Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240903-en -
submitted
05/12/2024, 03:10 UTC
General
-
Target
b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8.msi
-
Size
4.7MB
-
MD5
e63911bf851f892bab6d3933349a987e
-
SHA1
c3f5bd1aca61bd086f1aea3e4b86419a836888ce
-
SHA256
b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8
-
SHA512
f00874b37580152bbb563b29763212de0452e8117f54e4199150cb8cebf3f4d8d1c31ed28d896b7b0cbb63c17e8847019ed76b53f7c0ae07021527705e1af17c
-
SSDEEP
49152:37Vh102T9dhkuqES58NtvUoBV0Sccd2b5+pnQ2fP1r8+/J4OV7AEqj7D4Uv6ZCOX:37VTVkufFN0ScaruSmHR9vaXZTUa3vg
Score
10/10
Malware Config
Extracted
Family
bumblebee
Botnet
1
Attributes
-
dga
45urhm0ldgxb.live
gx6xly9rp6vl.live
zv46ga4ntybq.live
7n1hfolmrnbl.live
vivh2xlt9i6q.live
97t3nh4kk510.live
kbkdtwucfl40.live
qk6a1ahb63uz.live
whko7loy7h5z.live
dad1zg44n0bn.live
7xwz4hw8dts9.live
ovekd5n3gklq.live
amwnef8mjo4v.live
e7ivqfhnss0x.live
rjql4nicl6bg.live
4mo318kk29i4.live
zpo18lm8vg1x.live
jc51pt290y0n.live
rg26t2dc4hf4.live
qw9a58vunuja.live
ugm94zjzl5nl.live
mckag832orba.live
pdw0v9voxlxr.live
m4tx2apfmoxo.live
n2uc737ef71m.live
hkk3112645hz.live
ugko9g5ipa4o.live
8wgq2x4dybx9.live
h81fx7sj8srr.live
a4tgoqi1cm8x.live
-
dga_seed
7834006444057268685
-
domain_length
12
-
num_dga_domains
300
-
port
443
rc4.plain
1
NEW_BLACK
Signatures
-
BumbleBee
BumbleBee is a loader malware written in C++.
-
Bumblebee family
-
Blocklisted process makes network request 15 IoCs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 11 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 14 IoCs
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 43 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b8794c9251e2c6fbb96c458a5e1821ddd029335933dfbb03efa7db63673562e8.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 1C1B6E52A724F456A5A8D7AA9154AD89 C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Cisco Systems\Cisco Anyconnect\prerequisites\Cisco Installer\AnyConnect Installer.exe"C:\Users\Admin\AppData\Roaming\Cisco Systems\Cisco Anyconnect\prerequisites\Cisco Installer\AnyConnect Installer.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2056 -s 6284⤵
-
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 33DFC9A4155955347D1D32F181890FB52⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\MsiExec.exe"C:\Windows\system32\MsiExec.exe" /Y "C:\Users\Admin\AppData\Roaming\BmgqLbJUHL.dll"2⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000594" "0000000000000068"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
Network
-
DNS45urhm0ldgxb.liveRemote address:8.8.8.8:53Request45urhm0ldgxb.liveIN AResponse45urhm0ldgxb.liveIN A149.154.153.2 -
DNSgx6xly9rp6vl.liveRemote address:8.8.8.8:53Requestgx6xly9rp6vl.liveIN AResponsegx6xly9rp6vl.liveIN A45.155.37.158
-
DNSzv46ga4ntybq.liveRemote address:8.8.8.8:53Requestzv46ga4ntybq.liveIN AResponsezv46ga4ntybq.liveIN A188.166.15.250
-
DNS7n1hfolmrnbl.liveRemote address:8.8.8.8:53Request7n1hfolmrnbl.liveIN AResponse7n1hfolmrnbl.liveIN A188.166.15.250
-
DNSvivh2xlt9i6q.liveRemote address:8.8.8.8:53Requestvivh2xlt9i6q.liveIN AResponsevivh2xlt9i6q.liveIN A188.166.15.250
-
DNS97t3nh4kk510.liveRemote address:8.8.8.8:53Request97t3nh4kk510.liveIN AResponse97t3nh4kk510.liveIN A188.166.15.250
-
DNSkbkdtwucfl40.liveRemote address:8.8.8.8:53Requestkbkdtwucfl40.liveIN AResponsekbkdtwucfl40.liveIN A188.166.15.250
-
DNSqk6a1ahb63uz.liveRemote address:8.8.8.8:53Requestqk6a1ahb63uz.liveIN AResponseqk6a1ahb63uz.liveIN A188.166.15.250
-
DNSwhko7loy7h5z.liveRemote address:8.8.8.8:53Requestwhko7loy7h5z.liveIN AResponsewhko7loy7h5z.liveIN A188.40.187.128
-
DNSdad1zg44n0bn.liveRemote address:8.8.8.8:53Requestdad1zg44n0bn.liveIN AResponsedad1zg44n0bn.liveIN A188.166.15.250
-
DNS7xwz4hw8dts9.liveRemote address:8.8.8.8:53Request7xwz4hw8dts9.liveIN AResponse7xwz4hw8dts9.liveIN A188.166.15.250
-
DNSovekd5n3gklq.liveRemote address:8.8.8.8:53Requestovekd5n3gklq.liveIN AResponseovekd5n3gklq.liveIN A188.166.15.250
-
DNSamwnef8mjo4v.liveRemote address:8.8.8.8:53Requestamwnef8mjo4v.liveIN AResponseamwnef8mjo4v.liveIN A188.166.15.250
-
DNSe7ivqfhnss0x.liveRemote address:8.8.8.8:53Requeste7ivqfhnss0x.liveIN AResponsee7ivqfhnss0x.liveIN A188.166.15.250
-
DNSrjql4nicl6bg.liveRemote address:8.8.8.8:53Requestrjql4nicl6bg.liveIN AResponserjql4nicl6bg.liveIN A188.166.15.250
-
DNS4mo318kk29i4.liveRemote address:8.8.8.8:53Request4mo318kk29i4.liveIN AResponse4mo318kk29i4.liveIN A188.166.15.250
-
DNSzpo18lm8vg1x.liveRemote address:8.8.8.8:53Requestzpo18lm8vg1x.liveIN AResponsezpo18lm8vg1x.liveIN A188.40.187.128
-
DNSjc51pt290y0n.liveRemote address:8.8.8.8:53Requestjc51pt290y0n.liveIN AResponsejc51pt290y0n.liveIN A188.166.15.250
-
DNSrg26t2dc4hf4.liveRemote address:8.8.8.8:53Requestrg26t2dc4hf4.liveIN AResponserg26t2dc4hf4.liveIN A188.166.15.250
-
DNSqw9a58vunuja.liveRemote address:8.8.8.8:53Requestqw9a58vunuja.liveIN AResponseqw9a58vunuja.liveIN A188.166.15.250
-
DNSugm94zjzl5nl.liveRemote address:8.8.8.8:53Requestugm94zjzl5nl.liveIN AResponseugm94zjzl5nl.liveIN A188.166.15.250
-
DNSmckag832orba.liveRemote address:8.8.8.8:53Requestmckag832orba.liveIN AResponsemckag832orba.liveIN A188.166.15.250
-
DNSpdw0v9voxlxr.liveRemote address:8.8.8.8:53Requestpdw0v9voxlxr.liveIN AResponsepdw0v9voxlxr.liveIN A188.166.15.250
-
DNSm4tx2apfmoxo.liveRemote address:8.8.8.8:53Requestm4tx2apfmoxo.liveIN AResponsem4tx2apfmoxo.liveIN A188.166.15.250
-
DNSn2uc737ef71m.liveRemote address:8.8.8.8:53Requestn2uc737ef71m.liveIN AResponsen2uc737ef71m.liveIN A188.166.15.250
-
DNShkk3112645hz.liveRemote address:8.8.8.8:53Requesthkk3112645hz.liveIN AResponsehkk3112645hz.liveIN A188.166.15.250
-
DNSugko9g5ipa4o.liveRemote address:8.8.8.8:53Requestugko9g5ipa4o.liveIN AResponseugko9g5ipa4o.liveIN A188.166.15.250
-
DNS8wgq2x4dybx9.liveRemote address:8.8.8.8:53Request8wgq2x4dybx9.liveIN AResponse8wgq2x4dybx9.liveIN A188.166.15.250
-
DNSh81fx7sj8srr.liveRemote address:8.8.8.8:53Requesth81fx7sj8srr.liveIN AResponseh81fx7sj8srr.liveIN A188.166.15.250
-
DNSa4tgoqi1cm8x.liveRemote address:8.8.8.8:53Requesta4tgoqi1cm8x.liveIN AResponsea4tgoqi1cm8x.liveIN A188.166.15.250
-
DNSkse2q7uxyrwp.liveRemote address:8.8.8.8:53Requestkse2q7uxyrwp.liveIN AResponsekse2q7uxyrwp.liveIN A188.166.15.250
-
DNSmfwnbxvt9qme.liveRemote address:8.8.8.8:53Requestmfwnbxvt9qme.liveIN AResponsemfwnbxvt9qme.liveIN A188.166.15.250
-
DNSx99ahfftf28l.liveRemote address:8.8.8.8:53Requestx99ahfftf28l.liveIN AResponsex99ahfftf28l.liveIN A188.40.187.128
-
DNS9n6bmko47gxe.liveRemote address:8.8.8.8:53Request9n6bmko47gxe.liveIN AResponse9n6bmko47gxe.liveIN A188.166.15.250
-
DNS6l96lk6edlyf.liveRemote address:8.8.8.8:53Request6l96lk6edlyf.liveIN AResponse6l96lk6edlyf.liveIN A188.166.15.250
-
DNSst5j8zqdrppf.liveRemote address:8.8.8.8:53Requestst5j8zqdrppf.liveIN AResponsest5j8zqdrppf.liveIN A188.166.15.250
-
DNSdxjeucbj4p0j.liveRemote address:8.8.8.8:53Requestdxjeucbj4p0j.liveIN AResponsedxjeucbj4p0j.liveIN A188.166.15.250
-
DNSbnpuxnov7lhr.liveRemote address:8.8.8.8:53Requestbnpuxnov7lhr.liveIN AResponsebnpuxnov7lhr.liveIN A188.166.15.250
-
188.166.15.250:443vivh2xlt9i6q.livehttps -
188.166.15.250:44397t3nh4kk510.livehttps
-
188.166.15.250:443kbkdtwucfl40.livehttps
-
188.166.15.250:443qk6a1ahb63uz.livehttps
-
188.40.187.128:443whko7loy7h5z.livehttps -
188.166.15.250:4437xwz4hw8dts9.livehttps
-
188.166.15.250:443e7ivqfhnss0x.livehttps
-
188.40.187.128:443zpo18lm8vg1x.livehttps
-
188.166.15.250:443qw9a58vunuja.livehttps
-
188.166.15.250:443pdw0v9voxlxr.livehttps
-
188.166.15.250:443hkk3112645hz.livehttps
-
188.166.15.250:443h81fx7sj8srr.livehttps
-
188.166.15.250:443mfwnbxvt9qme.livehttps
-
188.166.15.250:4436l96lk6edlyf.livehttps
-
188.166.15.250:443bnpuxnov7lhr.livehttps
-
8.8.8.8:5345urhm0ldgxb.livedns
DNS Request
45urhm0ldgxb.live
DNS Response
149.154.153.2
-
8.8.8.8:53gx6xly9rp6vl.livedns
DNS Request
gx6xly9rp6vl.live
DNS Response
45.155.37.158
-
8.8.8.8:53zv46ga4ntybq.livedns
DNS Request
zv46ga4ntybq.live
DNS Response
188.166.15.250
-
8.8.8.8:537n1hfolmrnbl.livedns
DNS Request
7n1hfolmrnbl.live
DNS Response
188.166.15.250
-
8.8.8.8:53vivh2xlt9i6q.livedns
DNS Request
vivh2xlt9i6q.live
DNS Response
188.166.15.250
-
8.8.8.8:5397t3nh4kk510.livedns
DNS Request
97t3nh4kk510.live
DNS Response
188.166.15.250
-
8.8.8.8:53kbkdtwucfl40.livedns
DNS Request
kbkdtwucfl40.live
DNS Response
188.166.15.250
-
8.8.8.8:53qk6a1ahb63uz.livedns
DNS Request
qk6a1ahb63uz.live
DNS Response
188.166.15.250
-
8.8.8.8:53whko7loy7h5z.livedns
DNS Request
whko7loy7h5z.live
DNS Response
188.40.187.128
-
8.8.8.8:53dad1zg44n0bn.livedns
DNS Request
dad1zg44n0bn.live
DNS Response
188.166.15.250
-
8.8.8.8:537xwz4hw8dts9.livedns
DNS Request
7xwz4hw8dts9.live
DNS Response
188.166.15.250
-
8.8.8.8:53ovekd5n3gklq.livedns
DNS Request
ovekd5n3gklq.live
DNS Response
188.166.15.250
-
8.8.8.8:53amwnef8mjo4v.livedns
DNS Request
amwnef8mjo4v.live
DNS Response
188.166.15.250
-
8.8.8.8:53e7ivqfhnss0x.livedns
DNS Request
e7ivqfhnss0x.live
DNS Response
188.166.15.250
-
8.8.8.8:53rjql4nicl6bg.livedns
DNS Request
rjql4nicl6bg.live
DNS Response
188.166.15.250
-
8.8.8.8:534mo318kk29i4.livedns
DNS Request
4mo318kk29i4.live
DNS Response
188.166.15.250
-
8.8.8.8:53zpo18lm8vg1x.livedns
DNS Request
zpo18lm8vg1x.live
DNS Response
188.40.187.128
-
8.8.8.8:53jc51pt290y0n.livedns
DNS Request
jc51pt290y0n.live
DNS Response
188.166.15.250
-
8.8.8.8:53rg26t2dc4hf4.livedns
DNS Request
rg26t2dc4hf4.live
DNS Response
188.166.15.250
-
8.8.8.8:53qw9a58vunuja.livedns
DNS Request
qw9a58vunuja.live
DNS Response
188.166.15.250
-
8.8.8.8:53ugm94zjzl5nl.livedns
DNS Request
ugm94zjzl5nl.live
DNS Response
188.166.15.250
-
8.8.8.8:53mckag832orba.livedns
DNS Request
mckag832orba.live
DNS Response
188.166.15.250
-
8.8.8.8:53pdw0v9voxlxr.livedns
DNS Request
pdw0v9voxlxr.live
DNS Response
188.166.15.250
-
8.8.8.8:53m4tx2apfmoxo.livedns
DNS Request
m4tx2apfmoxo.live
DNS Response
188.166.15.250
-
8.8.8.8:53n2uc737ef71m.livedns
DNS Request
n2uc737ef71m.live
DNS Response
188.166.15.250
-
8.8.8.8:53hkk3112645hz.livedns
DNS Request
hkk3112645hz.live
DNS Response
188.166.15.250
-
8.8.8.8:53ugko9g5ipa4o.livedns
DNS Request
ugko9g5ipa4o.live
DNS Response
188.166.15.250
-
8.8.8.8:538wgq2x4dybx9.livedns
DNS Request
8wgq2x4dybx9.live
DNS Response
188.166.15.250
-
8.8.8.8:53h81fx7sj8srr.livedns
DNS Request
h81fx7sj8srr.live
DNS Response
188.166.15.250
-
8.8.8.8:53a4tgoqi1cm8x.livedns
DNS Request
a4tgoqi1cm8x.live
DNS Response
188.166.15.250
-
8.8.8.8:53kse2q7uxyrwp.livedns
DNS Request
kse2q7uxyrwp.live
DNS Response
188.166.15.250
-
8.8.8.8:53mfwnbxvt9qme.livedns
DNS Request
mfwnbxvt9qme.live
DNS Response
188.166.15.250
-
8.8.8.8:53x99ahfftf28l.livedns
DNS Request
x99ahfftf28l.live
DNS Response
188.40.187.128
-
8.8.8.8:539n6bmko47gxe.livedns
DNS Request
9n6bmko47gxe.live
DNS Response
188.166.15.250
-
8.8.8.8:536l96lk6edlyf.livedns
DNS Request
6l96lk6edlyf.live
DNS Response
188.166.15.250
-
8.8.8.8:53st5j8zqdrppf.livedns
DNS Request
st5j8zqdrppf.live
DNS Response
188.166.15.250
-
8.8.8.8:53dxjeucbj4p0j.livedns
DNS Request
dxjeucbj4p0j.live
DNS Response
188.166.15.250
-
8.8.8.8:53bnpuxnov7lhr.livedns
DNS Request
bnpuxnov7lhr.live
DNS Response
188.166.15.250
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
816KB
MD5aa88d8f40a286b6d40de0f3abc836cfa
SHA1c24eab9e4b10b159b589f4c3b64ef3db111ea1c8
SHA2568d633efeda1249356b11bf8f46583242356e4f903056b53bd25a99511d1790a1
SHA5126c2f2f6a2d66015f30158962d653e381136f0f30023380a0ce95bd0944d856113fbde65db52dbb3b5de1c0e2edf2cd53184e721c64b916834be4198c61224519
-
Filesize
877KB
MD56a639b68fe7f4e67b7510af13403772b
SHA1255ba543d6fdd8f037823ff321ec00abe3575c54
SHA2567118cd0d6956c84dc8ede10db84491d7884bfb0baa4a0ab96afc7eea47f46dd0
SHA51243cfa4cdf669df71d7da59669ec9653c4facba4c2e6fe52deada469116b5c8b63a927a9ddc2f240ca9e1a2cc4335c12936007662bf47cd11c7e61392af219cef
-
Filesize
2.1MB
MD529e117e9f0ce89cb29a3b14f39a2624b
SHA11c1060ef434826f6785ea248b647da569e83cd6a
SHA2563844008c0697a64633357ba8d7088ee41e36ac321969bb442b97eb31e530e4a6
SHA512757ac09a94ac4b434daeaf19509183e778208c5b82865e877ee25027080fb367a0e6a177a2ebb0e10dff1307975efb0d45b81568866bec478beca59bd822ab45
-
Filesize
1.0MB
MD55e9965bc72df9f663ca049d40b1fa3af
SHA13fb8de364e3e67f093c1a6c73dc0cac1fd9b2202
SHA256ffa9df9f2ee9b98a9c9d2edf1521d2e8b952f58e1382cc1d84964d0054564091
SHA512418abf3447f885a8fee31cf367a83264eaedfa8a90cd30684f9291d9c37c402595e5f782aa8335bc081adf8f2b18b45171a52d846b48c372a00013da64b61339
-
Filesize
1.0MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB
-
Filesize
2.1MB