Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

ef712a3bc4...cc.exe

windows7-x64

10

ef712a3bc4...cc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/10/2022, 15:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ef712a3bc4d407164b90e871a13fb8162c6649b8ae2cb9ab0f1ad1becb49decc.exe

  • Size

    123KB

  • MD5

    82a10854ec4367256e19e8387a39af90

  • SHA1

    e1398773ca84efd6cda8accd1d37590b292b4eee

  • SHA256

    ef712a3bc4d407164b90e871a13fb8162c6649b8ae2cb9ab0f1ad1becb49decc

  • SHA512

    e6f63ecf235f6e89dc2028e32586bc3e853680efb54e147a56006754e79b6ab825ea543bffb73e2138e536d33877caa3ab139af8c0e681136d108b4191305aab

  • SSDEEP

    1536:zZnxm6MG9xgfrvEaoiT/GyphjXDYjKwttoswRmhApEC2v7i55XrUN:NnxwgxgfR/DVG7wBpEC2v7E7U

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 1 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 43 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ef712a3bc4d407164b90e871a13fb8162c6649b8ae2cb9ab0f1ad1becb49decc.exe
    "C:\Users\Admin\AppData\Local\Temp\ef712a3bc4d407164b90e871a13fb8162c6649b8ae2cb9ab0f1ad1becb49decc.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Program Files (x86)\Microsoft\WaterMark.exe
      "C:\Program Files (x86)\Microsoft\WaterMark.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:4976
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:1536
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 84
            4⤵
            • Program crash
            PID:2388
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1448
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1448 CREDAT:17410 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:3140
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:816
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:816 CREDAT:17410 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1804
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 1536 -ip 1536
      1⤵
        PID:1216

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        123KB

        MD5

        82a10854ec4367256e19e8387a39af90

        SHA1

        e1398773ca84efd6cda8accd1d37590b292b4eee

        SHA256

        ef712a3bc4d407164b90e871a13fb8162c6649b8ae2cb9ab0f1ad1becb49decc

        SHA512

        e6f63ecf235f6e89dc2028e32586bc3e853680efb54e147a56006754e79b6ab825ea543bffb73e2138e536d33877caa3ab139af8c0e681136d108b4191305aab

        Download Submit

      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        123KB

        MD5

        82a10854ec4367256e19e8387a39af90

        SHA1

        e1398773ca84efd6cda8accd1d37590b292b4eee

        SHA256

        ef712a3bc4d407164b90e871a13fb8162c6649b8ae2cb9ab0f1ad1becb49decc

        SHA512

        e6f63ecf235f6e89dc2028e32586bc3e853680efb54e147a56006754e79b6ab825ea543bffb73e2138e536d33877caa3ab139af8c0e681136d108b4191305aab

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        5ddb1febcd291eb59d3d67d24a05bfd0

        SHA1

        fe957affe27cb991f332e7f5c86d3a15359bd3b9

        SHA256

        ec45a385c906b3d925ebbe6532d10adec9a14c1733c756c64db5133bd9d88dcb

        SHA512

        62d00893402fae125ae3428da2495b0eb864b125f975cd887f894f7298a4a86f361cf50aaa7c9b69f3dcb734a950c43472778ea4062b3146c3de5623d08dcd21

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        434B

        MD5

        09bc8328ac7b972003fa9010f4e33eb0

        SHA1

        d4083fd48154198e4dba7a9ed5dd920ca68e7561

        SHA256

        ba52e573a8e936185024e78d9fc4eeb4da23b9c81334b68ebd94eb26a6438330

        SHA512

        314afde2027d811a1473380b8a1c4147b2d3ac32180583ac3aada85eb07356ac68b41e2f9c262ab263315c79f608a2731be0b2269c2015038e38dd03e31bb8e9

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B373426A-58EC-11ED-89AC-F22D08015D11}.dat
        Filesize

        5KB

        MD5

        5d78d8eba6e625e90bbd9cd9b3f13478

        SHA1

        6c3dda76ca8f6487ebc199995da2932a66d035a8

        SHA256

        db5419bfcc752a46e13c7702973c21190a383b73fcf420a15019ad358d2bad89

        SHA512

        3924f711d3c81cee898c6c53076b6f10dcc64d946e528d1ce43a29a6dabc8cbd93260e2d08f2f5daf6b231e68905dd10258dd31cd28a3ae84987ca9bed40877c

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{B37A6886-58EC-11ED-89AC-F22D08015D11}.dat
        Filesize

        5KB

        MD5

        b057a6ec30cf35dba1e382b422fd9a6b

        SHA1

        396fd2b2f572e99f7f46a4dee3f95670afbb2eba

        SHA256

        193fbb97b8536144a869b10b21509d7bcd6f1047eeefd71bcf7fd54d1d54a07e

        SHA512

        5ba70f5d96458e45cfca42a237d8a8dcf1cf46e89005561a17d99547b573e142fef8f7d09e3967b263b39ac53d1fbd1856781191398db5fcc5dc1465afa91719

        Download Submit

      • memory/4976-148-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/4976-146-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/4976-147-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/4976-145-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/4976-153-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/4976-154-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/4976-155-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/4976-156-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/5000-132-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/5000-140-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/5000-136-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/5000-135-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download