Resubmissions

14/02/2025, 07:59

250214-jvkq7ayley 10

10/02/2025, 18:09

250210-wrfpaa1jdl 10

Analysis

  • max time kernel
    143s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250211-en
  • submitted
    14/02/2025, 07:59

General

  • Target

    CZPgtmlLgThm.dll

  • Size

    3.2MB

  • MD5

    e102f51b67a248436f9729e410100a13

  • SHA1

    d34e81135fd45258982d56ce66fcb0661daff9de

  • SHA256

    b2bd3a7284b4dddb7412a5a929836200d9ec742af0d1af79de3ad164aceadf1a

  • SHA512

    4ce752d04bbdca4b9f6af961ee473d37b84d9a845dd01afb959a6bd03842858939b0dbb55db859a500362d61a0ac177846911cbcf5de534fadbecedaabc5910a

  • SSDEEP

    49152:6vMLhOv7qLYgOQkv2ldCcCgPqIo9xlf8ZirVq42tmAMK7+slR0+RNW8d:6v+0Yj/7VniJDfQiQVtD68tRNhd

Malware Config

Extracted

Family

bumblebee

Botnet

9090

Attributes
  • dga

    nvg55tpgvn.click

    ulbun31qmv.click

    7oc6be5fmy.click

    bm76b9296k.click

    h7xupkk0d3.click

    fi7anseaj7.click

    0u4bcayb8u.click

    1cckgd13z5.click

    562z75s3bp.click

    1smmlbbiqr.click

    cc5fi2q6ca.click

    xisdha07tt.click

    rvi6iv6l5v.click

    kddpj0gryr.click

    jmpxjjqhe8.click

    ui1b0rvu0k.click

    kqiqovthoj.click

    zbldvupsdc.click

    qdhqoj9s20.click

    g841i9ksgn.click

    uu4cx79e90.click

    m9a2qfmqay.click

    kc8svtokry.click

    st9rdv9xai.click

    i4965hr9jc.click

    wkxfgjwonu.click

    53y5nwsc6j.click

    7ou7og586r.click

    r5wrzrk1bi.click

    am7gd0loc1.click

  • dga_seed

    -5372979216912523469

  • domain_length

    10

  • num_dga_domains

    300

  • port

    443

  • tld

    .click

rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a loader malware written in C++.

  • Bumblebee family
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CZPgtmlLgThm.dll
    1⤵
      PID:440
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping 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-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODM0MTAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NTUzNjg2NzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NTM1OTE2NjQxIi8-PC9hcHA-PC9yZXF1ZXN0Pg
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:1968

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • memory/440-4-0x00007FFDEB04D000-0x00007FFDEB04E000-memory.dmp

      Filesize

      4KB

    • memory/440-6-0x00007FFDEAFB0000-0x00007FFDEB1A5000-memory.dmp

      Filesize

      2.0MB

    • memory/440-3-0x00000000023C0000-0x00000000025EB000-memory.dmp

      Filesize

      2.2MB

    • memory/440-8-0x00007FFDEAFB0000-0x00007FFDEB1A5000-memory.dmp

      Filesize

      2.0MB

    • memory/440-7-0x00007FFDEAFB0000-0x00007FFDEB1A5000-memory.dmp

      Filesize

      2.0MB

    • memory/440-1-0x00000000025F0000-0x0000000002809000-memory.dmp

      Filesize

      2.1MB

    • memory/440-9-0x00007FFDEAFB0000-0x00007FFDEB1A5000-memory.dmp

      Filesize

      2.0MB

    • memory/440-2-0x00000000025F0000-0x0000000002809000-memory.dmp

      Filesize

      2.1MB

    • memory/440-10-0x00000000025F0000-0x0000000002809000-memory.dmp

      Filesize

      2.1MB

    • memory/440-0-0x00000000025F0000-0x0000000002809000-memory.dmp

      Filesize

      2.1MB

    • memory/440-5-0x00000000025F0000-0x0000000002809000-memory.dmp

      Filesize

      2.1MB

    • memory/440-11-0x00007FFDEAFB0000-0x00007FFDEB1A5000-memory.dmp

      Filesize

      2.0MB

    • memory/440-12-0x00007FFDEAFB0000-0x00007FFDEB1A5000-memory.dmp

      Filesize

      2.0MB

    • memory/440-13-0x00000000023C0000-0x00000000025EB000-memory.dmp

      Filesize

      2.2MB

    • memory/440-14-0x00007FFDEAFB0000-0x00007FFDEB1A5000-memory.dmp

      Filesize

      2.0MB

    • memory/440-15-0x00007FFDEB04D000-0x00007FFDEB04E000-memory.dmp

      Filesize

      4KB