Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    130s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2022, 00:12

General

  • Target

    3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472ab.exe

  • Size

    120KB

  • MD5

    6811f0e3f548ed3e1ae20c14d5696337

  • SHA1

    c8ae6a73b6b4ff522ad4bbf88e0b99f55bba0dd1

  • SHA256

    3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472ab

  • SHA512

    257d9744c1aa39c83245e65e47f3c4dd20827efc0db0e8f64ab4aaa71acfc476024ae67a57e8a1c2439e3f9423cb2aeb8cd9b2022bb9897c9c4d90c4d0e63cec

  • SSDEEP

    1536:rnySyxBTTYFU3jARV5nmIyjB7xZDDBbrjTosSo2cvoXqoDZyUxnLiUc76Wr5:rySxFQKV5E5TDDB/osSjrXqoN676W1

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472ab.exe
    "C:\Users\Admin\AppData\Local\Temp\3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472ab.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2004
    • C:\Users\Admin\AppData\Local\Temp\3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472abSrv.exe
      C:\Users\Admin\AppData\Local\Temp\3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472abSrv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1380
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4960
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4960 CREDAT:17410 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4944
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4084

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe

      Filesize

      24KB

      MD5

      cb27387ec034a4f0a3c79303d3c9fb08

      SHA1

      5d648bb93f4e41167062d019dc582d353c53db22

      SHA256

      a4a3c7d8f63aca29c7c5644a438005bd79bddcc5fe5ad1bc6a1e5a1214925dcc

      SHA512

      6af1e680c1309a0810f5535827f7b0103d83e73e93c1a9295f992b65416b7b2025a3b1159040902b7a4cc096dd8f2b5d2ae5ed3a33e41160bdc4aeb9103af603

    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe

      Filesize

      24KB

      MD5

      cb27387ec034a4f0a3c79303d3c9fb08

      SHA1

      5d648bb93f4e41167062d019dc582d353c53db22

      SHA256

      a4a3c7d8f63aca29c7c5644a438005bd79bddcc5fe5ad1bc6a1e5a1214925dcc

      SHA512

      6af1e680c1309a0810f5535827f7b0103d83e73e93c1a9295f992b65416b7b2025a3b1159040902b7a4cc096dd8f2b5d2ae5ed3a33e41160bdc4aeb9103af603

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

      Filesize

      471B

      MD5

      fceed7a5f76725fb398c6a91ff552899

      SHA1

      237aec000ae7c7c35a639664b1ad6c0d842a0749

      SHA256

      2888c66a6908f10474313b2fef31aeeff40cffe1bcbd19b84b29334ff6a71383

      SHA512

      adfba4e72523d38395c13122d6498d9b48d93b2967858f0208549e3830c9b47ee3e98249b98fe585aeeeffe491a6985a98c80a3be581abccf4239bad4d1cdef3

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

      Filesize

      404B

      MD5

      82dc1b5c10eab14c24f7aa6205e47caf

      SHA1

      3be78f43b08f5ef77fcba9d4ef7507cf5bb71037

      SHA256

      2a3764ba3c85d5a1807a2085aa22dfc508906122fac2947b8b49b2ba8d5d485d

      SHA512

      2369f9760ca108425a0b409fca5208377d5b40bf3b6f785509014e8af3184b9672ddad470f8e6fda83e6cfc24656b63a3ed212c02e26b9ed07dcb8884f0a18e0

    • C:\Users\Admin\AppData\Local\Temp\3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472abSrv.exe

      Filesize

      24KB

      MD5

      cb27387ec034a4f0a3c79303d3c9fb08

      SHA1

      5d648bb93f4e41167062d019dc582d353c53db22

      SHA256

      a4a3c7d8f63aca29c7c5644a438005bd79bddcc5fe5ad1bc6a1e5a1214925dcc

      SHA512

      6af1e680c1309a0810f5535827f7b0103d83e73e93c1a9295f992b65416b7b2025a3b1159040902b7a4cc096dd8f2b5d2ae5ed3a33e41160bdc4aeb9103af603

    • C:\Users\Admin\AppData\Local\Temp\3396cd091b35fde46a8422352aecdd08cfdff2b0a2d8bea9c999c430e1a472abSrv.exe

      Filesize

      24KB

      MD5

      cb27387ec034a4f0a3c79303d3c9fb08

      SHA1

      5d648bb93f4e41167062d019dc582d353c53db22

      SHA256

      a4a3c7d8f63aca29c7c5644a438005bd79bddcc5fe5ad1bc6a1e5a1214925dcc

      SHA512

      6af1e680c1309a0810f5535827f7b0103d83e73e93c1a9295f992b65416b7b2025a3b1159040902b7a4cc096dd8f2b5d2ae5ed3a33e41160bdc4aeb9103af603

    • memory/1380-140-0x0000000000400000-0x0000000000413000-memory.dmp

      Filesize

      76KB

    • memory/2004-132-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/2004-141-0x0000000000400000-0x0000000000421000-memory.dmp

      Filesize

      132KB

    • memory/2128-138-0x0000000000400000-0x0000000000413000-memory.dmp

      Filesize

      76KB