Analysis

  • max time kernel: 97s
  • max time network: 156s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220812-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 30/10/2022, 23:00

General

  • Target

    f8def8b24b0be3bbcaa206f280b56721146c5ab08561a8cdffb29c30a30c1773.dll

  • Size

    204KB

  • MD5

    a16e83a2617be2ff5e86b6b2de237312

  • SHA1

    7c7e5ebffa3be85ac226bacb5fbe9cd96426c0cd

  • SHA256

    f8def8b24b0be3bbcaa206f280b56721146c5ab08561a8cdffb29c30a30c1773

  • SHA512

    35f26cd09f31b788839d431ff951c97f33c92532015d5db4cec2a5a5dbbb8374ca957a433802a30265964616104dce2f3b9b0f8716fc9cf9c348e615561f2c92

  • SSDEEP

    3072:tZmu9K33WSwdJ/tILtAPrL+oxdvKjD4NCgKZrYBcYznTbKXa:t8b33QqUrSJDZrY+YTTbKXa

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Executes dropped EXE (2 IoCs)
  • UPX packed file (13 IoCs)

    Detects executables packed with the UPX open-source packer or a modified UPX.

  • Drops file in System32 directory (1 IoC)
  • Drops file in Program Files directory (3 IoCs)
  • Program crash (1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 41 IoCs)
  • Suspicious behavior: EnumeratesProcesses (16 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SetWindowsHookEx (10 IoCs)
  • Suspicious use of UnmapMainImage (2 IoCs)
  • Suspicious use of WriteProcessMemory (28 IoCs)

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8def8b24b0be3bbcaa206f280b56721146c5ab08561a8cdffb29c30a30c1773.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2000
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\f8def8b24b0be3bbcaa206f280b56721146c5ab08561a8cdffb29c30a30c1773.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3708
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:4920
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:4908
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:792
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 204
                6⤵
                • Program crash
                PID:4964
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4524
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4524 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4220
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2584
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2584 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4444
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 792 -ip 792
      1⤵
        PID:4448

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe

        Filesize

        59KB

        MD5

        0e0f0ae845d89c22bb6385f64a6b85fd

        SHA1

        0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

        SHA256

        5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

        SHA512

        baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        471B

        MD5

        deabbdcb221537d48aed54816739f367

        SHA1

        9ce0f0d21d9bd08823732047e19edbbd909396bc

        SHA256

        494de69d83714780f68a1e6871716f3a4a10835e90b4f96e48610c3e8f39e9cf

        SHA512

        95a80c34ddb83e74e51e5d0884dc7433de78b956db8fb2b1fb54e0f158283991edacafd3e7653161767a69f25f9cf537cc1a654d20e3f27bbc54588b3b4bf5e8

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        434B

        MD5

        b2e6572cce5c74a1aa710a97bf44b159

        SHA1

        d4e70fec042752768bcac06e74bfb26b24e22e65

        SHA256

        c73c8f33ef1a6e673fa6a41d4c6018bb530c11e16c2c865221255a2cdc7732fe

        SHA512

        dc8645879fad3a34ebc8638e37eaf47ea33a06d5935d286c0448cabc0dfbea4bb541523cb98e56ddbdad14d4315253bcb6510b5ce98a09220d75e322a6d3d574

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2188FC48-5949-11ED-B696-EE6CABA3804C}.dat

        Filesize

        5KB

        MD5

        3159cd3c2f1ee733c9da098cd9783147

        SHA1

        fb39add780f4c74b370d6bf65c5b7469f0360758

        SHA256

        978d55b5d38bf4eb4642e236ac6abf424e9616fa352c6607c3271cc1cc31ed1e

        SHA512

        af20638711e18df861e3f5efda20571ed8ff7d662d46cd79fb18cc9b5b836c35f4f2e1b51b3a88f05253851f2912dc3936e1d6b223e7c81d510f6234680ea23c

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{218B60A1-5949-11ED-B696-EE6CABA3804C}.dat

        Filesize

        5KB

        MD5

        1d5de58cdce72dc6b0e3645e0f6840c3

        SHA1

        5894b83ce65d1dd48803245475b0d9ecd25ea9e6

        SHA256

        cf6ab39e18162ace2088297a61a43f4ca3e1f6f1e5091ea5024409d5761c28ff

        SHA512

        5c8db4b5645bbc4302068e3cfc33a2e957a08e99c2537204ddf5f6b41243744edf04c31b0cb5ab5b8075c5013350b12ce4df2b97485c4c0419db3179d1ee7906

      • C:\Windows\SysWOW64\rundll32mgr.exe

        Filesize

        59KB

        MD5

        0e0f0ae845d89c22bb6385f64a6b85fd

        SHA1

        0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

        SHA256

        5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

        SHA512

        baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

      • memory/3708-140-0x0000000074D30000-0x0000000074D65000-memory.dmp

        Filesize

        212KB

      • memory/4908-154-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

      • memory/4908-159-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

      • memory/4908-162-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4908-161-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

      • memory/4908-155-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

      • memory/4908-156-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

      • memory/4908-160-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

      • memory/4920-142-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

      • memory/4920-139-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4920-143-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

      • memory/4920-138-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4920-151-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4920-141-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB