Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7e41f43275...49.dll

windows7-x64

8

7e41f43275...49.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/11/2022, 08:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7e41f43275f79de584731ac3682d085df368ec8e844bf3f763d28378132b4849.dll

  • Size

    160KB

  • MD5

    f17a942c372ace091d4e3326b654f911

  • SHA1

    1a13fcb856dd00683674b81ffb40f9b8b4275f10

  • SHA256

    7e41f43275f79de584731ac3682d085df368ec8e844bf3f763d28378132b4849

  • SHA512

    69d12a47223f04f8e21b30f662de56eeba68c9f98fb3dc9aa864f89bb439e069947b982f72ea91a73034ba1142e5b3e382463cf45af4dbc7e8a1c9d2647bfbb0

  • SSDEEP

    3072:K61Ye3TaEu2CoCcn3zO7A4D8XHLC/6CqX2n2sv566sJrlcWAP:HTa12CoCckAe87CnqX2L4JrlcLP

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 29 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e41f43275f79de584731ac3682d085df368ec8e844bf3f763d28378132b4849.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3440
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e41f43275f79de584731ac3682d085df368ec8e844bf3f763d28378132b4849.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:2176
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:4124
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:3304
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:3224
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3224 -s 212
                6⤵
                • Program crash
                PID:4304
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              PID:3248
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3364
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3364 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1896
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2176 -s 608
          3⤵
          • Program crash
          PID:2272
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2176 -ip 2176
      1⤵
        PID:5080
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3224 -ip 3224
        1⤵
          PID:3744

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          Filesize

          95KB

          MD5

          8e617cbfd82e7d8b1e714f2b4f27d84f

          SHA1

          bcf77c9799fd933f23ce344d2c46081dec46ebb2

          SHA256

          75b0313a8289f2e8bef73aa7599d96e661b6d3840fb32d330bc3cd924240b69e

          SHA512

          3809686bd7d4c03cab6ce7e438115ecf224955fe55d2c8784e16d9df1d30c86b047017536435e059a9bda2e30a29263139336ebcab662d2a281f9c7dc2792d79

          Download Submit

        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          Filesize

          95KB

          MD5

          8e617cbfd82e7d8b1e714f2b4f27d84f

          SHA1

          bcf77c9799fd933f23ce344d2c46081dec46ebb2

          SHA256

          75b0313a8289f2e8bef73aa7599d96e661b6d3840fb32d330bc3cd924240b69e

          SHA512

          3809686bd7d4c03cab6ce7e438115ecf224955fe55d2c8784e16d9df1d30c86b047017536435e059a9bda2e30a29263139336ebcab662d2a281f9c7dc2792d79

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          471B

          MD5

          3bc8595d0a469edc8b7a071a3befe724

          SHA1

          f7e4b53b01d31626ab7965b267fea4457d798a91

          SHA256

          33c4b30d18fa3eeeed676831973cf8dd8c9a9145e7edcb689efeec0647d685d4

          SHA512

          4969ab6d2239a94d1dfb6105d9a329588ad0e3366ab4af874e033b853adfcadf808eced3466823136221e110accd2bcd5b25b0474b11947aab510f0b92d397d8

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          434B

          MD5

          934a4b28b7f03262a9188f0b8b1ed326

          SHA1

          5e948647165f8834da7b1db699827ea59b9a36f1

          SHA256

          aa98c02bda8c89f876f9b4d4da724a6bdd6434a8e83655b3beb4bee227444b94

          SHA512

          f07b8ed15e64076c93b0d2b37d9c8027bc9b48c3521212abcf8a879aadb692439e0d641032c8fcc15a5f1730b1091224453756ee884e10c15aabb33347124ceb

          Download Submit

        • C:\Windows\SysWOW64\rundll32mgr.exe
          Filesize

          95KB

          MD5

          8e617cbfd82e7d8b1e714f2b4f27d84f

          SHA1

          bcf77c9799fd933f23ce344d2c46081dec46ebb2

          SHA256

          75b0313a8289f2e8bef73aa7599d96e661b6d3840fb32d330bc3cd924240b69e

          SHA512

          3809686bd7d4c03cab6ce7e438115ecf224955fe55d2c8784e16d9df1d30c86b047017536435e059a9bda2e30a29263139336ebcab662d2a281f9c7dc2792d79

          Download Submit

        • C:\Windows\SysWOW64\rundll32mgr.exe
          Filesize

          95KB

          MD5

          8e617cbfd82e7d8b1e714f2b4f27d84f

          SHA1

          bcf77c9799fd933f23ce344d2c46081dec46ebb2

          SHA256

          75b0313a8289f2e8bef73aa7599d96e661b6d3840fb32d330bc3cd924240b69e

          SHA512

          3809686bd7d4c03cab6ce7e438115ecf224955fe55d2c8784e16d9df1d30c86b047017536435e059a9bda2e30a29263139336ebcab662d2a281f9c7dc2792d79

          Download Submit

        • memory/2176-136-0x000000006D100000-0x000000006D128000-memory.dmp

          Filesize

          160KB

          Download

        • memory/2176-156-0x000000006D100000-0x000000006D128000-memory.dmp

          Filesize

          160KB

          Download

        • memory/3304-157-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

          Download

        • memory/3304-159-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

          Download

        • memory/3304-152-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

          Download

        • memory/3304-153-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

          Download

        • memory/3304-154-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

          Download

        • memory/3304-155-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

          Download

        • memory/3304-161-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3304-160-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

          Download

        • memory/3304-158-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

          Download

        • memory/4124-145-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4124-140-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4124-141-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4124-137-0x0000000000400000-0x0000000000429000-memory.dmp

          Filesize

          164KB

          Download