Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    135s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/10/2022, 23:12

General

  • Target

    6976a152e57713286649d7b0f0f4368630f8ba92076a35be68436d4a0505650d.dll

  • Size

    1.0MB

  • MD5

    91e44b8441750665ec9555b85eb829a6

  • SHA1

    8a1b06c84327675fac5f062be08f4b725a3466fb

  • SHA256

    6976a152e57713286649d7b0f0f4368630f8ba92076a35be68436d4a0505650d

  • SHA512

    a4cf552b7fb3a0a59b8485dd1b512a9a52590a890a8d6f74bd4e8510c4c1ece19e561434b3a8909a80c0721f511de015d41f9c980f801340f1358e86bcb88a1d

  • SSDEEP

    12288:895fV5eE+ecfmq8yAKwGslW++O4G3C+fb+WhlPwtWewUAf:mfD+eqD8yAKwGslW+QGyYbEtWi

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 25 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6976a152e57713286649d7b0f0f4368630f8ba92076a35be68436d4a0505650d.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1436
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\6976a152e57713286649d7b0f0f4368630f8ba92076a35be68436d4a0505650d.dll
      2⤵
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4388
      • C:\Windows\SysWOW64\regsvr32Srv.exe
        C:\Windows\SysWOW64\regsvr32Srv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1216
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:5088
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4476
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4476 CREDAT:17410 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1292

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe

    Filesize

    56KB

    MD5

    83f5a64a268f21c7c6d6dd54ce8a88c2

    SHA1

    61376a625d7d389c5c1646aa534f1ef3135da2f4

    SHA256

    c0b96c44a00557b60df0fa0ac9b129ac07d5b93c669f4a3c98276d113ff6962c

    SHA512

    4cddbd07e10c93d23efd1560084f0482520f90f252d6e90380222f0d13ac3bf3587fbddb3033a6b06d550838731db072001197cb3283e4686f5b8bd5b6d894f1

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe

    Filesize

    56KB

    MD5

    83f5a64a268f21c7c6d6dd54ce8a88c2

    SHA1

    61376a625d7d389c5c1646aa534f1ef3135da2f4

    SHA256

    c0b96c44a00557b60df0fa0ac9b129ac07d5b93c669f4a3c98276d113ff6962c

    SHA512

    4cddbd07e10c93d23efd1560084f0482520f90f252d6e90380222f0d13ac3bf3587fbddb3033a6b06d550838731db072001197cb3283e4686f5b8bd5b6d894f1

  • C:\Windows\SysWOW64\regsvr32Srv.exe

    Filesize

    56KB

    MD5

    83f5a64a268f21c7c6d6dd54ce8a88c2

    SHA1

    61376a625d7d389c5c1646aa534f1ef3135da2f4

    SHA256

    c0b96c44a00557b60df0fa0ac9b129ac07d5b93c669f4a3c98276d113ff6962c

    SHA512

    4cddbd07e10c93d23efd1560084f0482520f90f252d6e90380222f0d13ac3bf3587fbddb3033a6b06d550838731db072001197cb3283e4686f5b8bd5b6d894f1

  • C:\Windows\SysWOW64\regsvr32Srv.exe

    Filesize

    56KB

    MD5

    83f5a64a268f21c7c6d6dd54ce8a88c2

    SHA1

    61376a625d7d389c5c1646aa534f1ef3135da2f4

    SHA256

    c0b96c44a00557b60df0fa0ac9b129ac07d5b93c669f4a3c98276d113ff6962c

    SHA512

    4cddbd07e10c93d23efd1560084f0482520f90f252d6e90380222f0d13ac3bf3587fbddb3033a6b06d550838731db072001197cb3283e4686f5b8bd5b6d894f1

  • memory/1216-138-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/4388-140-0x0000000014400000-0x000000001450A000-memory.dmp

    Filesize

    1.0MB

  • memory/5088-142-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/5088-141-0x0000000000500000-0x0000000000511000-memory.dmp

    Filesize

    68KB