Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 131s
max time network: 135s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64, arch:x86, image:win7-20230831-en, locale:en-us, os:windows7-x64, system
submitted: 14/09/2023, 07:43
Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: hk1c9y18em.dll
  Resource: win7-20230831-en
  3 signatures, 150 seconds
General
Target: hk1c9y18em.dll
Size: 1.1MB
MD5: b7c42a2f6443f7efb2f005b05040a40a
SHA1: 66e3ecc673fbb77c697a3b178a7458617de3d227
SHA256: 8e04a2048e545d0faaf5d1e1c995c7b9529751e378b75c41f80c6682bd84e5aa
SHA512: fb802bb1fbffdadc38d0bf373a868deaa03a701d079715f3261f68e7c8f77881134f4bc8154bc68b8688d2f3711e6a6c382f0e64929c9bd1715ff2aee2b49aef
SSDEEP: 24576:E40kaG+iDe5cMQW7v7+KIUC/ofj1fpLgN:E40kd+35cMv
Malware Config
Extracted
Family: bumblebee
Botnet: js1
rc4.plain
Signatures
Suspicious use of NtCreateThreadExHideFromDebugger (2 IoCs)
  pid    Process
  2812   regsvr32.exe
  2968   rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  description                          pid    Process    procid_target
  PID 2592 wrote to memory of 2968     2592   cmd.exe    34
  PID 2592 wrote to memory of 2968     2592   cmd.exe    34
  PID 2592 wrote to memory of 2968     2592   cmd.exe    34
Processes
C:\Windows\system32\regsvr32.exe (PID 2812)
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\hk1c9y18em.dll
  - Suspicious use of NtCreateThreadExHideFromDebugger
C:\Windows\system32\verclsid.exe (PID 2496)
  "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
C:\Windows\system32\cmd.exe (PID 2592)
  "cmd.exe" /s /k pushd "C:\Users\Admin\AppData\Local\Temp"
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\system32\rundll32.exe (PID 2968)
      rundll32 hk1c9y18em.dll,DllRegisterServer
      - Suspicious use of NtCreateThreadExHideFromDebugger
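The process tree and signature tables above describe three behaviours a detection engineer would want rules for: a DLL in the user's Temp directory loaded by regsvr32 and, after a cmd.exe pushd into that directory, by rundll32 calling its DllRegisterServer export; a parent (cmd.exe) writing into the child it just spawned; and threads created with the NtCreateThreadEx HIDE_FROM_DEBUGGER flag. The Python below is an added example, not part of the tria.ge report or its signature engine. It transcribes the report's events into constructed Sysmon-style records (the field names, rule names and the placeholder parent PID 1000 are this example's own assumptions) and runs those rules over them.

```python
"""Added example: replay the behaviours the tria.ge report attributes to
hk1c9y18em.dll as constructed Sysmon-style records and run simple detection
rules over them.  Field names, rule names and PID 1000 (a stand-in for the
unknown launcher) are this example's own, not tria.ge's schema."""
import re
from typing import Dict, List, Tuple

# NtCreateThreadEx creation flag behind the report's "HideFromDebugger" signature.
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x00000004

# Constructed events transcribed from the report's process tree and IoC tables.
EVENTS: List[Dict] = [
    {"type": "process_create", "pid": 2812, "ppid": 1000, "image": r"C:\Windows\system32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\hk1c9y18em.dll"},
    {"type": "process_create", "pid": 2496, "ppid": 1000, "image": r"C:\Windows\system32\verclsid.exe",
     "cmdline": r'"C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} '
                r'/I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401'},
    {"type": "process_create", "pid": 2592, "ppid": 1000, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"cmd.exe" /s /k pushd "C:\Users\Admin\AppData\Local\Temp"'},
    {"type": "process_create", "pid": 2968, "ppid": 2592, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32 hk1c9y18em.dll,DllRegisterServer"},
    {"type": "write_process_memory", "pid": 2592, "target_pid": 2968},
    {"type": "create_thread", "pid": 2812, "flags": THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER},
    {"type": "create_thread", "pid": 2968, "flags": THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER},
    {"type": "create_thread", "pid": 2496, "flags": 0},  # ordinary thread; must not fire
]

USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
DLL_ARG = re.compile(r'([^\s",]+\.dll)', re.IGNORECASE)       # first DLL token on the command line
RUNDLL_EXPORT = re.compile(r"\.dll,(\w+)", re.IGNORECASE)     # rundll32 <dll>,<export>
PUSHD = re.compile(r'pushd\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def resolve_dll(dll: str, parent_cmdline: str) -> str:
    """A bare DLL name is resolved against a directory the parent set with
    pushd; that is how the report's rundll32 finds hk1c9y18em.dll in Temp."""
    if "\\" in dll:
        return dll
    m = PUSHD.search(parent_cmdline)
    return m.group(1).rstrip("\\") + "\\" + dll if m else dll


def detect(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule, pid) hits in event order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    hits: List[Tuple[str, int]] = []
    for e in events:
        if e["type"] == "process_create":
            image = e["image"].lower()
            if image.endswith(("regsvr32.exe", "rundll32.exe")):
                parent_cmd = procs.get(e["ppid"], {}).get("cmdline", "")
                m = DLL_ARG.search(e["cmdline"])
                if m and USER_TEMP.search(resolve_dll(m.group(1), parent_cmd)):
                    hits.append(("dll_loaded_from_user_temp", e["pid"]))
                x = RUNDLL_EXPORT.search(e["cmdline"])
                if image.endswith("rundll32.exe") and x and x.group(1).lower() == "dllregisterserver":
                    hits.append(("rundll32_dllregisterserver", e["pid"]))
        elif e["type"] == "write_process_memory":
            src, dst = procs.get(e["pid"]), procs.get(e["target_pid"])
            if src and dst and dst["ppid"] == src["pid"] and src["image"].lower().endswith("cmd.exe"):
                hits.append(("cmd_writes_into_child", e["target_pid"]))
        elif e["type"] == "create_thread":
            if e["flags"] & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER:
                hits.append(("thread_hidden_from_debugger", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32} pid={pid}")
```

The cmd_writes_into_child rule fires on almost every parent/child pair, because process creation itself writes the new process's parameters into the child before it starts; treat it as corroboration for the other hits rather than an alert on its own. The hidden-thread flag and a DLL loaded from a user-writable Temp directory through a signed Windows loader are the signals worth paging on.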