Analysis

  • max time kernel
    100s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/11/2022, 19:35

General

  • Target

    aba55ba555f43f1fccb63b640c87a347bbca236bf19107dd1f33412cefb03baa.dll

  • Size

    156KB

  • MD5

    be04cb75888afe3e1076f03ea7437d81

  • SHA1

    69048dd422408cdb8537f6dbd0cdee6a90f70e93

  • SHA256

    aba55ba555f43f1fccb63b640c87a347bbca236bf19107dd1f33412cefb03baa

  • SHA512

    e31eaf8e958d153e7c2c3ee1f4962a908ac6256fd217a440fb58f1522d09f53b056606aef43f5621be5a34298b7d519069c9ae65e15c98ff27c17df310a98dab

  • SSDEEP

    3072:3vY2M8wRBjnPWMowyrR1PFOH4jI/PGYMFMQ1iK9LhBttAXOeIZQoXT3V:TiPWMowyrDC4jI/PGr1i+hBRqo

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
  • Modifies security service 2 TTPs 3 IoCs
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • UAC bypass 3 TTPs 1 IoCs
  • Windows security bypass 2 TTPs 6 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 6 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry class 18 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs
  • System policy modification 1 TTPs 1 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\aba55ba555f43f1fccb63b640c87a347bbca236bf19107dd1f33412cefb03baa.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4772
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\aba55ba555f43f1fccb63b640c87a347bbca236bf19107dd1f33412cefb03baa.dll
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4840
      • C:\Users\Admin\AppData\Local\Temp\oJfxHI1K
        "oJfxHI1K"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4920
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          4⤵
          PID:4720
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 208
            5⤵
            • Program crash
            PID:3304
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:4844
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1784
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1784 CREDAT:17410 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:4280
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1784 CREDAT:82948 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2776
        • C:\Windows\SysWOW64\svchost.exe
          C:\Windows\system32\svchost.exe
          4⤵
          PID:5012
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 208
            5⤵
            • Program crash
            PID:1924
        • C:\Program Files (x86)\Internet Explorer\iexplore.exe
          "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3476
          • C:\Program Files\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
            5⤵
            • Modifies Internet Explorer settings
            PID:3092
        • C:\Users\Admin\AppData\Local\Temp\xemuntcv.exe
          "C:\Users\Admin\AppData\Local\Temp\xemuntcv.exe" elevate
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3780
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\xemuntcv.exe"" admin
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4944
            • C:\Users\Admin\AppData\Local\Temp\xemuntcv.exe
              "C:\Users\Admin\AppData\Local\Temp\xemuntcv.exe" admin
              6⤵
              • Modifies firewall policy service
              • Modifies security service
              • UAC bypass
              • Windows security bypass
              • Executes dropped EXE
              • Windows security modification
              • Checks whether UAC is enabled
              • Suspicious use of AdjustPrivilegeToken
              • System policy modification
              PID:4384
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4720 -ip 4720
    1⤵
    PID:4208
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5012 -ip 5012
    1⤵
    PID:4028

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize
      471B
    MD5
      dedb504b3469b24ec0df79c68f5772e2
    SHA1
      177a8b1045b456316ca32d90aba942bf34774c64
    SHA256
      e18111fd56db31f02eb16990f0bbc7991a0c80571703281ee66010e229c9f8b0
    SHA512
      101312fa01991caeaef010d0d21e740244cb3768490a1b82ae12e7524e50b6e7f2e23c08978ac4c373e9013baa0a8f50de8e1994341556b78ecd88ce13df5680

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize
      434B
    MD5
      0717b0681d2359f3f14d6a420ab9c3f3
    SHA1
      56dd502a9a09ce2da4329219b577e76359166bd0
    SHA256
      5fe63252140a37bbdff8e3868d763985a616470cd0a8bb2faa3e4496338c6dd2
    SHA512
      cb62ee113d70732aa600996575c922790177f912d8dc45a6066354d8ed578d0d3cda493e2eafebfed6768b4f14b7ea11ab320662ce6c0b877ff5bbb72c236b80

  • C:\Users\Admin\AppData\Local\Temp\oJfxHI1K
    Filesize
      99KB
    MD5
      2f5964aefc23c144312263bcde6f4c29
    SHA1
      7235402d08be134c24289c202b21437cfdee6a44
    SHA256
      9c04fadd4b513f6d221d903e513bc6ce07b9a564db88cbce174db6d9e9a75831
    SHA512
      afe0a089537669cb1de2ab4ed9575665d9837e84cad5acceba5fc22adbc086b51cdadbab8348f940c6908179fc4509d6d0954cba459f9248ae00a9b708803869

  • C:\Users\Admin\AppData\Local\Temp\xemuntcv.exe
    Filesize
      99KB
    MD5
      2f5964aefc23c144312263bcde6f4c29
    SHA1
      7235402d08be134c24289c202b21437cfdee6a44
    SHA256
      9c04fadd4b513f6d221d903e513bc6ce07b9a564db88cbce174db6d9e9a75831
    SHA512
      afe0a089537669cb1de2ab4ed9575665d9837e84cad5acceba5fc22adbc086b51cdadbab8348f940c6908179fc4509d6d0954cba459f9248ae00a9b708803869

  • memory/3780-144-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize
      240KB

  • memory/4384-148-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize
      240KB

  • memory/4920-138-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize
      240KB

  • memory/4920-143-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize
      240KB