Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    206s
  • max time network
    180s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    07/11/2022, 17:06

General

  • Target

    94eed138dd1d5bfc0096ce68fab320f9c19715c2b80e28389de2d459cccaa980.dll

  • Size

    212KB

  • MD5

    049faf33ba7c114d745d210b9135c0a2

  • SHA1

    499cb0addab8ba34f9f3123f70778033db8e88df

  • SHA256

    94eed138dd1d5bfc0096ce68fab320f9c19715c2b80e28389de2d459cccaa980

  • SHA512

    f47b54a4aa762a3c3c6ad4b736f301b105840ca00249d89d83e8766f4e9145164a04b791629ea9c22b9d52e7bba503f7d0af04bafea121602f03794b11c9a17e

  • SSDEEP

    3072:wgKKuiX63bw5dNjDh8pWVgTlFIYntSUDONp/kYxXUKBAUCkHhDW:hKZp3KNjVGv0Tp/kYxXUPeRW

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:476
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:460
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs
          2⤵
            PID:868
            • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
              wmiadap.exe /F /T /R
              3⤵
                PID:1660
            • C:\Windows\system32\sppsvc.exe
              C:\Windows\system32\sppsvc.exe
              2⤵
                PID:1584
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                2⤵
                  PID:1544
                • C:\Windows\system32\taskhost.exe
                  "taskhost.exe"
                  2⤵
                    PID:1244
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                    2⤵
                      PID:592
                    • C:\Windows\System32\spoolsv.exe
                      C:\Windows\System32\spoolsv.exe
                      2⤵
                        PID:1008
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k NetworkService
                        2⤵
                          PID:296
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalService
                          2⤵
                            PID:824
                          • C:\Windows\System32\svchost.exe
                            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
                            2⤵
                              PID:796
                            • C:\Windows\System32\svchost.exe
                              C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                              2⤵
                                PID:740
                              • C:\Windows\system32\svchost.exe
                                C:\Windows\system32\svchost.exe -k RPCSS
                                2⤵
                                  PID:652
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k DcomLaunch
                                  2⤵
                                    PID:576
                                • C:\Windows\system32\winlogon.exe
                                  winlogon.exe
                                  1⤵
                                    PID:416
                                  • C:\Windows\system32\csrss.exe
                                    %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                    1⤵
                                      PID:376
                                    • C:\Windows\Explorer.EXE
                                      C:\Windows\Explorer.EXE
                                      1⤵
                                        PID:1412
                                        • C:\Windows\system32\rundll32.exe
                                          rundll32.exe C:\Users\Admin\AppData\Local\Temp\94eed138dd1d5bfc0096ce68fab320f9c19715c2b80e28389de2d459cccaa980.dll,#1
                                          2⤵
                                          • Suspicious use of WriteProcessMemory
                                          PID:1176
                                          • C:\Windows\SysWOW64\rundll32.exe
                                            rundll32.exe C:\Users\Admin\AppData\Local\Temp\94eed138dd1d5bfc0096ce68fab320f9c19715c2b80e28389de2d459cccaa980.dll,#1
                                            3⤵
                                            • Loads dropped DLL
                                            • Drops file in System32 directory
                                            • Suspicious use of WriteProcessMemory
                                            PID:1020
                                            • C:\Windows\SysWOW64\rundll32mgr.exe
                                              C:\Windows\SysWOW64\rundll32mgr.exe
                                              4⤵
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Drops file in Program Files directory
                                              • Suspicious use of UnmapMainImage
                                              • Suspicious use of WriteProcessMemory
                                              PID:1492
                                              • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                                                5⤵
                                                • Executes dropped EXE
                                                • Suspicious behavior: EnumeratesProcesses
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of UnmapMainImage
                                                • Suspicious use of WriteProcessMemory
                                                PID:1988
                                                • C:\Windows\SysWOW64\svchost.exe
                                                  C:\Windows\system32\svchost.exe
                                                  6⤵
                                                  • Modifies WinLogon for persistence
                                                  • Drops file in System32 directory
                                                  • Drops file in Program Files directory
                                                  PID:1468
                                                • C:\Windows\SysWOW64\svchost.exe
                                                  C:\Windows\system32\svchost.exe
                                                  6⤵
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:364
                                      • C:\Windows\system32\Dwm.exe
                                        "C:\Windows\system32\Dwm.exe"
                                        1⤵
                                          PID:1348
                                        • C:\Windows\system32\lsm.exe
                                          C:\Windows\system32\lsm.exe
                                          1⤵
                                            PID:484
                                          • C:\Windows\system32\wininit.exe
                                            wininit.exe
                                            1⤵
                                              PID:368
                                            • C:\Windows\system32\csrss.exe
                                              %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                              1⤵
                                                PID:332
                                              • C:\Windows\System32\smss.exe
                                                \SystemRoot\System32\smss.exe
                                                1⤵
                                                  PID:260

                                                Network

                                                MITRE ATT&CK Enterprise v6

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\Program Files (x86)\Microsoft\WaterMark.exe

                                                  Filesize

                                                  95KB

                                                  MD5

                                                  406159c750552b5507de7ddc58331f84

                                                  SHA1

                                                  17b76dd75ed8fea0c724665a119eb634e1ce241c

                                                  SHA256

                                                  141f156e86923e77eaf86e4889a3a860bee9409849638b825bbf970d72b8f3cf

                                                  SHA512

                                                  158ae6a016e94ec57b3213301c27953b59367294a0888634a4a952a8c569975aeaf5bad70f8649510cbb7e7c6ce7d1232535e22dad8b6b7f16f21a42d4630a0f

                                                • C:\Program Files (x86)\Microsoft\WaterMark.exe

                                                  Filesize

                                                  95KB

                                                  MD5

                                                  406159c750552b5507de7ddc58331f84

                                                  SHA1

                                                  17b76dd75ed8fea0c724665a119eb634e1ce241c

                                                  SHA256

                                                  141f156e86923e77eaf86e4889a3a860bee9409849638b825bbf970d72b8f3cf

                                                  SHA512

                                                  158ae6a016e94ec57b3213301c27953b59367294a0888634a4a952a8c569975aeaf5bad70f8649510cbb7e7c6ce7d1232535e22dad8b6b7f16f21a42d4630a0f

                                                • C:\Windows\SysWOW64\rundll32mgr.exe

                                                  Filesize

                                                  95KB

                                                  MD5

                                                  406159c750552b5507de7ddc58331f84

                                                  SHA1

                                                  17b76dd75ed8fea0c724665a119eb634e1ce241c

                                                  SHA256

                                                  141f156e86923e77eaf86e4889a3a860bee9409849638b825bbf970d72b8f3cf

                                                  SHA512

                                                  158ae6a016e94ec57b3213301c27953b59367294a0888634a4a952a8c569975aeaf5bad70f8649510cbb7e7c6ce7d1232535e22dad8b6b7f16f21a42d4630a0f

                                                • C:\Windows\SysWOW64\rundll32mgr.exe

                                                  Filesize

                                                  95KB

                                                  MD5

                                                  406159c750552b5507de7ddc58331f84

                                                  SHA1

                                                  17b76dd75ed8fea0c724665a119eb634e1ce241c

                                                  SHA256

                                                  141f156e86923e77eaf86e4889a3a860bee9409849638b825bbf970d72b8f3cf

                                                  SHA512

                                                  158ae6a016e94ec57b3213301c27953b59367294a0888634a4a952a8c569975aeaf5bad70f8649510cbb7e7c6ce7d1232535e22dad8b6b7f16f21a42d4630a0f

                                                • \Program Files (x86)\Microsoft\WaterMark.exe

                                                  Filesize

                                                  95KB

                                                  MD5

                                                  406159c750552b5507de7ddc58331f84

                                                  SHA1

                                                  17b76dd75ed8fea0c724665a119eb634e1ce241c

                                                  SHA256

                                                  141f156e86923e77eaf86e4889a3a860bee9409849638b825bbf970d72b8f3cf

                                                  SHA512

                                                  158ae6a016e94ec57b3213301c27953b59367294a0888634a4a952a8c569975aeaf5bad70f8649510cbb7e7c6ce7d1232535e22dad8b6b7f16f21a42d4630a0f

                                                • \Program Files (x86)\Microsoft\WaterMark.exe

                                                  Filesize

                                                  95KB

                                                  MD5

                                                  406159c750552b5507de7ddc58331f84

                                                  SHA1

                                                  17b76dd75ed8fea0c724665a119eb634e1ce241c

                                                  SHA256

                                                  141f156e86923e77eaf86e4889a3a860bee9409849638b825bbf970d72b8f3cf

                                                  SHA512

                                                  158ae6a016e94ec57b3213301c27953b59367294a0888634a4a952a8c569975aeaf5bad70f8649510cbb7e7c6ce7d1232535e22dad8b6b7f16f21a42d4630a0f

                                                • \Windows\SysWOW64\rundll32mgr.exe

                                                  Filesize

                                                  95KB

                                                  MD5

                                                  406159c750552b5507de7ddc58331f84

                                                  SHA1

                                                  17b76dd75ed8fea0c724665a119eb634e1ce241c

                                                  SHA256

                                                  141f156e86923e77eaf86e4889a3a860bee9409849638b825bbf970d72b8f3cf

                                                  SHA512

                                                  158ae6a016e94ec57b3213301c27953b59367294a0888634a4a952a8c569975aeaf5bad70f8649510cbb7e7c6ce7d1232535e22dad8b6b7f16f21a42d4630a0f

                                                • \Windows\SysWOW64\rundll32mgr.exe

                                                  Filesize

                                                  95KB

                                                  MD5

                                                  406159c750552b5507de7ddc58331f84

                                                  SHA1

                                                  17b76dd75ed8fea0c724665a119eb634e1ce241c

                                                  SHA256

                                                  141f156e86923e77eaf86e4889a3a860bee9409849638b825bbf970d72b8f3cf

                                                  SHA512

                                                  158ae6a016e94ec57b3213301c27953b59367294a0888634a4a952a8c569975aeaf5bad70f8649510cbb7e7c6ce7d1232535e22dad8b6b7f16f21a42d4630a0f

                                                • memory/364-93-0x0000000020010000-0x000000002001B000-memory.dmp

                                                  Filesize

                                                  44KB

                                                • memory/364-90-0x0000000020010000-0x000000002001B000-memory.dmp

                                                  Filesize

                                                  44KB

                                                • memory/1020-55-0x0000000075091000-0x0000000075093000-memory.dmp

                                                  Filesize

                                                  8KB

                                                • memory/1468-84-0x0000000020010000-0x0000000020022000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/1468-196-0x0000000020010000-0x0000000020022000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/1468-78-0x0000000020010000-0x0000000020022000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/1468-88-0x0000000020010000-0x0000000020022000-memory.dmp

                                                  Filesize

                                                  72KB

                                                • memory/1492-70-0x0000000000400000-0x0000000000421000-memory.dmp

                                                  Filesize

                                                  132KB

                                                • memory/1492-63-0x0000000000400000-0x0000000000421000-memory.dmp

                                                  Filesize

                                                  132KB

                                                • memory/1492-64-0x0000000000400000-0x0000000000421000-memory.dmp

                                                  Filesize

                                                  132KB

                                                • memory/1988-83-0x0000000000400000-0x0000000000476000-memory.dmp

                                                  Filesize

                                                  472KB

                                                • memory/1988-81-0x0000000000400000-0x0000000000476000-memory.dmp

                                                  Filesize

                                                  472KB

                                                • memory/1988-195-0x0000000000400000-0x0000000000421000-memory.dmp

                                                  Filesize

                                                  132KB