Analysis

  • max time kernel
    133s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/10/2022, 23:13

General

  • Target

    5c3a3e92dcfea0262d820e37fed142650fb02aac4ed4bc0e8e218e24708a8cd2.dll

  • Size

    275KB

  • MD5

    a130da82f39d8bad198cbbf5e213e470

  • SHA1

    2489c6fd0ef7989180d68865b41dbeafd8bc5c91

  • SHA256

    5c3a3e92dcfea0262d820e37fed142650fb02aac4ed4bc0e8e218e24708a8cd2

  • SHA512

    bb04db4a7a89019316290dabff9845b9326217a361d3cd6630821887d8a26eb1f1d41000c5566fff8882c41144cb52152dbbc81df1fbc7741af09fd10fcf3f65

  • SSDEEP

    3072:UnMoFkOKCg3CXmSSZlzgeBTg4vRPo5NNFs+XNtUU/chmcFTulOVq5pNOM9hioVE5:UMJOWK4l0wqOVq1Iy1uULkpeI

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that encompasses viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX variant.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c3a3e92dcfea0262d820e37fed142650fb02aac4ed4bc0e8e218e24708a8cd2.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c3a3e92dcfea0262d820e37fed142650fb02aac4ed4bc0e8e218e24708a8cd2.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:984
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:4932
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:4804
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:440
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 440 -s 208
                6⤵
                • Program crash
                PID:2636
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1100
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1100 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2436
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:948
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:948 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:320
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 440 -ip 440
      1⤵
        PID:3056

      Network

      MITRE ATT&CK Enterprise v6


      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe

        Filesize

        124KB

        MD5

        f0e18ddeb04313caa6b28a5e1634d73c

        SHA1

        70c359935a774ff3e82d394c902ad6c3f601e019

        SHA256

        d3d1e572afbb0158b52b787342f5ce72baebed1edbff1844c682dbdc65b20aab

        SHA512

        296355b15b90bfa30a20b22c6bfad39a28fb94d72ce43e918026ad531ace8d5a4fe9e6d895b53c2e0411aaaea7053b016b3c887142ca3205d7f125771e636e47

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6C0256EF-594A-11ED-B696-EE6CABA3804C}.dat

        Filesize

        3KB

        MD5

        6e51fefa9f9f94b10f2efa162c6720f5

        SHA1

        feaa3a9ba1650cd707798b5647f8d8307e9db5b9

        SHA256

        699e1bb00cb6c0e4191e8ed24c7bbd1f0c78dcc1324b0c09a7f29837f7a6939c

        SHA512

        526e5b52763c9fcb8bfb6a3b1aff813129b704763b22ee101c659d7a23e838b82ea5e8b85c957c94ddc5a53d2a9ca05864762a51807d25f955738e1cb1599c08

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6C097EB5-594A-11ED-B696-EE6CABA3804C}.dat

        Filesize

        5KB

        MD5

        816555bcff2df8239c771dabfea8e38c

        SHA1

        f6bb3fa7baddb9987dd5aec1ef9a231b328f989e

        SHA256

        90886b9a45846f3d5070ce9a9ba56338b83bce58213b1d1814add99a8e112084

        SHA512

        1db1d44d365a0551a14656a7c276517f013238811e8d7db8ebd62d30ac263f6ba1618ff07c4f3c8c15d141e4a539449baa592086bc64296628c421a3d7caf815

      • C:\Windows\SysWOW64\rundll32mgr.exe

        Filesize

        124KB

        MD5

        f0e18ddeb04313caa6b28a5e1634d73c

        SHA1

        70c359935a774ff3e82d394c902ad6c3f601e019

        SHA256

        d3d1e572afbb0158b52b787342f5ce72baebed1edbff1844c682dbdc65b20aab

        SHA512

        296355b15b90bfa30a20b22c6bfad39a28fb94d72ce43e918026ad531ace8d5a4fe9e6d895b53c2e0411aaaea7053b016b3c887142ca3205d7f125771e636e47

      • memory/984-150-0x0000000010000000-0x0000000010049000-memory.dmp

        Filesize

        292KB

      • memory/4804-154-0x0000000000400000-0x0000000000459000-memory.dmp

        Filesize

        356KB

      • memory/4804-151-0x0000000000400000-0x0000000000459000-memory.dmp

        Filesize

        356KB

      • memory/4804-152-0x0000000000400000-0x0000000000459000-memory.dmp

        Filesize

        356KB

      • memory/4804-153-0x0000000000400000-0x0000000000459000-memory.dmp

        Filesize

        356KB

      • memory/4804-157-0x0000000000400000-0x0000000000459000-memory.dmp

        Filesize

        356KB

      • memory/4804-158-0x0000000000400000-0x0000000000459000-memory.dmp

        Filesize

        356KB

      • memory/4804-159-0x0000000000400000-0x0000000000459000-memory.dmp

        Filesize

        356KB

      • memory/4804-160-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4932-143-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4932-139-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4932-138-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB