Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

0e11246d31...4e.exe

windows7-x64

8

0e11246d31...4e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    84s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/12/2022, 02:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4e.exe

  • Size

    1.3MB

  • MD5

    2ad2fbe4509e650c839ea7bc1f6fdd14

  • SHA1

    e654cd67c50a97267b2bf2eec66f643a28e60d68

  • SHA256

    0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4e

  • SHA512

    6ff772151351d244fe4d054e17f9fcde4f6899aedfe7f80ee1994e21db87dba2c53abfb12bcf878414745c689b2a5180ea0a972d816a348bbf1c67b0e0baca4e

  • SSDEEP

    12288:KqOPajQUXXP8QvLWFx6Mo5rippDC7ee1hpls4Ey+XQgAQ0hKJieRHL3:KnajQEPnvg6PhWDC750XgKJ3r3

Score
10/10
ramnitbankerspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Executes dropped EXE 3 IoCs
  • UPX packed file 16 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 49 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of UnmapMainImage 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4e.exe
    "C:\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4e.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2328
    • C:\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe
      C:\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:3216
      • C:\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgrmgr.exe
        C:\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgrmgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:4900
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:4376
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:2284
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 204
                6⤵
                • Program crash
                PID:4796
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3508
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3508 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:5060
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4776
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4776 CREDAT:17410 /prefetch:2
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4664
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2328 -s 1400
        2⤵
        • Program crash
        PID:3212
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2284 -ip 2284
      1⤵
        PID:1828
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 2328 -ip 2328
        1⤵
          PID:1788

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          Filesize

          92KB

          MD5

          87a19429b56f78cc468cda78eee027fa

          SHA1

          0a8fe8b6d49de7e06e8e4572f37f99a8e7f743c5

          SHA256

          5e82ee2fa73afdf8b7f54a3c6ea8853f09f3d1cb4a0ab76fa05306d417c09a50

          SHA512

          02568501e46edc8de1716ac165f1ac88e34b125eb9559e7a0792328b6bb43cf5f4aa2bf8b78263bf429eb220ad804713188de7f7ab95d436d4638a60b23f4976

          Download Submit

        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          Filesize

          92KB

          MD5

          87a19429b56f78cc468cda78eee027fa

          SHA1

          0a8fe8b6d49de7e06e8e4572f37f99a8e7f743c5

          SHA256

          5e82ee2fa73afdf8b7f54a3c6ea8853f09f3d1cb4a0ab76fa05306d417c09a50

          SHA512

          02568501e46edc8de1716ac165f1ac88e34b125eb9559e7a0792328b6bb43cf5f4aa2bf8b78263bf429eb220ad804713188de7f7ab95d436d4638a60b23f4976

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          471B

          MD5

          a62e66dbd157955d60808bf89987bcde

          SHA1

          a97e8478902ac7db7fd904300304944a41afee8e

          SHA256

          d34e72ae586b00a60e3526f1e75677dcffa83fd33860a771ae592e7d8320cf25

          SHA512

          2c969c621bd5881acf47e85b3a2977b1c43dfa80887f0ab447327162d143795ff647b8ed1aec174a868c0faf1e09eb8baa6a67ea42764b65fe4416d2168e81fc

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          471B

          MD5

          a62e66dbd157955d60808bf89987bcde

          SHA1

          a97e8478902ac7db7fd904300304944a41afee8e

          SHA256

          d34e72ae586b00a60e3526f1e75677dcffa83fd33860a771ae592e7d8320cf25

          SHA512

          2c969c621bd5881acf47e85b3a2977b1c43dfa80887f0ab447327162d143795ff647b8ed1aec174a868c0faf1e09eb8baa6a67ea42764b65fe4416d2168e81fc

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          434B

          MD5

          c8260b7189880deb6fec17859da651e2

          SHA1

          6f0e751309db8e8f4ec4182a27aa833410055afc

          SHA256

          424c745af5a5b0b79eff17c43239ce2d6944e18641712b253f689112dfd17d95

          SHA512

          a621797d7f6f3257d4f4a4269ba335138607fc9b1003e64bf857a69fcb50cb5d0fdc2106bc575ba9951f0546b1175b6eaa2b87aa660cc91a76f4940fe05fc5e9

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          434B

          MD5

          7ef747c97b22be6f5667ff3c10fb6b86

          SHA1

          aa84cbe0bff36583e228e1036919ef3f61523f60

          SHA256

          0fcb8097f283e8ba49752fb310cdedf6b83a72eee2d5b056c1665c69a649aded

          SHA512

          4291147071edda2e82e246104dfd3708c2e7473a322229ad2dc6399ce33549c3f8d2713ab66e3ba4cfcd147d23a0eced031b678ce18b782fafd8c184dda457f9

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E64C0DF8-7631-11ED-AECB-DEF0885D2AEB}.dat
          Filesize

          5KB

          MD5

          93db28b7e136f7b9caabb0a45d411b85

          SHA1

          268ec449be5e7375db77fcc31263aca6ab8f682e

          SHA256

          e5cf306bc43086eb82735799c6a7ba0f0bf65616c06ce5a51acb9fe4d1878285

          SHA512

          13b2509330fcbcd692d51db0c3be31e50fdc4d6ada8835b0417f6a558d400c1e3d283fed1d4f7b97c38f73d8dfb9371a89bfa10c2a76461ba888f5a1354e14a3

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E64C3508-7631-11ED-AECB-DEF0885D2AEB}.dat
          Filesize

          3KB

          MD5

          23866f202d233c777160e75110c60154

          SHA1

          e0566a0ba0000d63636e5a788069bde8a18bbf2a

          SHA256

          5e79fc401c4aac130efdce7034ba9edbbf9f8ba22aa12916ba4aa81757f67f36

          SHA512

          8d7e82b5c9c5eeb0e05dc04432675c4f7c0d788f9d6aa002fe1aeb2bb632f6f7487eb63e4aaadad5255e23203f937f278fd05f5c6c3e91b834426362c93e311f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe
          Filesize

          186KB

          MD5

          c9a80e0152f8800a9104b1c41798052d

          SHA1

          efbdbc43669758e3fec21034ab8f0732bf3d9305

          SHA256

          3d2231a54e603fdee4e303362dbd620faaed1114cd1d53a69cc4b60577260aa9

          SHA512

          730c129608c7d558a121594a3a60381d787ea940145300e7317873fc3eb7d1af1f56047c5d6d7f5754dd573bfd70fb75e60d2c9b1727837d3f1a40b128a05f73

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgr.exe
          Filesize

          186KB

          MD5

          c9a80e0152f8800a9104b1c41798052d

          SHA1

          efbdbc43669758e3fec21034ab8f0732bf3d9305

          SHA256

          3d2231a54e603fdee4e303362dbd620faaed1114cd1d53a69cc4b60577260aa9

          SHA512

          730c129608c7d558a121594a3a60381d787ea940145300e7317873fc3eb7d1af1f56047c5d6d7f5754dd573bfd70fb75e60d2c9b1727837d3f1a40b128a05f73

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgrmgr.exe
          Filesize

          92KB

          MD5

          87a19429b56f78cc468cda78eee027fa

          SHA1

          0a8fe8b6d49de7e06e8e4572f37f99a8e7f743c5

          SHA256

          5e82ee2fa73afdf8b7f54a3c6ea8853f09f3d1cb4a0ab76fa05306d417c09a50

          SHA512

          02568501e46edc8de1716ac165f1ac88e34b125eb9559e7a0792328b6bb43cf5f4aa2bf8b78263bf429eb220ad804713188de7f7ab95d436d4638a60b23f4976

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\0e11246d31399e037d4e8c0b168419b09084d3b815f069c8b6a2947900f48d4emgrmgr.exe
          Filesize

          92KB

          MD5

          87a19429b56f78cc468cda78eee027fa

          SHA1

          0a8fe8b6d49de7e06e8e4572f37f99a8e7f743c5

          SHA256

          5e82ee2fa73afdf8b7f54a3c6ea8853f09f3d1cb4a0ab76fa05306d417c09a50

          SHA512

          02568501e46edc8de1716ac165f1ac88e34b125eb9559e7a0792328b6bb43cf5f4aa2bf8b78263bf429eb220ad804713188de7f7ab95d436d4638a60b23f4976

          Download Submit

        • memory/2328-132-0x0000000000400000-0x000000000054E000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/2328-174-0x0000000000400000-0x000000000054E000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/3216-152-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/3216-149-0x0000000000400000-0x00000000004C7000-memory.dmp

          Filesize

          796KB

          Download

        • memory/3216-146-0x0000000000400000-0x00000000004C7000-memory.dmp

          Filesize

          796KB

          Download

        • memory/3216-139-0x0000000000400000-0x00000000004C7000-memory.dmp

          Filesize

          796KB

          Download

        • memory/4376-170-0x0000000000400000-0x00000000004AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/4376-173-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4376-166-0x0000000000400000-0x00000000004AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/4376-165-0x0000000000400000-0x00000000004AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/4376-163-0x0000000000400000-0x00000000004AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/4376-169-0x0000000000400000-0x00000000004AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/4376-164-0x0000000000400000-0x00000000004AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/4376-172-0x0000000000400000-0x00000000004AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/4376-171-0x0000000000400000-0x00000000004AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/4900-155-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4900-151-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4900-147-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

          Download

        • memory/4900-143-0x0000000000400000-0x00000000004AF000-memory.dmp

          Filesize

          700KB

          Download

        • memory/4900-140-0x0000000000400000-0x00000000004AF000-memory.dmp

          Filesize

          700KB

          Download