Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • submitted
    22/11/2024, 03:48 UTC

General

  • Target

    Acrobat_DC_x64_VIP_v10.12.msi

  • Size

    2.7MB

  • MD5

    b9632555b2c19b9182cab9c098c22d8e

  • SHA1

    100d612540c51413141f52c3888114cddb76e9a0

  • SHA256

    1164b944f47a9701ddd682f59c60425faed350647e3f9e562e1abc140a89c7f2

  • SHA512

    b90b26af09115c4ad37f5cb40135de51835ccffbd666168934062fb587a9111fa535e21c1e231aed76a5e871d63a9f71b686367defed3d584f6d76f75e5acb52

  • SSDEEP

    49152:/O05mqQDiCjwnwVv+i2MF/NtSftHFDSy4dx21N+NfSf/wXoCBBUQZcUJ8+mp3gi/:/rABiCjwnwVmGF1t6R1j4dx8Njf/w4C2

Malware Config

Extracted

Family

bumblebee

Botnet

138704

Attributes
  • dga

    45urhm0ldgxb.live

    gx6xly9rp6vl.live

    zv46ga4ntybq.live

    7n1hfolmrnbl.live

    vivh2xlt9i6q.live

    97t3nh4kk510.live

    kbkdtwucfl40.live

    qk6a1ahb63uz.live

    whko7loy7h5z.live

    dad1zg44n0bn.live

    7xwz4hw8dts9.live

    ovekd5n3gklq.live

    amwnef8mjo4v.live

    e7ivqfhnss0x.live

    rjql4nicl6bg.live

    4mo318kk29i4.live

    zpo18lm8vg1x.live

    jc51pt290y0n.live

    rg26t2dc4hf4.live

    qw9a58vunuja.live

    ugm94zjzl5nl.live

    mckag832orba.live

    pdw0v9voxlxr.live

    m4tx2apfmoxo.live

    n2uc737ef71m.live

    hkk3112645hz.live

    ugko9g5ipa4o.live

    8wgq2x4dybx9.live

    h81fx7sj8srr.live

    a4tgoqi1cm8x.live

  • dga_seed

    7834006444057268685

  • domain_length

    12

  • num_dga_domains

    300

  • port

    443

  • rc4.plain

    NEW_BLACK

Signatures

  • BumbleBee

    BumbleBee is loader malware written in C++.

  • Bumblebee family
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 3 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Acrobat_DC_x64_VIP_v10.12.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3024
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:404
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:1416
      • C:\Windows\system32\rundll32.exe
        "rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\qpgEZsswIP.dll",DllRegisterServer
        2⤵
        • Loads dropped DLL
        PID:2532
      • C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe
        "C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3172
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:1344

    Network

    • US
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • US
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      104.219.191.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      104.219.191.52.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      23.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      23.159.190.20.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      97.17.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      97.17.167.52.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      84.162.74.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      84.162.74.23.in-addr.arpa
      IN PTR
      Response
      84.162.74.23.in-addr.arpa
      IN PTR
      a23-74-162-84.deploy.static.akamaitechnologies.com
    • US
      DNS
      use.typekit.net
      Reader_Install_Setup.exe
      Remote address:
      8.8.8.8:53
      Request
      use.typekit.net
      IN A
      Response
      use.typekit.net
      IN CNAME
      use-stls.adobe.com.edgesuite.net
      use-stls.adobe.com.edgesuite.net
      IN CNAME
      a1988.dscg1.akamai.net
      a1988.dscg1.akamai.net
      IN A
      23.56.238.58
      a1988.dscg1.akamai.net
      IN A
      23.56.238.83
    • GB
      GET
      https://use.typekit.net/bxf0ivf.js
      Reader_Install_Setup.exe
      Remote address:
      23.56.238.58:443
      Request
      GET /bxf0ivf.js HTTP/1.1
      Accept: */*
      Accept-Language: en-US
      Accept-Encoding: gzip, deflate
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
      Host: use.typekit.net
      Connection: Keep-Alive
      Response
      HTTP/1.1 200 OK
      Server: nginx
      Content-Type: text/javascript;charset=utf-8
      Vary: Accept-Encoding
      Strict-Transport-Security: max-age=31536000; includeSubDomains;
      Timing-Allow-Origin: *
      Access-Control-Allow-Origin: *
      Cross-Origin-Resource-Policy: cross-origin
      Content-Encoding: gzip
      Content-Length: 6811
      Date: Fri, 22 Nov 2024 03:49:12 GMT
      Connection: keep-alive
    • US
      DNS
      58.238.56.23.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.238.56.23.in-addr.arpa
      IN PTR
      Response
      58.238.56.23.in-addr.arpa
      IN PTR
      a23-56-238-58.deploy.static.akamaitechnologies.com
    • US
      DNS
      212.20.149.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      212.20.149.52.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      241.42.69.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.42.69.40.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      83.121.18.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      83.121.18.2.in-addr.arpa
      IN PTR
      Response
      83.121.18.2.in-addr.arpa
      IN PTR
      a2-18-121-83.deploy.static.akamaitechnologies.com
    • US
      DNS
      29.243.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      29.243.111.52.in-addr.arpa
      IN PTR
      Response
    • US
      DNS
      209.143.182.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      209.143.182.52.in-addr.arpa
      IN PTR
      Response
    • 23.56.238.58:443
      https://use.typekit.net/bxf0ivf.js
      tls, http
      Reader_Install_Setup.exe
      1.6kB
      13.1kB
      20
      17

      HTTP Request

      GET https://use.typekit.net/bxf0ivf.js

      HTTP Response

      200
    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      104.219.191.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      104.219.191.52.in-addr.arpa

    • 8.8.8.8:53
      23.159.190.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      23.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      97.17.167.52.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      97.17.167.52.in-addr.arpa

    • 8.8.8.8:53
      84.162.74.23.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      84.162.74.23.in-addr.arpa

    • 8.8.8.8:53
      use.typekit.net
      dns
      Reader_Install_Setup.exe
      61 B
      169 B
      1
      1

      DNS Request

      use.typekit.net

      DNS Response

      23.56.238.58
      23.56.238.83

    • 8.8.8.8:53
      58.238.56.23.in-addr.arpa
      dns
      71 B
      135 B
      1
      1

      DNS Request

      58.238.56.23.in-addr.arpa

    • 8.8.8.8:53
      212.20.149.52.in-addr.arpa
      dns
      72 B
      146 B
      1
      1

      DNS Request

      212.20.149.52.in-addr.arpa

    • 8.8.8.8:53
      241.42.69.40.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      241.42.69.40.in-addr.arpa

    • 8.8.8.8:53
      83.121.18.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      83.121.18.2.in-addr.arpa

    • 8.8.8.8:53
      29.243.111.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      29.243.111.52.in-addr.arpa

    • 8.8.8.8:53
      209.143.182.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      209.143.182.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15


    Downloads

    • C:\Config.Msi\e5850cc.rbs

      Filesize

      8KB

      MD5

      9489260459ff77e479047fd8950865fc

      SHA1

      f7dd642f2fe6f53de0df6f6df9b7ac252594e32f

      SHA256

      34bd8e57c838d695a4ec7629342ac20dca8f15c159f192b612aca085ce6d7c0e

      SHA512

      d3ab26959c5818efc7f8574afba0da24247afc097844a5075d5d78bfcf62666d81358e13fe77b30c031598de2f22f40254bfcf71faaecc2fdfec73374fcabb8b

    • C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\Reader_Install_Setup.exe

      Filesize

      1.4MB

      MD5

      e4e96d377207c990295577e0ebd93f79

      SHA1

      6c6ed98b484f8a1a145ebe7d900df36fb4abc931

      SHA256

      ac6311039d5bfe719198c15577d3ee870185529f9510f5c0ddc066f1c8d8c462

      SHA512

      3db14a6f3dfa2e2768b1c25a65bc6f48c5dc763d80fee576cd7d0b21f3ecdcd25c0096b10c947f6b24999c23df75709604a4dc0fd1d894cdb1b9a556e1e6eaf7

    • C:\Users\Admin\AppData\Local\Temp\Package Installation Dir\qpgEZsswIP.dll

      Filesize

      2.3MB

      MD5

      3cf367e01d074e622e14c36fe1685c0a

      SHA1

      f9b347b843f438564e606a7d3e273659e0fb7cc7

      SHA256

      2cb0aea0f3dfe49b99f5f7a0e6f6020413c916e4a21d05d2df1cca3de3e7e91d

      SHA512

      4033d7e17e673ec67947367fed5f5992d578b61a0da0d24743d03ab0e1bf17f26bce7f80d5b0d23f87736e3d8c429fd4420bec708c295d81d125700bbf4ab3a9

    • C:\Windows\Installer\e5850cb.msi

      Filesize

      2.7MB

      MD5

      b9632555b2c19b9182cab9c098c22d8e

      SHA1

      100d612540c51413141f52c3888114cddb76e9a0

      SHA256

      1164b944f47a9701ddd682f59c60425faed350647e3f9e562e1abc140a89c7f2

      SHA512

      b90b26af09115c4ad37f5cb40135de51835ccffbd666168934062fb587a9111fa535e21c1e231aed76a5e871d63a9f71b686367defed3d584f6d76f75e5acb52

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      24.1MB

      MD5

      612689c954f7d4e96aa1c7f172a5d733

      SHA1

      c14822499b5435f215b0d7c573d6ff80ba2d09ab

      SHA256

      86c938a56176d0864a57ee8417648ccd984f65eb2e2dcee8c351e5976dd8a1fb

      SHA512

      bf50ba232eb0ba9b52fc6cee57b9e823ce828b006aa5671bae1f63bf8b3b6b8dcbebef976befd66a90781f2a2cb0c676b0e89b570efc18e8977dd2f98e43f92b

    • \??\Volume{612d9cf5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ed36143a-5dfb-47a3-baac-d026ed2e7fb9}_OnDiskSnapshotProp

      Filesize

      6KB

      MD5

      f9823c999957e1125a930031f883655b

      SHA1

      886973a3e6202cb5f56e7587cae5d8b67691dd2c

      SHA256

      edf4b6f0c89f00334edd01545c0a1a87a85762efdbc03adb8f7aed1466a5cb1f

      SHA512

      af77902d866fb7322038ebb4855a538ff7991d9ca02c8c44d1c66d88cd9b9ee8f959942f8e8d699d5e940f5f829d765e7bb59b98953f4b798caf8bd094e640ca

    • memory/2532-33-0x0000027409670000-0x000002740988E000-memory.dmp

      Filesize

      2.1MB

    • memory/2532-34-0x0000027409670000-0x000002740988E000-memory.dmp

      Filesize

      2.1MB

    • memory/2532-39-0x0000027409670000-0x000002740988E000-memory.dmp

      Filesize

      2.1MB

    • memory/3172-25-0x0000000000B10000-0x0000000000F55000-memory.dmp

      Filesize

      4.3MB

    • memory/3172-40-0x0000000000B10000-0x0000000000F55000-memory.dmp

      Filesize

      4.3MB
