Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

cfgtbvh.exe

windows10-2004-x64

10

Resubmissions

05/04/2023, 07:25

230405-h87mfaed2x 10

04/04/2023, 22:20

230404-183btscc4v 10

Analysis

  • max time kernel
    1800s
  • max time network
    1796s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/04/2023, 07:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cfgtbvh.exe

  • Size

    237KB

  • MD5

    51b3cddd75069bda9deb36fd539442e2

  • SHA1

    a5183c20f329a3ea3726ce2c8300b0f2654ab531

  • SHA256

    f0098ef0f31aa50b097bfb3ac7e420c518a697394a0ffed54640a55045263fa9

  • SHA512

    50e78682a53f0ef631e7faaf2892057b35e5895afee8d8520f2a3a49f99e239912bef67e8ebe70b099528b5a1753a06aad0675bc3dec64b9a2e7b605ced2d06c

  • SSDEEP

    6144:DL3v+mWnRzxvqRYwqgft1rSVsMAdaV/BaW:D7v+myRtqRYRgX20di/F

Score
10/10
bumblebeerhadamanthyssmokeloaderinstpub4BumbleBeebackdoorcollectionstealertrojan

Malware Config

Extracted

Family

smokeloader

Botnet

pub4

Extracted

Family

smokeloader

Version

2022

C2

http://aapu.at/tmp/

http://poudineh.com/tmp/

http://firsttrusteedrx.ru/tmp/

http://kingpirate.ru/tmp/
rc4.i32
rc4.i32

Extracted

Family

bumblebee

Botnet

inst

C2

194.15.216.247:443

23.106.215.141:443

104.168.244.96:443

51.83.255.85:443

192.119.81.86:443
rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a webshell malware written in C++.

    trojanbumblebee
  • Detect rhadamanthys stealer shellcode 4 IoCs
  • Detects win.bumblebee. 3 IoCs

    Detects BumbleBee Payload.

    BumbleBee
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cfgtbvh.exe
    "C:\Users\Admin\AppData\Local\Temp\cfgtbvh.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1680
  • C:\Users\Admin\AppData\Local\Temp\CC4D.exe
    C:\Users\Admin\AppData\Local\Temp\CC4D.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4672
    • C:\Windows\system32\dllhost.exe
      "C:\Windows\system32\dllhost.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Checks processor information in registry
      • outlook_office_path
      • outlook_win_path
      PID:1932
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4672 -s 728
      2⤵
      • Program crash
      PID:2332
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4672 -ip 4672
    1⤵
      PID:5080
    • C:\Users\Admin\AppData\Local\Temp\3693.exe
      C:\Users\Admin\AppData\Local\Temp\3693.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of NtCreateThreadExHideFromDebugger
      PID:2468
    • C:\Users\Admin\AppData\Roaming\gvafvhc
      C:\Users\Admin\AppData\Roaming\gvafvhc
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:2500
    • C:\Users\Admin\AppData\Roaming\gvafvhc
      C:\Users\Admin\AppData\Roaming\gvafvhc
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:4060
    • C:\Users\Admin\AppData\Roaming\gvafvhc
      C:\Users\Admin\AppData\Roaming\gvafvhc
      1⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:2748

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\3693.exe
      Filesize

      1.6MB

      MD5

      1eb4bd24c3d02a38a333eaeee4b9b49d

      SHA1

      3c85c03088b07bfcbbe969af0cbdde9bd26e69d8

      SHA256

      35f2ec59313bbe5b78e4b043f06f8961f6f3e77b870544d15ee7cc1fca987d8c

      SHA512

      3581aa74972f21bf22191181a9db68ec6db1071b153ee4a40519129b34c6be3cdbe32e3a65d4ad64f20bd224fb2d2f91e72139b250b69a0c80456f80a3c2cff5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\3693.exe
      Filesize

      1.6MB

      MD5

      1eb4bd24c3d02a38a333eaeee4b9b49d

      SHA1

      3c85c03088b07bfcbbe969af0cbdde9bd26e69d8

      SHA256

      35f2ec59313bbe5b78e4b043f06f8961f6f3e77b870544d15ee7cc1fca987d8c

      SHA512

      3581aa74972f21bf22191181a9db68ec6db1071b153ee4a40519129b34c6be3cdbe32e3a65d4ad64f20bd224fb2d2f91e72139b250b69a0c80456f80a3c2cff5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CC4D.exe
      Filesize

      273KB

      MD5

      9cd6224b6ba301601ffe3fee81c5e287

      SHA1

      7579d8bc7349029572179f446aa0851bcdd99a97

      SHA256

      4ae5240ae6b5a8d2cdea30394ed31319bbd703e906b6ecdf009769d8defcd9d8

      SHA512

      6d50408beaef63dc159be894c38572b54fe92a78c41ea1eb6556e34af2332a391e5d5a8c8d1264656e4e4af06c84c9e3c093d6d232795ccdd6a735f4c10cb758

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CC4D.exe
      Filesize

      273KB

      MD5

      9cd6224b6ba301601ffe3fee81c5e287

      SHA1

      7579d8bc7349029572179f446aa0851bcdd99a97

      SHA256

      4ae5240ae6b5a8d2cdea30394ed31319bbd703e906b6ecdf009769d8defcd9d8

      SHA512

      6d50408beaef63dc159be894c38572b54fe92a78c41ea1eb6556e34af2332a391e5d5a8c8d1264656e4e4af06c84c9e3c093d6d232795ccdd6a735f4c10cb758

      Download Submit

    • C:\Users\Admin\AppData\Roaming\gvafvhc
      Filesize

      237KB

      MD5

      51b3cddd75069bda9deb36fd539442e2

      SHA1

      a5183c20f329a3ea3726ce2c8300b0f2654ab531

      SHA256

      f0098ef0f31aa50b097bfb3ac7e420c518a697394a0ffed54640a55045263fa9

      SHA512

      50e78682a53f0ef631e7faaf2892057b35e5895afee8d8520f2a3a49f99e239912bef67e8ebe70b099528b5a1753a06aad0675bc3dec64b9a2e7b605ced2d06c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\gvafvhc
      Filesize

      237KB

      MD5

      51b3cddd75069bda9deb36fd539442e2

      SHA1

      a5183c20f329a3ea3726ce2c8300b0f2654ab531

      SHA256

      f0098ef0f31aa50b097bfb3ac7e420c518a697394a0ffed54640a55045263fa9

      SHA512

      50e78682a53f0ef631e7faaf2892057b35e5895afee8d8520f2a3a49f99e239912bef67e8ebe70b099528b5a1753a06aad0675bc3dec64b9a2e7b605ced2d06c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\gvafvhc
      Filesize

      237KB

      MD5

      51b3cddd75069bda9deb36fd539442e2

      SHA1

      a5183c20f329a3ea3726ce2c8300b0f2654ab531

      SHA256

      f0098ef0f31aa50b097bfb3ac7e420c518a697394a0ffed54640a55045263fa9

      SHA512

      50e78682a53f0ef631e7faaf2892057b35e5895afee8d8520f2a3a49f99e239912bef67e8ebe70b099528b5a1753a06aad0675bc3dec64b9a2e7b605ced2d06c

      Download Submit

    • C:\Users\Admin\AppData\Roaming\gvafvhc
      Filesize

      237KB

      MD5

      51b3cddd75069bda9deb36fd539442e2

      SHA1

      a5183c20f329a3ea3726ce2c8300b0f2654ab531

      SHA256

      f0098ef0f31aa50b097bfb3ac7e420c518a697394a0ffed54640a55045263fa9

      SHA512

      50e78682a53f0ef631e7faaf2892057b35e5895afee8d8520f2a3a49f99e239912bef67e8ebe70b099528b5a1753a06aad0675bc3dec64b9a2e7b605ced2d06c

      Download Submit

    • memory/1680-134-0x0000000000A80000-0x0000000000A89000-memory.dmp

      Filesize

      36KB

      Download

    • memory/1680-136-0x0000000000400000-0x00000000007EF000-memory.dmp

      Filesize

      3.9MB

      Download

    • memory/1932-155-0x000001DDAC6C0000-0x000001DDAC6C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1932-162-0x00007FF4918F0000-0x00007FF4919EA000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/1932-165-0x00007FF4918F0000-0x00007FF4919EA000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/1932-157-0x000001DDAC9D0000-0x000001DDAC9D7000-memory.dmp

      Filesize

      28KB

      Download

    • memory/1932-158-0x00007FF4918F0000-0x00007FF4919EA000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/1932-159-0x00007FF4918F0000-0x00007FF4919EA000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/1932-164-0x00007FF4918F0000-0x00007FF4919EA000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/1932-163-0x00007FF4918F0000-0x00007FF4919EA000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/2468-174-0x000001C863160000-0x000001C8632C1000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2468-176-0x000001C862F60000-0x000001C862FF2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2468-172-0x000001C863160000-0x000001C8632C1000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2468-175-0x000001C863160000-0x000001C8632C1000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/2500-178-0x0000000000400000-0x00000000007EF000-memory.dmp

      Filesize

      3.9MB

      Download

    • memory/2748-194-0x0000000000400000-0x00000000007EF000-memory.dmp

      Filesize

      3.9MB

      Download

    • memory/3248-191-0x0000000007FB0000-0x0000000007FC6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/3248-135-0x00000000010E0000-0x00000000010F6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/3248-184-0x0000000001090000-0x00000000010A6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/3248-177-0x0000000008870000-0x0000000008886000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4060-187-0x0000000000400000-0x00000000007EF000-memory.dmp

      Filesize

      3.9MB

      Download

    • memory/4672-153-0x0000000000640000-0x0000000000642000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4672-148-0x0000000000400000-0x00000000004B3000-memory.dmp

      Filesize

      716KB

      Download

    • memory/4672-151-0x0000000002000000-0x000000000201C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4672-147-0x0000000000530000-0x000000000055E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4672-152-0x0000000002000000-0x000000000201C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4672-161-0x0000000002000000-0x000000000201C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4672-154-0x0000000002000000-0x000000000201C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/4672-156-0x0000000002040000-0x0000000002042000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4672-160-0x0000000000400000-0x00000000004B3000-memory.dmp

      Filesize

      716KB

      Download