v2004-20220812-en
- behavioral3: TA580_20221114.zip/aGySCShDWxUsAj.dll on win7-20220812-en
- behavioral4: TA580_20221114.zip/aGySCShDWxUsAj.dll on win10v2004-20220901-en
- behavioral5: TA580_20221114.zip/project details.lnk on win7-20220812-en
General
- Target: TA580_20221114.zip/project details.lnk
- Size: 995B
- MD5: 36c88fc4dad628187c082ebd899d448e
- SHA1: 6e27840f65ed3cc3c2b7af6778219e8681e3ec7a
- SHA256: e420fc11b53ca2553521adf57668118b494cee687f54f64e79a5558f7a34c30f
- SHA512: 7709b7f348b56889a579da6b4efcc52d73372f3bcc4e0a93c721f6fb76540fc26f2f4aabad36385d291ef804e95efff9dc20bd7bc4e468117cfa29dd47ace6b5
Malware Config
Extracted: bumblebee
- ID: 1411
- C2: 107.189.13.247:443
- C2: 64.44.102.241:443
- C2: 54.37.130.24:443
Signatures
- Blocklisted process makes network request (5 IoCs)
  flow | pid | process
  1 | 836 | rundll32.exe
  3 | 836 | rundll32.exe
  4 | 836 | rundll32.exe
  5 | 836 | rundll32.exe
  6 | 836 | rundll32.exe
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid | process
  836 | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  (This is the sandbox's generic description for the TTP; the extracted config identifies this sample as the Bumblebee loader, not ransomware.)
- Suspicious use of WriteProcessMemory (6 IoCs)
  description | pid | process | procid_target
  PID 864 wrote to memory of 1780 | 864 | cmd.exe | 28
  PID 864 wrote to memory of 1780 | 864 | cmd.exe | 28
  PID 864 wrote to memory of 1780 | 864 | cmd.exe | 28
  PID 1780 wrote to memory of 836 | 1780 | cmd.exe | 29
  PID 1780 wrote to memory of 836 | 1780 | cmd.exe | 29
  PID 1780 wrote to memory of 836 | 1780 | cmd.exe | 29
Processes
- C:\Windows\system32\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\TA580_20221114.zip\project details.lnk"
  PID: 864
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c DDmEtxgXtOVOLY.bat
    PID: 1780
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\system32\rundll32.exe
      rundll32 aGySCShDWxUsAj.dll,LoadNode
      PID: 836
      Signatures: Blocklisted process makes network request; Suspicious use of NtCreateThreadExHideFromDebugger

Chain summary: the top-level cmd /c opens the shortcut (PID 864); the shortcut's target launches cmd.exe /c DDmEtxgXtOVOLY.bat (PID 1780), which runs rundll32 to call the LoadNode export of aGySCShDWxUsAj.dll (PID 836). PID 836 is the process that makes the blocklisted network requests, consistent with the Bumblebee C2 addresses in the extracted config. Note that the DLL is referenced by bare file name, so rundll32 resolves it from the working directory (the extracted zip), not from a system path.
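As an added example (not part of the tria.ge report), the following script shows how the chain above can be detected from process-creation and network-connection telemetry: it flags rundll32 that loads a DLL by bare file name with an explicit export when its parent chain is cmd.exe -> cmd.exe started from a .lnk, and matches outbound connections against the C2 list from the extracted config. The event records are constructed for this example and modelled on the PIDs and command lines in the report; the field names (type, pid, ppid, image, cmdline, dst, dport) are this script's own convention, not a real Sysmon or sandbox schema, and the benign rundll32 control record is invented.

```python
"""Detect the LNK -> cmd -> rundll32 loader chain and C2 contacts from this report.

Added example, not tria.ge output. Event records are constructed test data.
"""
import re

# Constructed event stream (not real telemetry): "proc" = process creation,
# "net" = outbound connection. PIDs and command lines mirror the report.
EVENTS = [
    {"type": "proc", "pid": 864, "ppid": 500, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\Admin\AppData\Local\Temp\TA580_20221114.zip\project details.lnk"'},
    {"type": "proc", "pid": 1780, "ppid": 864, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c DDmEtxgXtOVOLY.bat'},
    {"type": "proc", "pid": 836, "ppid": 1780, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32 aGySCShDWxUsAj.dll,LoadNode"},
    {"type": "net", "pid": 836, "dst": "107.189.13.247", "dport": 443},
    {"type": "net", "pid": 836, "dst": "54.37.130.24", "dport": 443},
    # Invented benign control: rundll32 with a full system path and a known export,
    # started directly by the shell (ppid 500), plus an unrelated connection.
    {"type": "proc", "pid": 2000, "ppid": 500, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"},
    {"type": "net", "pid": 2000, "dst": "93.184.216.34", "dport": 443},
]

# C2 endpoints from the extracted Bumblebee config on this page.
C2 = {("107.189.13.247", 443), ("64.44.102.241", 443), ("54.37.130.24", 443)}

# rundll32 invoked with a DLL given by bare file name (no drive, directory or
# quotes), i.e. resolved relative to the working directory, followed by an export.
BARE_DLL_EXPORT = re.compile(r"^rundll32(?:\.exe)?\s+([^\\/:\s\"]+\.dll),(\w+)", re.I)


def index_procs(events):
    """Map pid -> process-creation record."""
    return {e["pid"]: e for e in events if e["type"] == "proc"}


def ancestry(procs, pid, depth=3):
    """Image basenames of pid and its ancestors, nearest first, up to depth entries."""
    chain = []
    while pid in procs and len(chain) < depth:
        chain.append(procs[pid]["image"].rsplit("\\", 1)[-1].lower())
        pid = procs[pid]["ppid"]
    return chain


def detect_loader_chain(events):
    """Return (pid, dll, export) for rundll32 loading a bare-name DLL export
    whose parent and grandparent are cmd.exe, with the grandparent opening a .lnk."""
    procs = index_procs(events)
    hits = []
    for p in procs.values():
        m = BARE_DLL_EXPORT.match(p["cmdline"])
        if not m:
            continue
        if ancestry(procs, p["pid"]) != ["rundll32.exe", "cmd.exe", "cmd.exe"]:
            continue
        grandparent = procs[procs[p["ppid"]]["ppid"]]
        if ".lnk" in grandparent["cmdline"].lower():
            hits.append((p["pid"], m.group(1), m.group(2)))
    return hits


def detect_c2_contacts(events):
    """Return (pid, dst, port) for every connection to an extracted C2 endpoint."""
    return [(e["pid"], e["dst"], e["dport"]) for e in events
            if e["type"] == "net" and (e["dst"], e["dport"]) in C2]


if __name__ == "__main__":
    for pid, dll, export in detect_loader_chain(EVENTS):
        print(f"loader chain: pid {pid} rundll32 {dll},{export}")
    for pid, dst, port in detect_c2_contacts(EVENTS):
        print(f"C2 contact: pid {pid} -> {dst}:{port}")
```

The chain check keys on the bare DLL name plus the cmd.exe -> cmd.exe -> rundll32 ancestry rather than on the specific file names, so renamed batch and DLL files in a later wave still match; the C2 match is the narrow, hash-like indicator and should be treated as such.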