Analysis

  • max time kernel
    131s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/11/2022, 10:37

General

  • Target

    9d6b9cfba1c67c0e9cde3efb375b848ed2386eb333b8d22b6817a65d1d233c26.dll

  • Size

    1.3MB

  • MD5

    1ebcc343bd2d2e1f47ac0fed7ec850b5

  • SHA1

    9cd66157339ee7e267df2c6de9a37905b0bf22b5

  • SHA256

    9d6b9cfba1c67c0e9cde3efb375b848ed2386eb333b8d22b6817a65d1d233c26

  • SHA512

    04946480d63ddb58dc866860b98565702bf829c13e9acf8b0e69c724cf6198f7f5e3f07e66977416d3a5e401e989b6d4cce234a5a3ecf81e14c19c2c2d079471

  • SSDEEP

    12288:jSfXvPnSkeJr2F21G0ukd/W8YmU/fI60KbKIkWTVurjUc0u99ARk1FM83pm0OyPW:uPvP8T2onlOYHc4v2ayVpSC

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family whose variants include file infectors (viruses), worms, and Trojans.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX or a modified build of the UPX open-source packer.

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 55 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d6b9cfba1c67c0e9cde3efb375b848ed2386eb333b8d22b6817a65d1d233c26.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:940
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d6b9cfba1c67c0e9cde3efb375b848ed2386eb333b8d22b6817a65d1d233c26.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:780
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:780 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1920
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:744
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:744 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1820
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 232
        3⤵
        • Program crash
        PID:2004

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DF27AD81-6990-11ED-BB11-F263091D6DCE}.dat

    Filesize

    3KB

    MD5

    b32fb656422ed9b176092e2087ad6344

    SHA1

    5304e2e6535f8688e4890de0fb1733791d535af5

    SHA256

    e6ae5bced3cfafa833d4af85ba9a5eff52bba3ec9042d790935ea680c30e00ef

    SHA512

    b4ccbd1bc9251bef9f99a70cf4d1987916b3833638d0af9c2cde7d906cfbd56c3c59923ce460834eb298205eb9a4f5a04bab7e5ee3e0f67c0b28ee7c0ef9f7ae

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DF295B31-6990-11ED-BB11-F263091D6DCE}.dat

    Filesize

    5KB

    MD5

    6e160d701fc2e49641fc5f8a19411893

    SHA1

    4ddf309f38e4ced23c27bb2a31a0a67fcef77e3c

    SHA256

    d74a62fdb194e6660b9321a1f68a29e25efcb2147aae5fe8bb363b600456dcfd

    SHA512

    95633433e87080b88bf0b9cff9f02e90e5a67e86f4b60b85b6801b1ebe7c5da9a5e4ce8a69861f6040c67b992ae4d490f4c077ab16c80b0d6060de0707484de3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OAJ6UQ9Z.txt

    Filesize

    601B

    MD5

    a49e7d4ee647a5b1f88806b24256e1b6

    SHA1

    439abe73ddb1c6c3659f2cdb69b298b1b90b4b43

    SHA256

    d8387bc3e92b3c600c3331872d73762da29d1036259d89676ecf66d792a7f002

    SHA512

    c9612d178f43caa2dacb3b65e198c831466c6b1a090ef037af2cf9cd4ab205396d72092a495147b5915933943eba1d2edad51b9ec149a7d1fa192fddd924fdef

  • C:\Windows\SysWOW64\rundll32mgr.exe

    Filesize

    105KB

    MD5

    98a8ced05b34189b8b36760049b2ea36

    SHA1

    a5271250fb91d891c7df0cae7812ed68907ae076

    SHA256

    e50689964fa016ff34ad6517bb863e26e571f907635e719f1fe5e70a61763d95

    SHA512

    8548b7dc08007fe55e2b7f9bf502c7271655edff52100bb8445a321f37137139c0cd54f7f85558a2f99b38dd574c8435371adc07f8c365bf8a8561c63fe6be45

  • \Windows\SysWOW64\rundll32mgr.exe

    Filesize

    105KB

    MD5

    98a8ced05b34189b8b36760049b2ea36

    SHA1

    a5271250fb91d891c7df0cae7812ed68907ae076

    SHA256

    e50689964fa016ff34ad6517bb863e26e571f907635e719f1fe5e70a61763d95

    SHA512

    8548b7dc08007fe55e2b7f9bf502c7271655edff52100bb8445a321f37137139c0cd54f7f85558a2f99b38dd574c8435371adc07f8c365bf8a8561c63fe6be45

  • memory/1060-55-0x0000000076941000-0x0000000076943000-memory.dmp

    Filesize

    8KB

  • memory/1060-61-0x0000000010000000-0x0000000010151000-memory.dmp

    Filesize

    1.3MB

  • memory/1060-62-0x00000000006A0000-0x0000000000703000-memory.dmp

    Filesize

    396KB

  • memory/2036-63-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB

  • memory/2036-66-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB