Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

CryptocommSetup.msi

windows10-2004-x64

10

CryptocommSetup.msi

windows11-21h2-x64

10

Analysis

  • max time kernel
    418s
  • max time network
    427s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/03/2025, 11:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CryptocommSetup.msi

  • Size

    5.3MB

  • MD5

    b6a96e71ad5c0f9b96b2f1d7021e4e09

  • SHA1

    73eabaad78c61de825ed0c8bec9e3b81f5568dbd

  • SHA256

    834875b1149dde2148145b28f379c37235d4eb9671ddaeb7722b7c0e75c2aca9

  • SHA512

    bff28c1b4b7e3ca6dbfdf44203bb06c0872e5b2e29eceea39f1669afc783527be40460d73d50ea1a9cee9583c8fd538f5b14f3481aa42cca1e0bef9da9c8a800

  • SSDEEP

    98304:/Hrk3bVI2OzboNeQBWkl43yRev9CcTnuKLFKcwD8OfL4vWmCP82wajDOOInENX:jsq5zboN6F9BLuuKcxOfL4vW225jDOO/

Score
10/10
bumblebee10111discoveryloaderpersistenceprivilege_escalation

Malware Config

Extracted

Family

bumblebee

Botnet

10111

Attributes
  • dga

    vca3utda017.click

    knvop5puf3w.click

    fuoor4i9488.click

    e27y0btovqa.click

    4td54jwr0zo.click

    8u1tf686x8r.click

    7rbvv9nr7ux.click

    0qlcz1igan7.click

    1ywg4j0oomt.click

    uk2cx2bz9oh.click

    mmh6zjh9rws.click

    tyv7socu189.click

    nu1ry3ywid2.click

    qbjc9488vee.click

    v8tarf4uflp.click

    nubhcl6uvd6.click

    pj2h7xw21zx.click

    n22xrd1xrto.click

    1age5rpmnbq.click

    s7ebb7t79vn.click

    t8vxfebri9r.click

    77ch3dlvcuc.click

    4k2znm7tg08.click

    ie4jzevdaka.click

    pweekbw7x9i.click

    dg4j9l1r2ay.click

    6linr1ga29p.click

    ae4fgatomcn.click

    i0rwy7k6rh8.click

    zrvvmchlzab.click

  • dga_seed

    7827833623176771557

  • domain_length

    11

  • num_dga_domains

    300

  • port

    443

  • tld

    .click

rc4.plain

Signatures

  • BumbleBee

    BumbleBee is a loader malware written in C++.

    loaderbumblebee
  • Bumblebee family
    bumblebee
  • Blocklisted process makes network request 4 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 41 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 35 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\CryptocommSetup.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4324
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:1576
      • C:\Windows\system32\rundll32.exe
        "rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\ApplicationInstallationFolder_11\ZipItNow.dll",DllRegisterServer
        2⤵
        • Loads dropped DLL
        PID:448
      • C:\Users\Admin\AppData\Local\Temp\ApplicationInstallationFolder_11\ZipItNow.exe
        "C:\Users\Admin\AppData\Local\Temp\ApplicationInstallationFolder_11\ZipItNow.exe"
        2⤵
        • Enumerates connected drives
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4864
        • C:\Windows\SysWOW64\msiexec.exe
          "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Zip It Now\Zip It Now 1.4.0.0\install\7645A40\ZipItNow.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ApplicationInstallationFolder_11\ZipItNow.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ApplicationInstallationFolder_11\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1741453221 " AI_EUIMSI=""
          3⤵
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          PID:3492
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 855B4BDFF4929A6A1D4AF3995643223C C
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1472
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 1C9021A375E2858E5FA29C0173669157
        2⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2032
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSIFCD0.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240647546 3 RequestSender!RequestSender.CustomActions.Start
          3⤵
          • Drops file in Windows directory
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1888
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSI1EA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240648687 61 RequestSender!RequestSender.CustomActions.CreateScheduledTask
          3⤵
          • Drops file in Windows directory
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2312
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSI2D72.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240659828 1952 RequestSender!RequestSender.CustomActions.Finish
          3⤵
          • Blocklisted process makes network request
          • Drops file in Windows directory
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:4972
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:2516

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e57f389.rbs
      Filesize

      8KB

      MD5

      1f05d62e6f9fef17026b77e4b61ce9a5

      SHA1

      7e00c00454b4648c31799a720f5f5b8be9057069

      SHA256

      48b9793bebdf87d82d3aa93d916724bdc1b9f95875067f5de49f67f9017dc49f

      SHA512

      61e1ca369f43f799de44a410628e411d6d0d6985333dc9559b7f3d861b81ec1a530390007f809b95806761257c0858eecdd4d64fa1e6fa71103f2e0b24021044

      Download Submit

    • C:\Config.Msi\e57f38e.rbs
      Filesize

      817KB

      MD5

      b926d7cacaa57930704e1903b58b4b0a

      SHA1

      8eddcba26d95016722c6d9e8b468ac73e9a539b1

      SHA256

      02d2dd7c3b94ec49d310ad11a938316e059ee2d213b4e4bd611e474836040c33

      SHA512

      4a668e8461682c44843210f092c4b91b03fb4acfcb1e2c54427b21362018efa2772981ed0e30c53a0c54a7b80da0ba6548960e361912132abd9c90e8f45a2da1

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
      Filesize

      847B

      MD5

      f8ec7f563d06ccddddf6c96b8957e5c8

      SHA1

      73bdc49dcead32f8c29168645a0f080084132252

      SHA256

      38ef57aec780edd2c8dab614a85ce87351188fce5896ffebc9f69328df2056ed

      SHA512

      8830821ac9edb4cdf4d8a3d7bc30433987ae4c158cf81b705654f54aaeba366c5fa3509981aceae21e193dd4483f03b9d449bc0a32545927d3ca94b0f9367684

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ApplicationInstallationFolder_11\ZipItNow.dll
      Filesize

      2.1MB

      MD5

      a4721159fba7ebdffe823468dc858288

      SHA1

      ff1a9d6dc6b008ff69d6ed16b762ba399a92c60c

      SHA256

      8c03d230f87215d048b58265d09fa256fd4c0088dc279da033854ddbf389c3e5

      SHA512

      e2258457344a366518d5b697e97eb20c5923ef08eb8533ef9ef093bd401ee2e58105431b3a8b2ebdab61db4145e4b346ed534acf428a6f97289f801277de7a77

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ApplicationInstallationFolder_11\ZipItNow.exe
      Filesize

      4.7MB

      MD5

      534cd01067c81867723338b17697ee32

      SHA1

      a4e5a835909c7289a3372d58d80dc539309d6736

      SHA256

      956713b1bca39dc306f5402815f1258cfe4279c85c42758c0e107e5f8ee5576a

      SHA512

      df259beb1b0b30b24e02754f9da688092274c7ec7e775f8fd4b9bdfbb75a1be8f9107562568d6223fa9ee61e51f4d93f8bf9c6a83b47f1611f16a521bc5f8172

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSIFA5F.tmp
      Filesize

      386KB

      MD5

      72b1c6699ddc2baab105d32761285df2

      SHA1

      fc85e9fb190f205e6752624a5231515c4ee4e155

      SHA256

      bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

      SHA512

      cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Zip It Now\Zip It Now 1.4.0.0\install\7645A40\ZipItNow.msi
      Filesize

      2.6MB

      MD5

      54f36f1b9118b35e2dbb2e0eb0c377ab

      SHA1

      74c4144ec0d694d2cd047d235444ae309fc2a3aa

      SHA256

      39da510263e23e8b172f460f8946f0934eeff7c1bb8aeb2f92e4439fd6eea1b8

      SHA512

      d51360bce9efa04208123df0e303c5364ad19b75fd2605ed21fe06f6e63f59c95d0595d4776292e6b0160b295873c1ce3dddf70c328fb2f85d4a83ba22efb22a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Zip It Now\Zip It Now 1.4.0.0\install\7645A40\upd.exe
      Filesize

      1.6MB

      MD5

      d68a0453311d9645436889d698dfd3bc

      SHA1

      40a614fe230373bb4c7e9d1791cf3c1dcc56a966

      SHA256

      5ac47d4b9de6a7a45202417bfbd65501ed227a02aeae19c8a5b4e902299ef1df

      SHA512

      beda42b97063edd4be7d14342e965ce214c1228ac65fd81213614d1279e33ad230e5f77beaef000b05badb3cf32bcd72df73269e29422b9697c7900c5df5dc91

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Zip It Now\Zip It Now 1.4.0.0\install\7645A40\zip_it_now.exe
      Filesize

      517KB

      MD5

      4a2ee83f3ad69f81df42c4e87af013f8

      SHA1

      c3f65d6aabfa419d510ea5aefe0ded17e2bdee73

      SHA256

      941580cbad9e1c9e3e62c49a80ce2c7931ee4a931a00e36309b3b4d2f1c69907

      SHA512

      6101578090fe05568308ada1f8b65950448bde47e7e37f8d0113d1c22a2262b5cac9dfd5800cc1121dae2be37a7d1ee64c398e417d5511af8952aabbd0100308

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Zip It Now\Zip It Now 1.4.0.0\install\decoder.dll
      Filesize

      206KB

      MD5

      9d45f2790dda55df2d99ef66dcb2019d

      SHA1

      f2a369c1b82476e2e0641f95394dd4dee8223f01

      SHA256

      9b7ff49f7e1d0a39826ec458c8004b20a65a4bd0592b083f38b01e2dbc2b510f

      SHA512

      9bef561ec6908dcd7e75f5f63cff8b1ec73e9be2b4e4aa5602182cde18d691cc28259b980c87246c5d27b4284bc783fba44d92a202f77b15f3e65c89dd3aa069

      Download Submit

    • C:\Windows\Installer\MSI14C.tmp
      Filesize

      401KB

      MD5

      ec4cd2159189ffa5d293a24e92964b6d

      SHA1

      d16bbb7b4504afa4d70442e051e548372586b5d3

      SHA256

      8a77ed5526ecf88b81844993b5c55bdf6e056aade9c8cb3e1fd89a3b4d41a780

      SHA512

      099663cd0584dce7ec17322fcecef330341a711a1d6854f57eb852650ab8272b44708f18ebf6ca0e42b2ca0ed10ad99ea7729562de553353afb615604ea19101

      Download Submit

    • C:\Windows\Installer\MSIFCD0.tmp
      Filesize

      416KB

      MD5

      9d0601206bfe26161f88caf174a0771a

      SHA1

      d0edc2cedaac22c56d740ee2631cd3b7c868c6bf

      SHA256

      45608820ac1375e4490f0bb1b289745ef7183370f2411138f50a88d363f9cad0

      SHA512

      ee1c60fbc45dc73b679d895b896ab0c056b640b279a52c1fac5e95181a7128f15ce88d7cc6f6105ef33c20b01eb9016452866387328b0cc7ed07bf5c6a3de9a1

      Download Submit

    • C:\Windows\Installer\MSIFF26.tmp
      Filesize

      544KB

      MD5

      40117f705bff008c3d96a73162dad044

      SHA1

      2735813836f36b5de83a745c47628053a0f61f66

      SHA256

      32211c43bcfee2ea3ae54899af178d1fc0c2b1111b2a9e3cc3fd125e1ab7daad

      SHA512

      eace1d55d479c4cf5692ec1dc98a6738e94874901bebe14a0a0a93eefd00fc4bd55a701e4629a1f7c47f72ac91fe3b698d590a8463119998852e05d6682f91a4

      Download Submit

    • C:\Windows\Installer\SFXCA6CBFBA75344BF33B55B75669F6E988AE\Microsoft.Win32.TaskScheduler.dll
      Filesize

      325KB

      MD5

      0616ea42b68a8f5f2f01bcd985bdcbc7

      SHA1

      88d6aae1f17b00f4391e0e7b17e98c494be73ba1

      SHA256

      ea27c65491119eee5c8e87ce3d470783580db8fc5bd141c496768d7d0cce779a

      SHA512

      ce4657908615c4837084c75d806c083b8f7e63965a2e7866b8c96de7c0278a0857235b74cd9443769968165db250eba042a5b05927febff5bb70bebb7dcbd814

      Download Submit

    • C:\Windows\Installer\SFXCAC6BAF22F954A2FB9828B4B622816DB7B\CustomAction.config
      Filesize

      959B

      MD5

      ee9a8381338b060d86c58e2415f481f3

      SHA1

      200f3ed7c773f50c80644f3976e09e876f45993f

      SHA256

      7e1096d6f39ebe04d6e38bc714983af05ed92cc2bb4d3365ed4c85e733cb145c

      SHA512

      26b9108b9522574e08560bc45a6470f85ca149317bd763f3a357040e0f0e743fd7bfc05e0ce2d9fb52bf89e22c61d221ddf8a7163f5143848717ca3d56847ef1

      Download Submit

    • C:\Windows\Installer\SFXCAC6BAF22F954A2FB9828B4B622816DB7B\RequestSender.dll
      Filesize

      13KB

      MD5

      208affd76ff5813c6ffd74fe02780953

      SHA1

      2edf070cbbd4031d470db0e68af7f36c7c68c3a3

      SHA256

      a3f2df576e23e27904150abe24b4a03c7dfa2fb52bb847ab54e8b4cd0032103d

      SHA512

      9bab13a330e00a62e20957e4508e7ef2cef00187783363fdcdb23ce257e48d3ceb4a9b830f6e1b6021ecabdcb3bb3d2852b8d898b32bc506d30e7848c7fff51f

      Download Submit

    • C:\Windows\Installer\SFXCAC6BAF22F954A2FB9828B4B622816DB7B\WixToolset.Dtf.WindowsInstaller.dll
      Filesize

      193KB

      MD5

      ef8d5785ac8669f5fd54e22f52770e6b

      SHA1

      4c94ae7ef233be33a56c0a5d9b8e2211d5d5792c

      SHA256

      a614884ea627da1925131ebf41e8ae202caeac0fe543b86384f5eb2bfaf1aa75

      SHA512

      ab3b140bd6531f22e994606820e6511442c23d9015b1e1a38aaed43aa42ba29a996511151d0b3a383c05c2b11f670e52cdd7f507ad1a1ad8cebea57fb22ade5a

      Download Submit

    • C:\Windows\Installer\e57f388.msi
      Filesize

      5.3MB

      MD5

      b6a96e71ad5c0f9b96b2f1d7021e4e09

      SHA1

      73eabaad78c61de825ed0c8bec9e3b81f5568dbd

      SHA256

      834875b1149dde2148145b28f379c37235d4eb9671ddaeb7722b7c0e75c2aca9

      SHA512

      bff28c1b4b7e3ca6dbfdf44203bb06c0872e5b2e29eceea39f1669afc783527be40460d73d50ea1a9cee9583c8fd538f5b14f3481aa42cca1e0bef9da9c8a800

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      24.1MB

      MD5

      6a265612f3f380e5b337e63c350cafdf

      SHA1

      cafc81a37d36d38374241f553eb1f096a53c8aaa

      SHA256

      96211d84662bf05588dbd1a66b7729467b07a146d2d917bca85281fa7bf3a611

      SHA512

      d677b6dfbf100c0b66bb7fc1ef2117e06f592433cd9880e3aeede414adb4aa054728ca059dde5099d6b9ff2e2439db5100d5a82dbf2d8b2172fdd7801cb61129

      Download Submit

    • \??\Volume{25f6d1ca-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f10873ca-1ad3-4e23-9167-e33818fe2ed6}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      cc98ea343a4258ad86e79a8528281e65

      SHA1

      8dcbac3178ba12f460dad74af98549deb14757e8

      SHA256

      dcdc84e52af53404ab251c00e7c2243aeac6786a185d2e0af02b5a40610bd85a

      SHA512

      92eff0ab955a46f6b5bae4941a55684e990fd0a56c48a75de9f0a46e1e424332fe7ffee47d98d6a6e9e8b775ef1b1de67a901ad15eec477ad8371ff1de635e3f

      Download Submit

    • memory/448-18-0x00007FFFCE160000-0x00007FFFCE383000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/448-283-0x00007FFFCE160000-0x00007FFFCE383000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/1888-80-0x0000000004AF0000-0x0000000004B24000-memory.dmp

      Filesize

      208KB

      Download

    • memory/1888-94-0x0000000004BA0000-0x0000000004C06000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1888-92-0x0000000004AD0000-0x0000000004ADA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2312-135-0x00000000047B0000-0x0000000004808000-memory.dmp

      Filesize

      352KB

      Download