Analysis

  • max time kernel
    90s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21/11/2022, 10:58

General

  • Target

    5261bf6c5a4f164a30a156228fcb462ef494b13f09e0118281e4bab09bf85b4d.dll

  • Size

    146KB

  • MD5

    3db02f7484620ed80e7a061b404e9670

  • SHA1

    1cc1fcd5ad4016fe6c8a0d818f8689c0974f48ba

  • SHA256

    5261bf6c5a4f164a30a156228fcb462ef494b13f09e0118281e4bab09bf85b4d

  • SHA512

    42019f6522df70772c1b8e2a6eb3a075abd79cc332d8101f504bcf0030568a46df0cfde90fc69488398feb8d9a22b50d6ed99d7e5aef5848268b1a18afe271ab

  • SSDEEP

    3072:i0X2G5DFaSgjvVdtThFK8+eN0YsNHC8G9ciejdsZC7H:io2iMj5h+dRHpKcOg

Malware Config

Signatures

  • Ramnit

    Ramnit is a long-lived, versatile malware family whose variants include file-infecting viruses, worms, and banking/credential-stealing trojans; infected DLLs typically drop a helper executable and inject into the browser.

  • Executes dropped EXE 3 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 49 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
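
The "UPX packed file" signature above is a static check on the PE section table. The Python below is an added example, not tria.ge's own detection logic, that reproduces the idea: it parses the section headers, looks for the UPX0/UPX1 section names and the UPX! pack-header marker, and, for modified UPX builds that rename their sections, falls back to the structural tell (an empty first section that the stub unpacks into at run time, followed by a section of near-maximal entropy). The sample images are constructed inside the block with a minimal header (SizeOfOptionalHeader is 0, which no real executable has); the `build_test_image` helper, the sample contents and the 7.0 bits-per-byte entropy threshold are assumptions made here.

```python
import math
import random
import struct

COFF_HDR = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER (20 bytes)
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER (40 bytes)
HIGH_ENTROPY = 7.0                           # assumed threshold, bits per byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~8.0 for compressed/encrypted data, far lower for code."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk the section table; return (name, VirtualSize, SizeOfRawData, entropy) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = COFF_HDR.unpack_from(pe, e_lfanew + 4)
    num_sections, size_of_optional = coff[1], coff[5]
    table = e_lfanew + 4 + COFF_HDR.size + size_of_optional
    sections = []
    for i in range(num_sections):
        name, vsize, _va, rsize, rptr, *_ = SECTION_HDR.unpack_from(pe, table + i * SECTION_HDR.size)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, rsize, shannon_entropy(raw)))
    return sections


def looks_upx_packed(pe: bytes) -> dict:
    """Three tells, strongest first; any one of them is enough to flag the image."""
    sections = parse_sections(pe)
    reasons = []
    if any(s[0].upper().startswith("UPX") for s in sections):
        reasons.append("UPX section names")
    if b"UPX!" in pe:  # pack-header magic written by stock UPX; trivially stripped by modified builds
        reasons.append("UPX! pack-header marker")
    # Renamed-section case: the first section is empty on disk (raw size 0, large virtual
    # size) and is filled by the stub at run time; the compressed payload sits in a later
    # section and has near-maximal entropy.
    first = sections[0] if sections else None
    if first and first[2] == 0 and first[1] > 0 and \
            any(s[2] > 0 and s[3] >= HIGH_ENTROPY for s in sections[1:]):
        reasons.append("empty first section + high-entropy payload")
    return {"packed": bool(reasons), "reasons": reasons, "sections": sections}


def build_test_image(names, payloads) -> bytes:
    """Constructed minimal PE for the example: DOS stub, COFF header with no optional
    header, section table, then the raw section data. Not a loadable executable."""
    e_lfanew = 0x40
    n = len(names)
    data_off = e_lfanew + 4 + COFF_HDR.size + n * SECTION_HDR.size
    image = bytearray(b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew))
    image += b"PE\0\0" + COFF_HDR.pack(0x14C, n, 0, 0, 0, 0, 0x0102)
    body = bytearray()
    for name, payload in zip(names, payloads):
        raw_size = len(payload)
        raw_ptr = data_off + len(body) if raw_size else 0
        image += SECTION_HDR.pack(name.ljust(8, b"\0"), raw_size or 0x10000, 0x1000,
                                  raw_size, raw_ptr, 0, 0, 0, 0, 0xE0000040)
        body += payload
    return bytes(image + body)


# Constructed sample contents: a deterministic pseudo-random blob stands in for a
# compressed payload; NOP sleds and zeros stand in for ordinary low-entropy sections.
_rng = random.Random(20221121)
COMPRESSED = bytes(_rng.getrandbits(8) for _ in range(4096))
PLAIN_CODE = b"\x90" * 4096
SAMPLES = {
    "stock_upx": build_test_image([b"UPX0", b"UPX1", b".rsrc"], [b"", COMPRESSED, b"\0" * 64]),
    "renamed_upx": build_test_image([b".text", b".data", b".rsrc"], [b"", COMPRESSED, b"\0" * 64]),
    "unpacked": build_test_image([b".text", b".data"], [PLAIN_CODE, b"\0" * 64]),
}


def demo() -> dict:
    """Verdict for each constructed sample, keyed by sample name."""
    return {label: looks_upx_packed(image) for label, image in SAMPLES.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:12s} packed={verdict['packed']}  reasons={verdict['reasons']}")
```

The section-name and marker checks are what a stock UPX build trips; the third rule is what catches a "modified UPX" that has renamed UPX0/UPX1 and removed the marker, at the cost of occasional hits on other packers that use the same empty-first-section layout.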

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\5261bf6c5a4f164a30a156228fcb462ef494b13f09e0118281e4bab09bf85b4d.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4956
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\5261bf6c5a4f164a30a156228fcb462ef494b13f09e0118281e4bab09bf85b4d.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:4836
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2864
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2104
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2104 CREDAT:17410 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2912
  • C:\Windows\SysWOW64\rundll32SrvSrv.exe
    C:\Windows\SysWOW64\rundll32SrvSrv.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4976
    • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4660
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe"
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2024
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2248
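
The process tree above is the behavioural fingerprint worth hunting for: rundll32.exe loading a DLL from a user temp directory by export ordinal, a dropped look-alike binary (rundll32Srv.exe) running from SysWOW64 under rundll32.exe, an executable sitting directly in C:\Program Files (x86)\Microsoft\, and iexplore.exe started by something other than the shell or another browser process (the WriteProcessMemory signatures on those parents are the injection). The Python below is an added example, not part of the report or of any tria.ge tooling: it encodes those four observations as rules over process-creation records and walks each hit back to its root. The records are constructed here from the tree above using Sysmon-style field names; the parent of the first rundll32.exe and of rundll32SrvSrv.exe is not shown in the report and is recorded as a placeholder, an explorer.exe-launched iexplore.exe is added as a benign control, and the parent allowlist is an assumption to be tuned per environment.

```python
import re

# Constructed process-creation records (Sysmon Event ID 1 style fields) built from the
# tria.ge process tree. PIDs, images and command lines are those shown in the report;
# ppid 1000 (first rundll32.exe) and 0 (rundll32SrvSrv.exe) are placeholders because
# the report does not show those parents. PIDs 5000/5100 are an added benign control.
SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\5261bf6c5a4f164a30a156228fcb462ef494b13f09e0118281e4bab09bf85b4d.dll"
EVENTS = [
    {"pid": 4956, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"pid": 4836, "ppid": 4956, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"pid": 2864, "ppid": 4836, "image": r"C:\Windows\SysWOW64\rundll32Srv.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32Srv.exe"},
    {"pid": 2104, "ppid": 2864, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe"'},
    {"pid": 2912, "ppid": 2104, "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2104 CREDAT:17410 /prefetch:2'},
    {"pid": 4976, "ppid": 0, "image": r"C:\Windows\SysWOW64\rundll32SrvSrv.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32SrvSrv.exe"},
    {"pid": 4660, "ppid": 4976, "image": r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"'},
    {"pid": 2024, "ppid": 4660, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe"'},
    {"pid": 2248, "ppid": 2024, "image": r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     "cmdline": r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2024 CREDAT:17410 /prefetch:2'},
    {"pid": 5000, "ppid": 1000, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5100, "ppid": 5000, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe"'},
]

SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumed allowlist of processes that legitimately start Internet Explorer; tune per environment.
BROWSER_PARENTS = {"explorer.exe", "iexplore.exe", "userinit.exe"}
TEMP_DLL_ORDINAL = re.compile(r"\\appdata\\local\\temp\\[^,\s]+\.dll,#\d+", re.I)
MS_ROOT_EXE = re.compile(r"^c:\\program files( \(x86\))?\\microsoft\\[^\\]+\.exe$", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def lineage(by_pid: dict, pid: int) -> list:
    """Root-to-leaf image names for a PID; stops at an unknown parent or a PID cycle."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def detect(events: list) -> list:
    """Return (rule, pid) pairs for every record that matches one of the four rules."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        # R1: rundll32 loading a DLL from a user temp directory by ordinal (the initial stage)
        if name == "rundll32.exe" and TEMP_DLL_ORDINAL.search(e["cmdline"]):
            hits.append(("rundll32_temp_dll_ordinal", e["pid"]))
        # R2: rundll32 starting a different binary out of a system directory (dropped look-alike)
        if pname == "rundll32.exe" and name != "rundll32.exe" and dirname(e["image"]) in SYSTEM_DIRS:
            hits.append(("rundll32_spawns_system_dir_binary", e["pid"]))
        # R3: Internet Explorer started by something other than the shell or another IE process
        if name == "iexplore.exe" and pname not in BROWSER_PARENTS:
            hits.append(("iexplore_unusual_parent", e["pid"]))
        # R4: an executable directly under Program Files\Microsoft\ instead of a product subfolder
        if MS_ROOT_EXE.match(e["image"]):
            hits.append(("exe_in_program_files_microsoft_root", e["pid"]))
    return hits


def report(events: list) -> list:
    """Each hit with the full parent chain, ready to print or ship to a SIEM."""
    by_pid = {e["pid"]: e for e in events}
    return [{"rule": rule, "pid": pid, "chain": " -> ".join(lineage(by_pid, pid))}
            for rule, pid in detect(events)]


if __name__ == "__main__":
    for hit in report(EVENTS):
        print(f"{hit['rule']:38s} pid={hit['pid']:<5d} {hit['chain']}")
```

R1 and R4 fire on a single record and are cheap to run as queries; R2 and R3 need the parent record, which is why the example keys events by PID first. The IEXPLORE.EXE tab processes (2912 and 2248) are deliberately not flagged: their parent is iexplore.exe, which is the normal IE process model, and the injection happened one level up.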

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\Microsoft\DesktopLayer.exe

    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    471B

    MD5

    cb295ed32b0acd9eac87bcc961fb315a

    SHA1

    a580f2d38c9d1611e25b6aaa3d79b54eb34d3ebe

    SHA256

    980abeaa872503211925db8acf8bdcdff0bc3c6deb2182fd698f6a444d2625be

    SHA512

    974f48bdfb8ea90a49cfa25cacc98c9a145702f4e4967dd6ffddd5eaee6144189499682e80b342708e04f812006314b04e5715492170d0f63c7b0530e9cd399a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

    Filesize

    434B

    MD5

    a5735dcd9bd42305c0629ed8e80478b2

    SHA1

    7edab1e1661720a035c14506e4a8771da7052e4a

    SHA256

    9c752111a055d4bbc1ead233b5e50cdacd1a8dfab888ba00294dd4db5d0de6db

    SHA512

    e8e2f84f0966b85e94ac303a19fd46f7edb2b4b5b2af9278bd30938bae2f8fdc6d22f17ab565d0701e3708ed1651734a6cc792c725e8cdee49eeeec31e596f33

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{84082CD2-698B-11ED-A0EE-D64C4877EDD1}.dat

    Filesize

    5KB

    MD5

    5c3ff7940dcd47b794d5921f6e55afff

    SHA1

    9c812cd6816fe6fac3e389d86d67033d8917889e

    SHA256

    5332a4e06180b62f3a1472c9eb28ca793ab2090b5255bf28b3d6029d540d910f

    SHA512

    74cd68b32ab4bb8f794d5d55ea39ed9cf9651d597382a13c1af5ca215d1bf4832d66006e28d3bda7753431ddff8b7277a28349b26abee63969d8d0f63c077d51

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{84141CC3-698B-11ED-A0EE-D64C4877EDD1}.dat

    Filesize

    5KB

    MD5

    90b0d682bde2275747117e126e9513fb

    SHA1

    ade2caa8582534631725bd97e6b62cc9bc113d28

    SHA256

    6799ff3e6a1d2cec9a47f5617cd8fe65e1fb0c9fb54970f595cad6c068bf111a

    SHA512

    88a3c470ee08aac108a5c0fe52387ff4b53cf5bf30120de5309cf2263e8dc8c4a1630e647580e888587bc92ba1f9e7d66460fd33a7a6a0d6340fd9d99aafeec9

  • C:\Windows\SysWOW64\rundll32Srv.exe

    Filesize

    111KB

    MD5

    309d79d766e9b9025d15adc1aa5ecf52

    SHA1

    cd2b67a54850229ea8b1e8b82270ccdf0bb088e8

    SHA256

    3d3a07dcc43505b2ecafaa8fc4164a70f66a234c894a7f902444a6fa82e07868

    SHA512

    63cfcfe9ebfd634a1a248eca12d174854c5d828d2e610fb3f65e9a5d5106969f212ec466933e4d6afee2e5e4cd31998ea844c0c1f4ccdd78fa10a24650567308

  • C:\Windows\SysWOW64\rundll32SrvSrv.exe

    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

  • memory/2864-140-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/2864-146-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

  • memory/2864-144-0x0000000000550000-0x000000000055F000-memory.dmp

    Filesize

    60KB

  • memory/4660-151-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/4836-138-0x0000000010000000-0x0000000010029000-memory.dmp

    Filesize

    164KB

  • memory/4976-147-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

  • memory/4976-145-0x0000000000430000-0x000000000043F000-memory.dmp

    Filesize

    60KB