Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1cfeed31a2...92.dll

windows7-x64

8

1cfeed31a2...92.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    132s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/11/2022, 21:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1cfeed31a29583193c9ae6477ce9f4e50b86614a9794833e37792989660a1092.dll

  • Size

    408KB

  • MD5

    073500ec69c090b55df028bb28bc24e0

  • SHA1

    9654bb1883890b822767472ac54dc03791d6ac96

  • SHA256

    1cfeed31a29583193c9ae6477ce9f4e50b86614a9794833e37792989660a1092

  • SHA512

    5065df48ff09066d53b05a2ee714e9572831b4287b96a28306953824bd13eb87c6a29eaeb324afe719b29b04eff864ef9e1c2c991f56a4e587c13fac7464fe09

  • SSDEEP

    6144:N/u6A81l3T4/Db2TcwQGCbA2HiIasZsQeewQeeCQeesQeeKFQeefQeeytPUaYeza:I6A81u7QQGo9iILbtP6YLaYhCmc/Z/

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
    adwarespyware
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1cfeed31a29583193c9ae6477ce9f4e50b86614a9794833e37792989660a1092.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\1cfeed31a29583193c9ae6477ce9f4e50b86614a9794833e37792989660a1092.dll
      2⤵
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\SysWOW64\regsvr32mgr.exe
        C:\Windows\SysWOW64\regsvr32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:4648
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:536
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 208
                6⤵
                • Program crash
                PID:4428
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3408
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3408 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3156
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              PID:2052
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 536 -ip 536
      1⤵
        PID:1004

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        59KB

        MD5

        0e0f0ae845d89c22bb6385f64a6b85fd

        SHA1

        0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

        SHA256

        5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

        SHA512

        baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

        Download Submit

      • C:\Program Files (x86)\Microsoft\WaterMark.exe
        Filesize

        59KB

        MD5

        0e0f0ae845d89c22bb6385f64a6b85fd

        SHA1

        0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

        SHA256

        5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

        SHA512

        baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        0ef90204485649be625ea2be1b9018fb

        SHA1

        28fbc0852140ec51d0c097a4962a160afa4d754b

        SHA256

        c8028acd9a8c8c795b87cf835fc3182d003264608f161baa0ca020711b22bca0

        SHA512

        b8bbba0dcc6cb6f87efb47a605953c93fcf93c5a65520b822ebfee25754632d6bb66c2a946f457e1e40a92556683ddb9d14f2703782833e12d7e37bb3b7fcec5

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        434B

        MD5

        6a41fafe19d753217c8c5851c48bd07a

        SHA1

        994b623110f58fcf5d521062363b4beb894cb63c

        SHA256

        507097d5decb92f7a46cb59ac01970e8c1030cfb0cd5347a78a041d183cbf47d

        SHA512

        9d90df06cf40da7c5dc285c70462d24694bcf00ce29e5e9752c137cde8bb5458137be1ebddec5b6c653cc8eae193ac5086f1f30a48cb0689dd39db2c714e81ba

        Download Submit

      • C:\Windows\SysWOW64\regsvr32mgr.exe
        Filesize

        59KB

        MD5

        0e0f0ae845d89c22bb6385f64a6b85fd

        SHA1

        0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

        SHA256

        5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

        SHA512

        baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

        Download Submit

      • C:\Windows\SysWOW64\regsvr32mgr.exe
        Filesize

        59KB

        MD5

        0e0f0ae845d89c22bb6385f64a6b85fd

        SHA1

        0f3f1e7f18ab81572c5ce938d3880d4a5d7100ac

        SHA256

        5a5b85c582d5d4b3b912ee6789babebf8ae6d87330d0d33d87274841952899dd

        SHA512

        baec989a6329a2a60d954e83279fd57ba2000f8ed79e7a02d145bf44a5bffcd9a831c63f4b7d44e40c51e40b1dfbe72c5cebac04d0ce7b2295e3fd191b122350

        Download Submit

      • memory/2116-138-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2116-142-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/2116-139-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4648-150-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

        Download

      • memory/4648-151-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

        Download

      • memory/4648-152-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

        Download

      • memory/4648-153-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

        Download

      • memory/4648-154-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

        Download

      • memory/4648-155-0x0000000000400000-0x0000000000423000-memory.dmp

        Filesize

        140KB

        Download

      • memory/4648-156-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download