Analysis

  • max time kernel
    146s
  • max time network
    186s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/11/2022, 17:06

General

  • Target

    94eed138dd1d5bfc0096ce68fab320f9c19715c2b80e28389de2d459cccaa980.dll

  • Size

    212KB

  • MD5

    049faf33ba7c114d745d210b9135c0a2

  • SHA1

    499cb0addab8ba34f9f3123f70778033db8e88df

  • SHA256

    94eed138dd1d5bfc0096ce68fab320f9c19715c2b80e28389de2d459cccaa980

  • SHA512

    f47b54a4aa762a3c3c6ad4b736f301b105840ca00249d89d83e8766f4e9145164a04b791629ea9c22b9d52e7bba503f7d0af04bafea121602f03794b11c9a17e

  • SSDEEP

    3072:wgKKuiX63bw5dNjDh8pWVgTlFIYntSUDONp/kYxXUKBAUCkHhDW:hKZp3KNjVGv0Tp/kYxXUPeRW

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that comprises viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\94eed138dd1d5bfc0096ce68fab320f9c19715c2b80e28389de2d459cccaa980.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3108
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\94eed138dd1d5bfc0096ce68fab320f9c19715c2b80e28389de2d459cccaa980.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:5016
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:5012
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:1740
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 208
                6⤵
                • Program crash
                PID:1116
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1748
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1748 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:2352
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2828
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2828 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:228
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1740 -ip 1740
      1⤵
        PID:652

      Network

      MITRE ATT&CK Enterprise v6

      Downloads

      • C:\Program Files (x86)\Microsoft\WaterMark.exe

        Filesize

        95KB

        MD5

        406159c750552b5507de7ddc58331f84

        SHA1

        17b76dd75ed8fea0c724665a119eb634e1ce241c

        SHA256

        141f156e86923e77eaf86e4889a3a860bee9409849638b825bbf970d72b8f3cf

        SHA512

        158ae6a016e94ec57b3213301c27953b59367294a0888634a4a952a8c569975aeaf5bad70f8649510cbb7e7c6ce7d1232535e22dad8b6b7f16f21a42d4630a0f

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        471B

        MD5

        80f22efce2b9390a36eea98657b6d1f4

        SHA1

        150d40f67639fccd130d8616ddc0cf623b491905

        SHA256

        227fafbbbd678543e247cfdbf8b5ff60e8fc576da70c2a3f0f735cab2652dd2d

        SHA512

        e2dc713b48477f7c98c0a0d42306745133476876805b4861ba1d76b11f3e9067fc83f3bc6ea350c1298f54dd3ff3ec00e0cb08fff5618df7d0f723900b93ddf4

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        434B

        MD5

        e383549ad8e74ad8fdfa2c9423ad69a2

        SHA1

        f9363c4ec7cad357be99d829f49ff7914fd15495

        SHA256

        1c6413471d0e683d18f44783e33a36678fb720aed1932a315b19757c6b1422d2

        SHA512

        bb81e56fda729a57e4f90b61abdb2656f8cf475cc461a8f2a0ac5cde0b06e783c05e41fa337d7934228b78fe87c209b462fcab1d624b10e9211402d9b140d7ba

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{52C9B5F8-5F58-11ED-B696-F6DE28FD18F9}.dat

        Filesize

        5KB

        MD5

        52800c935d1bc21668ee7682df2a332f

        SHA1

        d0b88b49ece3670194f8edb8cfb0def38d31a11e

        SHA256

        1238d83436949aabf847f51706055b4f55a6ad97979883d7f3f59a1c74613eaa

        SHA512

        d347d82a7c7bff7d7899e0bc6fd71f0235edf9ea816f2e1cdb573fb6151182424fd297ad3c2c2c7dbc8ad40298c8353fd71df23330cf524781eb0c639fd284f8

      • C:\Windows\SysWOW64\rundll32mgr.exe

        Filesize

        95KB

        MD5

        406159c750552b5507de7ddc58331f84

        SHA1

        17b76dd75ed8fea0c724665a119eb634e1ce241c

        SHA256

        141f156e86923e77eaf86e4889a3a860bee9409849638b825bbf970d72b8f3cf

        SHA512

        158ae6a016e94ec57b3213301c27953b59367294a0888634a4a952a8c569975aeaf5bad70f8649510cbb7e7c6ce7d1232535e22dad8b6b7f16f21a42d4630a0f

      • memory/5012-148-0x0000000000400000-0x0000000000476000-memory.dmp

        Filesize

        472KB

      • memory/5012-145-0x0000000000400000-0x0000000000476000-memory.dmp

        Filesize

        472KB

      • memory/5012-150-0x0000000000400000-0x0000000000476000-memory.dmp

        Filesize

        472KB

      • memory/5012-153-0x0000000000400000-0x0000000000476000-memory.dmp

        Filesize

        472KB

      • memory/5012-155-0x0000000000400000-0x0000000000476000-memory.dmp

        Filesize

        472KB

      • memory/5012-156-0x0000000000400000-0x0000000000476000-memory.dmp

        Filesize

        472KB

      • memory/5012-157-0x0000000000400000-0x0000000000476000-memory.dmp

        Filesize

        472KB

      • memory/5012-158-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/5016-142-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/5016-139-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/5016-138-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB