
Analysis

  • max time kernel
    131s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/12/2024, 11:27 UTC

General

  • Target

    bb.dll

  • Size

    2.0MB

  • MD5

    5dc6a6789108ac4e667ce24142da1d35

  • SHA1

    660db375094ffef61406b9867528a96861b323e0

  • SHA256

    487dfd12574da32277b18f9ccf3f4143bf676e3560cec909d44db957b1b37670

  • SHA512

    b50af80effc8724690c63ce97798792129994e6fba95d7528ebb43aeaa4996938e4cf781135b0340c6b970f36eb3e53c186abf442494bf5b02478a39fe3125a7

  • SSDEEP

    49152:7WUC0sDBCKCyRf0C3yXGrlz7WHdUcZOiND:7W0sDBCKCyRf0C3y+cZv

Malware Config

Extracted

Family

bumblebee

Botnet

276a

C2

146.70.106.52:443

65.72.191.77:443

103.175.16.116:443

185.62.58.175:443

209.141.58.141:443

154.56.0.112:443

rc4.plain
1
BLACK

Signatures

  • BumbleBee

    BumbleBee is a loader malware written in C++.

  • Bumblebee family
  • Enumerates VirtualBox registry keys (2 TTPs, 5 IoCs)
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 3 IoCs)
  • Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  • Checks BIOS information in registry (2 TTPs, 3 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys (2 TTPs, 1 IoC)

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Checks for VirtualBox DLLs, possible anti-VM trick (1 TTP, 1 IoC)

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • Suspicious behavior: EnumeratesProcesses (64 IoCs)

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\bb.dll
    1⤵
    • Enumerates VirtualBox registry keys
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Looks for VirtualBox Guest Additions in registry
    • Checks BIOS information in registry
    • Identifies Wine through registry keys
    • Checks for VirtualBox DLLs, possible anti-VM trick
    • Suspicious behavior: EnumeratesProcesses
    PID:4384

Network

  • DNS  217.106.137.52.in-addr.arpa  (remote address 8.8.8.8:53)
    Request: 217.106.137.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  85.49.80.91.in-addr.arpa  (remote address 8.8.8.8:53)
    Request: 85.49.80.91.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  17.160.190.20.in-addr.arpa  (remote address 8.8.8.8:53)
    Request: 17.160.190.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  95.221.229.192.in-addr.arpa  (remote address 8.8.8.8:53)
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  133.211.185.52.in-addr.arpa  (remote address 8.8.8.8:53)
    Request: 133.211.185.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  50.23.12.20.in-addr.arpa  (remote address 8.8.8.8:53)
    Request: 50.23.12.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  15.164.165.52.in-addr.arpa  (remote address 8.8.8.8:53)
    Request: 15.164.165.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  172.214.232.199.in-addr.arpa  (remote address 8.8.8.8:53)
    Request: 172.214.232.199.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  86.49.80.91.in-addr.arpa  (remote address 8.8.8.8:53)
    Request: 86.49.80.91.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  21.49.80.91.in-addr.arpa  (remote address 8.8.8.8:53)
    Request: 21.49.80.91.in-addr.arpa IN PTR
    Response: (empty)
  • DNS  43.229.111.52.in-addr.arpa  (remote address 8.8.8.8:53)
    Request: 43.229.111.52.in-addr.arpa IN PTR
    Response: (empty)
  • 100.65.168.129:171  regsvr32.exe  260 B  5
  • 207.177.53.164:325  regsvr32.exe  260 B  5
  • 32.87.78.10:384  regsvr32.exe  260 B  5
  • 117.162.18.77:404  regsvr32.exe  260 B  5
  • 116.176.236.58:151  regsvr32.exe  260 B  5
  • 123.2.128.107:267  regsvr32.exe  260 B  5
  • 169.146.162.63:373  regsvr32.exe  260 B  5
  • 8.8.8.8:53  217.106.137.52.in-addr.arpa  dns  73 B  147 B  1  1
    DNS Request: 217.106.137.52.in-addr.arpa
  • 8.8.8.8:53  85.49.80.91.in-addr.arpa  dns  70 B  145 B  1  1
    DNS Request: 85.49.80.91.in-addr.arpa
  • 8.8.8.8:53  17.160.190.20.in-addr.arpa  dns  72 B  158 B  1  1
    DNS Request: 17.160.190.20.in-addr.arpa
  • 8.8.8.8:53  95.221.229.192.in-addr.arpa  dns  73 B  144 B  1  1
    DNS Request: 95.221.229.192.in-addr.arpa
  • 8.8.8.8:53  133.211.185.52.in-addr.arpa  dns  73 B  147 B  1  1
    DNS Request: 133.211.185.52.in-addr.arpa
  • 8.8.8.8:53  50.23.12.20.in-addr.arpa  dns  70 B  156 B  1  1
    DNS Request: 50.23.12.20.in-addr.arpa
  • 8.8.8.8:53  15.164.165.52.in-addr.arpa  dns  72 B  146 B  1  1
    DNS Request: 15.164.165.52.in-addr.arpa
  • 8.8.8.8:53  172.214.232.199.in-addr.arpa  dns  74 B  128 B  1  1
    DNS Request: 172.214.232.199.in-addr.arpa
  • 8.8.8.8:53  86.49.80.91.in-addr.arpa  dns  70 B  145 B  1  1
    DNS Request: 86.49.80.91.in-addr.arpa
  • 8.8.8.8:53  21.49.80.91.in-addr.arpa  dns  70 B  145 B  1  1
    DNS Request: 21.49.80.91.in-addr.arpa
  • 8.8.8.8:53  43.229.111.52.in-addr.arpa  dns  72 B  158 B  1  1
    DNS Request: 43.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • memory/4384-0-0x00007FFE733CD000-0x00007FFE733CE000-memory.dmp (Filesize: 4KB)
  • memory/4384-1-0x0000000002B20000-0x0000000002C36000-memory.dmp (Filesize: 1.1MB)
  • memory/4384-4-0x0000000002B20000-0x0000000002C36000-memory.dmp (Filesize: 1.1MB)
  • memory/4384-3-0x0000000002B20000-0x0000000002C36000-memory.dmp (Filesize: 1.1MB)
  • memory/4384-2-0x0000000002B20000-0x0000000002C36000-memory.dmp (Filesize: 1.1MB)
  • memory/4384-7-0x00007FFE73330000-0x00007FFE73525000-memory.dmp (Filesize: 2.0MB)
  • memory/4384-8-0x00007FFE73330000-0x00007FFE73525000-memory.dmp (Filesize: 2.0MB)
  • memory/4384-6-0x00007FFE73330000-0x00007FFE73525000-memory.dmp (Filesize: 2.0MB)
  • memory/4384-5-0x00007FFE73330000-0x00007FFE73525000-memory.dmp (Filesize: 2.0MB)
  • memory/4384-9-0x0000000002B20000-0x0000000002C36000-memory.dmp (Filesize: 1.1MB)
  • memory/4384-10-0x0000000002B20000-0x0000000002C36000-memory.dmp (Filesize: 1.1MB)
  • memory/4384-11-0x00007FFE733CD000-0x00007FFE733CE000-memory.dmp (Filesize: 4KB)
  • memory/4384-12-0x00007FFE73330000-0x00007FFE73525000-memory.dmp (Filesize: 2.0MB)
  • memory/4384-14-0x0000000002B20000-0x0000000002C36000-memory.dmp (Filesize: 1.1MB)
  • memory/4384-13-0x0000000002B20000-0x0000000002C36000-memory.dmp (Filesize: 1.1MB)
