Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

aa42b46d10...0d.exe

windows7-x64

10

aa42b46d10...0d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    104s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    06/11/2022, 20:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa42b46d10c0f7817bde4ae103d536f9c25244b460313716d9fb05d713e4740d.exe

  • Size

    111KB

  • MD5

    0528fe938aaf7d057836ef38fc544600

  • SHA1

    8b5509a6684ce0f65b8cbb4c644d9d9b01587306

  • SHA256

    aa42b46d10c0f7817bde4ae103d536f9c25244b460313716d9fb05d713e4740d

  • SHA512

    ffdf46731aa4aae9b286bd38b1a45d696049cbd7ed95fa182a4ac24d1322360878f4142f4b130bbcdb6a11c123145e6fa961f9db8116e88ccb1a8f6d55aac630

  • SSDEEP

    3072:TROzoTq0+RO7IwnYY1z3kggaPhVDs8F5FGTS:1kdNwB3nDbG

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 4 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Loads dropped DLL 4 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa42b46d10c0f7817bde4ae103d536f9c25244b460313716d9fb05d713e4740d.exe
    "C:\Users\Admin\AppData\Local\Temp\aa42b46d10c0f7817bde4ae103d536f9c25244b460313716d9fb05d713e4740d.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1760
    • C:\Users\Admin\AppData\Local\Temp\aa42b46d10c0f7817bde4ae103d536f9c25244b460313716d9fb05d713e4740dSrv.exe
      C:\Users\Admin\AppData\Local\Temp\aa42b46d10c0f7817bde4ae103d536f9c25244b460313716d9fb05d713e4740dSrv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1332
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1064
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1064 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1660
    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:840
      • C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1268
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1716
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:380
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:380 CREDAT:275457 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:772
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:856
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:856 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2024

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    111KB

    MD5

    0528fe938aaf7d057836ef38fc544600

    SHA1

    8b5509a6684ce0f65b8cbb4c644d9d9b01587306

    SHA256

    aa42b46d10c0f7817bde4ae103d536f9c25244b460313716d9fb05d713e4740d

    SHA512

    ffdf46731aa4aae9b286bd38b1a45d696049cbd7ed95fa182a4ac24d1322360878f4142f4b130bbcdb6a11c123145e6fa961f9db8116e88ccb1a8f6d55aac630

    Download Submit

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    111KB

    MD5

    0528fe938aaf7d057836ef38fc544600

    SHA1

    8b5509a6684ce0f65b8cbb4c644d9d9b01587306

    SHA256

    aa42b46d10c0f7817bde4ae103d536f9c25244b460313716d9fb05d713e4740d

    SHA512

    ffdf46731aa4aae9b286bd38b1a45d696049cbd7ed95fa182a4ac24d1322360878f4142f4b130bbcdb6a11c123145e6fa961f9db8116e88ccb1a8f6d55aac630

    Download Submit

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5BC4F5F1-5E51-11ED-9ECC-C253C434FFA8}.dat
    Filesize

    3KB

    MD5

    6278ee11f0777f5f01cb0f9d631ab055

    SHA1

    86280c2411579f1f691c03997ddbe6675a80608b

    SHA256

    e3612f852e4a6be64b01ef42f392f79f583bed2cdcd0f97d3ac5c819a32c3701

    SHA512

    d604d1ac9fd209dd0b8d62dce1449033b73230a715f1401a7eec23c54dc6e5a01cf23993045b3fe5075ee1d0e3e70611b26c988507600d523e76a29d89f6b696

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5BF777A1-5E51-11ED-9ECC-C253C434FFA8}.dat
    Filesize

    3KB

    MD5

    7f6e8747af10920881aa9e65fb43e085

    SHA1

    1a0b20d5aafe395abe5c62f2d8565175fa8e190f

    SHA256

    ac073de116108735c5c58c69edab97bd45d236d84f5398061402e16b5c632dc8

    SHA512

    65bb17998ca369a857cc75624ab0f3ef13b323bc47a46325314bb2ed48b8881d1fa7eedfc10a5e05dad9d04e8b7441041ab8a06548098e21c6cb14697ba3ddf7

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5BF777A1-5E51-11ED-9ECC-C253C434FFA8}.dat
    Filesize

    5KB

    MD5

    db64e082b73fb8263cd94ef58a8a6bd9

    SHA1

    d76d1167536f5af6531483c0bc306ceed1445b46

    SHA256

    e71f3c6fe983aac0e07394709d9414b32b9d62db6e03eb12d0a218ab8b49d9c1

    SHA512

    ac56097a6edace46ee1af528cfb4316a21ed1ac5a040b6f51954395d8c80bdbdd836173c3592d27efecab2bd893953e16aa7f6787304804968755969cdb182a6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\aa42b46d10c0f7817bde4ae103d536f9c25244b460313716d9fb05d713e4740dSrv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\aa42b46d10c0f7817bde4ae103d536f9c25244b460313716d9fb05d713e4740dSrv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\Q5OWG2Z8.txt
    Filesize

    608B

    MD5

    fc885c2e348babab9d88bdf0a0e5f304

    SHA1

    f361dc8b65481543f1748cc4e3893c314339bed8

    SHA256

    de9d35c8f5d3dbaaee4171048b2d0ef45322a8e830d374d742e9bc27044ad98c

    SHA512

    f1404e8b4d1d2291252ecaff71c4af7cf486108825d1197412ddc8caa10f9823026e5a9ea4ff2027a762a0246bdd72212c5776391ce5aa17eeb83d5a4db82892

    Download Submit

  • \Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    111KB

    MD5

    0528fe938aaf7d057836ef38fc544600

    SHA1

    8b5509a6684ce0f65b8cbb4c644d9d9b01587306

    SHA256

    aa42b46d10c0f7817bde4ae103d536f9c25244b460313716d9fb05d713e4740d

    SHA512

    ffdf46731aa4aae9b286bd38b1a45d696049cbd7ed95fa182a4ac24d1322360878f4142f4b130bbcdb6a11c123145e6fa961f9db8116e88ccb1a8f6d55aac630

    Download Submit

  • \Program Files (x86)\Microsoft\DesktopLayer.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • \Program Files (x86)\Microsoft\DesktopLayerSrv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\aa42b46d10c0f7817bde4ae103d536f9c25244b460313716d9fb05d713e4740dSrv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • memory/840-70-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/1268-75-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1332-63-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1716-79-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1760-62-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/1760-54-0x0000000075931000-0x0000000075933000-memory.dmp

    Filesize

    8KB

    Download