Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

834875b114...a9.msi

windows7-x64

10

834875b114...a9.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/03/2025, 03:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    834875b1149dde2148145b28f379c37235d4eb9671ddaeb7722b7c0e75c2aca9.msi

  • Size

    5.3MB

  • MD5

    b6a96e71ad5c0f9b96b2f1d7021e4e09

  • SHA1

    73eabaad78c61de825ed0c8bec9e3b81f5568dbd

  • SHA256

    834875b1149dde2148145b28f379c37235d4eb9671ddaeb7722b7c0e75c2aca9

  • SHA512

    bff28c1b4b7e3ca6dbfdf44203bb06c0872e5b2e29eceea39f1669afc783527be40460d73d50ea1a9cee9583c8fd538f5b14f3481aa42cca1e0bef9da9c8a800

  • SSDEEP

    98304:/Hrk3bVI2OzboNeQBWkl43yRev9CcTnuKLFKcwD8OfL4vWmCP82wajDOOInENX:jsq5zboN6F9BLuuKcxOfL4vW225jDOO/

Score
10/10
bumblebee10111discoveryloaderpersistenceprivilege_escalation

Malware Config

Extracted

Family

bumblebee

Botnet

10111

Attributes
  • dga

    vca3utda017.click

    knvop5puf3w.click

    fuoor4i9488.click

    e27y0btovqa.click

    4td54jwr0zo.click

    8u1tf686x8r.click

    7rbvv9nr7ux.click

    0qlcz1igan7.click

    1ywg4j0oomt.click

    uk2cx2bz9oh.click

    mmh6zjh9rws.click

    tyv7socu189.click

    nu1ry3ywid2.click

    qbjc9488vee.click

    v8tarf4uflp.click

    nubhcl6uvd6.click

    pj2h7xw21zx.click

    n22xrd1xrto.click

    1age5rpmnbq.click

    s7ebb7t79vn.click

    t8vxfebri9r.click

    77ch3dlvcuc.click

    4k2znm7tg08.click

    ie4jzevdaka.click

    pweekbw7x9i.click

    dg4j9l1r2ay.click

    6linr1ga29p.click

    ae4fgatomcn.click

    i0rwy7k6rh8.click

    zrvvmchlzab.click

  • dga_seed

    7827833623176771557

  • domain_length

    11

  • num_dga_domains

    300

  • port

    443

  • tld

    .click

rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a loader malware written in C++.

    loaderbumblebee
  • Bumblebee family
    bumblebee
  • Blocklisted process makes network request 5 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 41 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 35 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\834875b1149dde2148145b28f379c37235d4eb9671ddaeb7722b7c0e75c2aca9.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4820
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1356
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:2448
      • C:\Windows\system32\rundll32.exe
        "rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\ApplicationInstallationFolder_11\ZipItNow.dll",DllRegisterServer
        2⤵
        • Loads dropped DLL
        PID:1608
      • C:\Users\Admin\AppData\Local\Temp\ApplicationInstallationFolder_11\ZipItNow.exe
        "C:\Users\Admin\AppData\Local\Temp\ApplicationInstallationFolder_11\ZipItNow.exe"
        2⤵
        • Enumerates connected drives
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:3192
        • C:\Windows\SysWOW64\msiexec.exe
          "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Zip It Now\Zip It Now 1.4.0.0\install\7645A40\ZipItNow.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ApplicationInstallationFolder_11\ZipItNow.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ApplicationInstallationFolder_11\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1741424508 " AI_EUIMSI=""
          3⤵
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          PID:4912
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 1668A8DAF5A895B6862807AACD6CA5E2 C
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:368
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding A3C8A36530B96D859BB54ABCD26DE016
        2⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4340
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSIC526.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240633312 3 RequestSender!RequestSender.CustomActions.Start
          3⤵
          • Blocklisted process makes network request
          • Drops file in Windows directory
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:4916
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSIC966.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240634218 61 RequestSender!RequestSender.CustomActions.CreateScheduledTask
          3⤵
          • Drops file in Windows directory
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1652
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSIDB99.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240638906 1937 RequestSender!RequestSender.CustomActions.Finish
          3⤵
          • Blocklisted process makes network request
          • Drops file in Windows directory
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2956
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:2752

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e57bb90.rbs
      Filesize

      8KB

      MD5

      f6765ffe164002249c51ff90ea8b745b

      SHA1

      00b7162aae7fc5a1c4edbd38fa439239f7bdd586

      SHA256

      5290a56049ee70b0b52ee7934e9ac9a0b7904ac9c87ef4796e7670f88426be90

      SHA512

      3ca42daef8ed122151b3a25bea0814044f0261c32bb2c13d9d236b3e0ce356a0505e0015c964c161fded8480a89c97c225c7212260991b3e46c1cd06226c11bf

      Download Submit

    • C:\Config.Msi\e57bb95.rbs
      Filesize

      817KB

      MD5

      0a13c2f3d905e3a62a611b7baea13a04

      SHA1

      be7791940320a15c156d04fe0fa241226e0b4da9

      SHA256

      e0432c4f2e169d5e58bdbd3626de3b865b1e2063618ee966914c3ab14b402b32

      SHA512

      0a6d5038faca0fb93876a1418ddfb37d7224ad79818e6c728e02daa82cbee7cfe240a1bd4b3aa39c661a9518fb99d872902a2795a022e8abee742cfa6e6c9186

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
      Filesize

      847B

      MD5

      f8ec7f563d06ccddddf6c96b8957e5c8

      SHA1

      73bdc49dcead32f8c29168645a0f080084132252

      SHA256

      38ef57aec780edd2c8dab614a85ce87351188fce5896ffebc9f69328df2056ed

      SHA512

      8830821ac9edb4cdf4d8a3d7bc30433987ae4c158cf81b705654f54aaeba366c5fa3509981aceae21e193dd4483f03b9d449bc0a32545927d3ca94b0f9367684

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ApplicationInstallationFolder_11\ZipItNow.dll
      Filesize

      2.1MB

      MD5

      a4721159fba7ebdffe823468dc858288

      SHA1

      ff1a9d6dc6b008ff69d6ed16b762ba399a92c60c

      SHA256

      8c03d230f87215d048b58265d09fa256fd4c0088dc279da033854ddbf389c3e5

      SHA512

      e2258457344a366518d5b697e97eb20c5923ef08eb8533ef9ef093bd401ee2e58105431b3a8b2ebdab61db4145e4b346ed534acf428a6f97289f801277de7a77

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ApplicationInstallationFolder_11\ZipItNow.exe
      Filesize

      4.7MB

      MD5

      534cd01067c81867723338b17697ee32

      SHA1

      a4e5a835909c7289a3372d58d80dc539309d6736

      SHA256

      956713b1bca39dc306f5402815f1258cfe4279c85c42758c0e107e5f8ee5576a

      SHA512

      df259beb1b0b30b24e02754f9da688092274c7ec7e775f8fd4b9bdfbb75a1be8f9107562568d6223fa9ee61e51f4d93f8bf9c6a83b47f1611f16a521bc5f8172

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSIC19B.tmp
      Filesize

      386KB

      MD5

      72b1c6699ddc2baab105d32761285df2

      SHA1

      fc85e9fb190f205e6752624a5231515c4ee4e155

      SHA256

      bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

      SHA512

      cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Zip It Now\Zip It Now 1.4.0.0\install\7645A40\ZipItNow.msi
      Filesize

      2.6MB

      MD5

      54f36f1b9118b35e2dbb2e0eb0c377ab

      SHA1

      74c4144ec0d694d2cd047d235444ae309fc2a3aa

      SHA256

      39da510263e23e8b172f460f8946f0934eeff7c1bb8aeb2f92e4439fd6eea1b8

      SHA512

      d51360bce9efa04208123df0e303c5364ad19b75fd2605ed21fe06f6e63f59c95d0595d4776292e6b0160b295873c1ce3dddf70c328fb2f85d4a83ba22efb22a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Zip It Now\Zip It Now 1.4.0.0\install\7645A40\upd.exe
      Filesize

      1.6MB

      MD5

      d68a0453311d9645436889d698dfd3bc

      SHA1

      40a614fe230373bb4c7e9d1791cf3c1dcc56a966

      SHA256

      5ac47d4b9de6a7a45202417bfbd65501ed227a02aeae19c8a5b4e902299ef1df

      SHA512

      beda42b97063edd4be7d14342e965ce214c1228ac65fd81213614d1279e33ad230e5f77beaef000b05badb3cf32bcd72df73269e29422b9697c7900c5df5dc91

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Zip It Now\Zip It Now 1.4.0.0\install\7645A40\zip_it_now.exe
      Filesize

      517KB

      MD5

      4a2ee83f3ad69f81df42c4e87af013f8

      SHA1

      c3f65d6aabfa419d510ea5aefe0ded17e2bdee73

      SHA256

      941580cbad9e1c9e3e62c49a80ce2c7931ee4a931a00e36309b3b4d2f1c69907

      SHA512

      6101578090fe05568308ada1f8b65950448bde47e7e37f8d0113d1c22a2262b5cac9dfd5800cc1121dae2be37a7d1ee64c398e417d5511af8952aabbd0100308

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Zip It Now\Zip It Now 1.4.0.0\install\decoder.dll
      Filesize

      206KB

      MD5

      9d45f2790dda55df2d99ef66dcb2019d

      SHA1

      f2a369c1b82476e2e0641f95394dd4dee8223f01

      SHA256

      9b7ff49f7e1d0a39826ec458c8004b20a65a4bd0592b083f38b01e2dbc2b510f

      SHA512

      9bef561ec6908dcd7e75f5f63cff8b1ec73e9be2b4e4aa5602182cde18d691cc28259b980c87246c5d27b4284bc783fba44d92a202f77b15f3e65c89dd3aa069

      Download Submit

    • C:\Windows\Installer\MSIC526.tmp
      Filesize

      416KB

      MD5

      9d0601206bfe26161f88caf174a0771a

      SHA1

      d0edc2cedaac22c56d740ee2631cd3b7c868c6bf

      SHA256

      45608820ac1375e4490f0bb1b289745ef7183370f2411138f50a88d363f9cad0

      SHA512

      ee1c60fbc45dc73b679d895b896ab0c056b640b279a52c1fac5e95181a7128f15ce88d7cc6f6105ef33c20b01eb9016452866387328b0cc7ed07bf5c6a3de9a1

      Download Submit

    • C:\Windows\Installer\MSIC653.tmp
      Filesize

      544KB

      MD5

      40117f705bff008c3d96a73162dad044

      SHA1

      2735813836f36b5de83a745c47628053a0f61f66

      SHA256

      32211c43bcfee2ea3ae54899af178d1fc0c2b1111b2a9e3cc3fd125e1ab7daad

      SHA512

      eace1d55d479c4cf5692ec1dc98a6738e94874901bebe14a0a0a93eefd00fc4bd55a701e4629a1f7c47f72ac91fe3b698d590a8463119998852e05d6682f91a4

      Download Submit

    • C:\Windows\Installer\MSIC80C.tmp
      Filesize

      401KB

      MD5

      ec4cd2159189ffa5d293a24e92964b6d

      SHA1

      d16bbb7b4504afa4d70442e051e548372586b5d3

      SHA256

      8a77ed5526ecf88b81844993b5c55bdf6e056aade9c8cb3e1fd89a3b4d41a780

      SHA512

      099663cd0584dce7ec17322fcecef330341a711a1d6854f57eb852650ab8272b44708f18ebf6ca0e42b2ca0ed10ad99ea7729562de553353afb615604ea19101

      Download Submit

    • C:\Windows\Installer\SFXCAA1C017F394423429D126033251881F2C\Microsoft.Win32.TaskScheduler.dll
      Filesize

      325KB

      MD5

      0616ea42b68a8f5f2f01bcd985bdcbc7

      SHA1

      88d6aae1f17b00f4391e0e7b17e98c494be73ba1

      SHA256

      ea27c65491119eee5c8e87ce3d470783580db8fc5bd141c496768d7d0cce779a

      SHA512

      ce4657908615c4837084c75d806c083b8f7e63965a2e7866b8c96de7c0278a0857235b74cd9443769968165db250eba042a5b05927febff5bb70bebb7dcbd814

      Download Submit

    • C:\Windows\Installer\SFXCAA4A5F9758040DD89A131FF3F7322FE69\CustomAction.config
      Filesize

      959B

      MD5

      ee9a8381338b060d86c58e2415f481f3

      SHA1

      200f3ed7c773f50c80644f3976e09e876f45993f

      SHA256

      7e1096d6f39ebe04d6e38bc714983af05ed92cc2bb4d3365ed4c85e733cb145c

      SHA512

      26b9108b9522574e08560bc45a6470f85ca149317bd763f3a357040e0f0e743fd7bfc05e0ce2d9fb52bf89e22c61d221ddf8a7163f5143848717ca3d56847ef1

      Download Submit

    • C:\Windows\Installer\SFXCAA4A5F9758040DD89A131FF3F7322FE69\RequestSender.dll
      Filesize

      13KB

      MD5

      208affd76ff5813c6ffd74fe02780953

      SHA1

      2edf070cbbd4031d470db0e68af7f36c7c68c3a3

      SHA256

      a3f2df576e23e27904150abe24b4a03c7dfa2fb52bb847ab54e8b4cd0032103d

      SHA512

      9bab13a330e00a62e20957e4508e7ef2cef00187783363fdcdb23ce257e48d3ceb4a9b830f6e1b6021ecabdcb3bb3d2852b8d898b32bc506d30e7848c7fff51f

      Download Submit

    • C:\Windows\Installer\SFXCAA4A5F9758040DD89A131FF3F7322FE69\WixToolset.Dtf.WindowsInstaller.dll
      Filesize

      193KB

      MD5

      ef8d5785ac8669f5fd54e22f52770e6b

      SHA1

      4c94ae7ef233be33a56c0a5d9b8e2211d5d5792c

      SHA256

      a614884ea627da1925131ebf41e8ae202caeac0fe543b86384f5eb2bfaf1aa75

      SHA512

      ab3b140bd6531f22e994606820e6511442c23d9015b1e1a38aaed43aa42ba29a996511151d0b3a383c05c2b11f670e52cdd7f507ad1a1ad8cebea57fb22ade5a

      Download Submit

    • C:\Windows\Installer\e57bb8f.msi
      Filesize

      5.3MB

      MD5

      b6a96e71ad5c0f9b96b2f1d7021e4e09

      SHA1

      73eabaad78c61de825ed0c8bec9e3b81f5568dbd

      SHA256

      834875b1149dde2148145b28f379c37235d4eb9671ddaeb7722b7c0e75c2aca9

      SHA512

      bff28c1b4b7e3ca6dbfdf44203bb06c0872e5b2e29eceea39f1669afc783527be40460d73d50ea1a9cee9583c8fd538f5b14f3481aa42cca1e0bef9da9c8a800

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      24.1MB

      MD5

      7a317ea3d9e397709a49051f8a209f66

      SHA1

      9e7d356b1bb6dc72ad96007b552e70484b1d8123

      SHA256

      d09eb6526b7a59482ebee7772b9b335d951a02ec9f8172eb70ed5cf8655a125e

      SHA512

      2c376b15e94b5c1e4e0f5a001ead0eb1e5c510c50d1f20581dabe3712d8c43ced8779570dad76d00c8ce9548d8089b2951576d22c0a88b6363bf212f1e42d768

      Download Submit

    • \??\Volume{24b92e62-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{aa25829a-3a54-477b-9f45-cd3a69c67dab}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      d41f5ff6e185ba9f8e9b637aceddfd99

      SHA1

      7f1f2fa23b35ffdf680c05b40a3b5ae1d14b45e8

      SHA256

      6107c53796e5259bbceaa9d310f712226f865201ac7ac314b828c8e193c6cc91

      SHA512

      6392191af784d327534de23e69809ba9074f13b11c7d3aa260a361585f7ddcf776d09344faf95f15cdfb3d6be09bb6427ca9b43cfca9ab30a00979c0b820fd78

      Download Submit

    • memory/1608-18-0x00007FFDA9BF0000-0x00007FFDA9E13000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/1608-283-0x00007FFDA9BF0000-0x00007FFDA9E13000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/1652-135-0x0000000004F00000-0x0000000004F58000-memory.dmp

      Filesize

      352KB

      Download

    • memory/4916-104-0x0000000005300000-0x0000000005366000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4916-102-0x0000000002EB0000-0x0000000002EBA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4916-92-0x0000000005250000-0x0000000005284000-memory.dmp

      Filesize

      208KB

      Download