Analysis

  • max time kernel
    131s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    21/11/2022, 10:37 UTC

General

  • Target

    9d6b9cfba1c67c0e9cde3efb375b848ed2386eb333b8d22b6817a65d1d233c26.dll

  • Size

    1.3MB

  • MD5

    1ebcc343bd2d2e1f47ac0fed7ec850b5

  • SHA1

    9cd66157339ee7e267df2c6de9a37905b0bf22b5

  • SHA256

    9d6b9cfba1c67c0e9cde3efb375b848ed2386eb333b8d22b6817a65d1d233c26

  • SHA512

    04946480d63ddb58dc866860b98565702bf829c13e9acf8b0e69c724cf6198f7f5e3f07e66977416d3a5e401e989b6d4cce234a5a3ecf81e14c19c2c2d079471

  • SSDEEP

    12288:jSfXvPnSkeJr2F21G0ukd/W8YmU/fI60KbKIkWTVurjUc0u99ARk1FM83pm0OyPW:uPvP8T2onlOYHc4v2ayVpSC

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 55 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d6b9cfba1c67c0e9cde3efb375b848ed2386eb333b8d22b6817a65d1d233c26.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:940
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\9d6b9cfba1c67c0e9cde3efb375b848ed2386eb333b8d22b6817a65d1d233c26.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2036
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:780
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:780 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1920
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:744
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:744 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1820
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 232
        3⤵
        • Program crash
        PID:2004

Network

  • flag-unknown
    DNS lookup by iexplore.exe for api.bing.com
    Remote address: 8.8.8.8:53
    Request: api.bing.com IN A
    Response:
      api.bing.com IN CNAME api-bing-com.e-0001.e-msedge.net
      api-bing-com.e-0001.e-msedge.net IN CNAME afd.e-0001.e-dc-msedge.net
      afd.e-0001.e-dc-msedge.net IN CNAME e-0001.fbs1-e-msedge.net
      e-0001.fbs1-e-msedge.net IN A 13.107.46.80
  • 204.79.197.200:443
    ieonline.microsoft.com, iexplore.exe, 152 B, 3
  • 204.79.197.200:443
    ieonline.microsoft.com, iexplore.exe, 152 B, 3
  • 8.8.8.8:53
    api.bing.com, dns, iexplore.exe, 58 B sent, 192 B received, 1 request, 1 response
    DNS Request: api.bing.com
    DNS Response: 13.107.46.80

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DF27AD81-6990-11ED-BB11-F263091D6DCE}.dat

    Filesize

    3KB

    MD5

    b32fb656422ed9b176092e2087ad6344

    SHA1

    5304e2e6535f8688e4890de0fb1733791d535af5

    SHA256

    e6ae5bced3cfafa833d4af85ba9a5eff52bba3ec9042d790935ea680c30e00ef

    SHA512

    b4ccbd1bc9251bef9f99a70cf4d1987916b3833638d0af9c2cde7d906cfbd56c3c59923ce460834eb298205eb9a4f5a04bab7e5ee3e0f67c0b28ee7c0ef9f7ae

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DF295B31-6990-11ED-BB11-F263091D6DCE}.dat

    Filesize

    5KB

    MD5

    6e160d701fc2e49641fc5f8a19411893

    SHA1

    4ddf309f38e4ced23c27bb2a31a0a67fcef77e3c

    SHA256

    d74a62fdb194e6660b9321a1f68a29e25efcb2147aae5fe8bb363b600456dcfd

    SHA512

    95633433e87080b88bf0b9cff9f02e90e5a67e86f4b60b85b6801b1ebe7c5da9a5e4ce8a69861f6040c67b992ae4d490f4c077ab16c80b0d6060de0707484de3

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\OAJ6UQ9Z.txt

    Filesize

    601B

    MD5

    a49e7d4ee647a5b1f88806b24256e1b6

    SHA1

    439abe73ddb1c6c3659f2cdb69b298b1b90b4b43

    SHA256

    d8387bc3e92b3c600c3331872d73762da29d1036259d89676ecf66d792a7f002

    SHA512

    c9612d178f43caa2dacb3b65e198c831466c6b1a090ef037af2cf9cd4ab205396d72092a495147b5915933943eba1d2edad51b9ec149a7d1fa192fddd924fdef

  • C:\Windows\SysWOW64\rundll32mgr.exe

    Filesize

    105KB

    MD5

    98a8ced05b34189b8b36760049b2ea36

    SHA1

    a5271250fb91d891c7df0cae7812ed68907ae076

    SHA256

    e50689964fa016ff34ad6517bb863e26e571f907635e719f1fe5e70a61763d95

    SHA512

    8548b7dc08007fe55e2b7f9bf502c7271655edff52100bb8445a321f37137139c0cd54f7f85558a2f99b38dd574c8435371adc07f8c365bf8a8561c63fe6be45

  • \Windows\SysWOW64\rundll32mgr.exe

    Filesize

    105KB

    MD5

    98a8ced05b34189b8b36760049b2ea36

    SHA1

    a5271250fb91d891c7df0cae7812ed68907ae076

    SHA256

    e50689964fa016ff34ad6517bb863e26e571f907635e719f1fe5e70a61763d95

    SHA512

    8548b7dc08007fe55e2b7f9bf502c7271655edff52100bb8445a321f37137139c0cd54f7f85558a2f99b38dd574c8435371adc07f8c365bf8a8561c63fe6be45

  • memory/1060-55-0x0000000076941000-0x0000000076943000-memory.dmp

    Filesize

    8KB

  • memory/1060-61-0x0000000010000000-0x0000000010151000-memory.dmp

    Filesize

    1.3MB

  • memory/1060-62-0x00000000006A0000-0x0000000000703000-memory.dmp

    Filesize

    396KB

  • memory/2036-63-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB

  • memory/2036-66-0x0000000000400000-0x0000000000463000-memory.dmp

    Filesize

    396KB