Analysis

  • max time kernel
    147s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    30/10/2022, 23:18

General

  • Target

    18dc15f41427c95f60223f932d4824bac7ace4e10d1bc80e5795073d9a6ff313.dll

  • Size

    232KB

  • MD5

    a2318417e27e7217a2e9cbc74037d740

  • SHA1

    f67755a65ea0048eee267cb40d6bf9ef667c257e

  • SHA256

    18dc15f41427c95f60223f932d4824bac7ace4e10d1bc80e5795073d9a6ff313

  • SHA512

    b29ecf4e4893e402f1d87a735923d86fe306f30e1b405bcff8fe9c1f4b3a5df5ad2f5b45948fde829559d4faf3574c7c1d6fb5d16dc20582614886ef0e95d82b

  • SSDEEP

    3072:SCuuNCRs/Pj03pJEEC9ti9pocimFFVW6E1fZim4v5TRRJBYeBTg4vRPW9vc/Bm6+:SCIGPj038tAgFMldWNX+VBBRdCcvfr8d

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 55 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\18dc15f41427c95f60223f932d4824bac7ace4e10d1bc80e5795073d9a6ff313.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4992
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\18dc15f41427c95f60223f932d4824bac7ace4e10d1bc80e5795073d9a6ff313.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1044
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:5116
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3416
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4504
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 204
              6⤵
              • Program crash
              PID:2424
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 204
              6⤵
              • Program crash
              PID:3164
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4628
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4628 CREDAT:17410 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1396
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4824
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4824 CREDAT:17410 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:4664
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 608
        3⤵
        • Program crash
        PID:2336
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 608
        3⤵
        • Program crash
        PID:1600
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1044 -ip 1044
    1⤵
    PID:4904
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4504 -ip 4504
    1⤵
    PID:3304

Network

MITRE ATT&CK Enterprise v6

Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe

        Filesize

        65KB

        MD5

        849ef19ec0155d79d4fa5bfb5657b106

        SHA1

        eb7e7ff208ecb40d35755d8f36e31e2482166299

        SHA256

        8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

        SHA512

        30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\69C6F6EC64E114822DF688DC12CDD86C

        Filesize

        779B

        MD5

        004e1f9f2b4726e5564e16c49fb4a831

        SHA1

        b57e588e3371a7fee13eaa737aefdf4e126dcf51

        SHA256

        bad8f107566ae2c13676df6b3c67da0642b6c850a6705acac03f460a6adb8dab

        SHA512

        5971b426d98c2f4e66708d490f513d66f85b89aa31479ec8e60e6b54b2afe32b77cf8d853d367f5ee173685129d0ba179739be5cf72a11a641d1cee6a28c75c4

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

        Filesize

        340B

        MD5

        d91f5d26a78d313236a162c2cde6863b

        SHA1

        57b101b636b00f741c29566a79170d2e93e28878

        SHA256

        1852e1294db4c11987b4bef6420fd858d8df1e364bc17ea87502a2b0319de358

        SHA512

        41109694d7207d4c2a69d72683e985f921a65644a7eb1cebb28a0ee0547c8c26333a5aacf805785ce70eb26e8888bdc42f726eecbffb03deb027b8b7ad6f381e

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C

        Filesize

        246B

        MD5

        3db2e51f17e30894eb2d681ba08ddffa

        SHA1

        b47838a1c7229390482c923615a79bfed6745536

        SHA256

        295ba9d0b1c0744023f2bbed7cb92fbbeea31c45733cb4ff5473e433175d1bf2

        SHA512

        002fc8d61f978d46a97484e0a90779e6b85f6f18309ec01eb77dcdbfa03d8d082fcab6a5d87ef303252f874ea5a8001dacb380142f1542428d97a979e14c10f6

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C

        Filesize

        246B

        MD5

        5a4116d0952b102268aa64d11098652f

        SHA1

        cb1e721cd198fd370c3cb9d488b21c546f1a0da9

        SHA256

        7c8693d4ea143b55deafe55c3a9dec79d11c50a4a55f0aa1b0b388d6d72b6c6d

        SHA512

        7b0888885f03c8962f18f26450f33f236d03890048af41e598b61272e22684465109d3dad97be96f595436ffe8ffc08921f7166e19a86fc5de7fa75b86e9f001

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A1338ABE-594C-11ED-89AC-FA09CB65A760}.dat

        Filesize

        5KB

        MD5

        96385c378cd22d0efee5ac8591faedbb

        SHA1

        13b2c750ecd943131c9e8b7938ee2c065dafb82f

        SHA256

        560f612b6f5c2cc209e8532b6fb8503112e1e92e8ec8519b59adcd37673d7f40

        SHA512

        1922a09625e3a19a9fabb335b9ac56226c117afab69fa581c1ef29f62a90049657b37cd0a6e481f4d63bab5c48bab3977f9dffad82532f9ac9bff07bbeba330b

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{A133B1CE-594C-11ED-89AC-FA09CB65A760}.dat

        Filesize

        5KB

        MD5

        6fc9995180efb57eab4dece9e02e4d99

        SHA1

        17fa96cb532646b63ba4c95c07307410532f4bd1

        SHA256

        95d0dd841292a539ac877da3fd7f52b36ec976165302bdc30dde58dcd3a247eb

        SHA512

        a1049e31a267f909f5e2eae0d37a3948854c21141059c1414bdc10e8b932412f94b748c503f32df37ec6e7aecbad206320163bae7d3864cd99440487604ae986

      • C:\Windows\SysWOW64\rundll32mgr.exe

        Filesize

        65KB

        MD5

        849ef19ec0155d79d4fa5bfb5657b106

        SHA1

        eb7e7ff208ecb40d35755d8f36e31e2482166299

        SHA256

        8b853e963eab5aa857b640be1d07d605a8bf6dd8bdf8884505b05034bbd87e04

        SHA512

        30384d9943f7eca4efbdcac52d3dd9c14446a2d75dc04ce4047feabe037c5177138f6bdcb055939dcc47608dfb50a54c9676f795d850c9a9de353f90252053a2

      • memory/1044-143-0x0000000010000000-0x000000001003E000-memory.dmp

        Filesize

        248KB

      • memory/3416-145-0x0000000000460000-0x0000000000481000-memory.dmp

        Filesize

        132KB

      • memory/3416-149-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/3416-146-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/3416-144-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/5116-138-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/5116-140-0x0000000000640000-0x0000000000661000-memory.dmp

        Filesize

        132KB