Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    151s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    04/12/2022, 01:55

General

  • Target

    c7ef1385ab7d9cfbdae403a28ca14a6abda5cf218837e4d04247b642151ed966.dll

  • Size

    472KB

  • MD5

    eeaac30a1688f59236aa5127644d6cc0

  • SHA1

    61008c2b82ea846993d526daa0e85981b0583239

  • SHA256

    c7ef1385ab7d9cfbdae403a28ca14a6abda5cf218837e4d04247b642151ed966

  • SHA512

    21ae16d90248bcd8a94a4953661b86346c9daaaf63e71afbbd6bc600e040630bedca40620e9449b423f7c72e6fa52ae69fd0156109a985991b62b54dbd3c1bcb

  • SSDEEP

    12288:jehnaNPpSVZmNxRCwnwm3W3OHIIf53VO:jeh0PpS6NxNnwYeOHXD

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Loads dropped DLL 4 IoCs
  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\lsass.exe
    C:\Windows\system32\lsass.exe
    1⤵
      PID:480
    • C:\Windows\system32\services.exe
      C:\Windows\system32\services.exe
      1⤵
        PID:472
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k RPCSS
          2⤵
            PID:656
          • C:\Windows\System32\svchost.exe
            C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
            2⤵
              PID:800
              • C:\Windows\system32\Dwm.exe
                "C:\Windows\system32\Dwm.exe"
                3⤵
                  PID:1200
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k NetworkService
                2⤵
                  PID:276
                • C:\Windows\system32\taskhost.exe
                  "taskhost.exe"
                  2⤵
                    PID:1112
                  • C:\Windows\system32\sppsvc.exe
                    C:\Windows\system32\sppsvc.exe
                    2⤵
                      PID:304
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
                      2⤵
                        PID:1016
                      • C:\Windows\system32\svchost.exe
                        C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
                        2⤵
                          PID:1032
                        • C:\Windows\System32\spoolsv.exe
                          C:\Windows\System32\spoolsv.exe
                          2⤵
                            PID:328
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k netsvcs
                            2⤵
                              PID:864
                            • C:\Windows\system32\svchost.exe
                              C:\Windows\system32\svchost.exe -k LocalService
                              2⤵
                                PID:836
                              • C:\Windows\System32\svchost.exe
                                C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
                                2⤵
                                  PID:736
                                • C:\Windows\system32\svchost.exe
                                  C:\Windows\system32\svchost.exe -k DcomLaunch
                                  2⤵
                                    PID:576
                                • C:\Windows\system32\winlogon.exe
                                  winlogon.exe
                                  1⤵
                                    PID:420
                                  • C:\Windows\system32\lsm.exe
                                    C:\Windows\system32\lsm.exe
                                    1⤵
                                      PID:488
                                    • C:\Windows\system32\wbem\wmiprvse.exe
                                      C:\Windows\system32\wbem\wmiprvse.exe
                                      1⤵
                                        PID:1976
                                      • \\?\C:\Windows\system32\wbem\WMIADAP.EXE
                                        wmiadap.exe /F /T /R
                                        1⤵
                                          PID:1716
                                        • C:\Windows\Explorer.EXE
                                          C:\Windows\Explorer.EXE
                                          1⤵
                                            PID:1248
                                            • C:\Windows\system32\rundll32.exe
                                              rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7ef1385ab7d9cfbdae403a28ca14a6abda5cf218837e4d04247b642151ed966.dll,#1
                                              2⤵
                                              • Suspicious use of WriteProcessMemory
                                              PID:1320
                                              • C:\Windows\SysWOW64\rundll32.exe
                                                rundll32.exe C:\Users\Admin\AppData\Local\Temp\c7ef1385ab7d9cfbdae403a28ca14a6abda5cf218837e4d04247b642151ed966.dll,#1
                                                3⤵
                                                • Loads dropped DLL
                                                • Drops file in System32 directory
                                                • Suspicious use of AdjustPrivilegeToken
                                                • Suspicious use of WriteProcessMemory
                                                PID:1652
                                                • C:\Windows\SysWOW64\rundll32Srv.exe
                                                  C:\Windows\SysWOW64\rundll32Srv.exe
                                                  4⤵
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  • Drops file in Program Files directory
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:2040
                                                  • C:\Program Files (x86)\Microsoft\WaterMark.exe
                                                    "C:\Program Files (x86)\Microsoft\WaterMark.exe"
                                                    5⤵
                                                    • Executes dropped EXE
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    • Suspicious use of WriteProcessMemory
                                                    PID:436
                                                    • C:\Windows\SysWOW64\svchost.exe
                                                      C:\Windows\system32\svchost.exe
                                                      6⤵
                                                      • Modifies WinLogon for persistence
                                                      • Drops file in System32 directory
                                                      • Drops file in Program Files directory
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      PID:2036
                                                    • C:\Windows\SysWOW64\svchost.exe
                                                      C:\Windows\system32\svchost.exe
                                                      6⤵
                                                      • Suspicious behavior: EnumeratesProcesses
                                                      • Suspicious use of AdjustPrivilegeToken
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:1680
                                                • C:\Windows\SysWOW64\WerFault.exe
                                                  C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 228
                                                  4⤵
                                                  • Program crash
                                                  • Suspicious behavior: GetForegroundWindowSpam
                                                  • Suspicious use of AdjustPrivilegeToken
                                                  PID:1188
                                          • C:\Windows\system32\csrss.exe
                                            %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                            1⤵
                                              PID:384
                                            • C:\Windows\system32\wininit.exe
                                              wininit.exe
                                              1⤵
                                                PID:368
                                              • C:\Windows\system32\csrss.exe
                                                %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
                                                1⤵
                                                  PID:332
                                                • C:\Windows\System32\smss.exe
                                                  \SystemRoot\System32\smss.exe
                                                  1⤵
                                                    PID:260

                                                  Network

                                                  MITRE ATT&CK Enterprise v6

                                                  Replay Monitor

                                                  Loading Replay Monitor...

                                                  Downloads

                                                  • C:\Program Files (x86)\Microsoft\WaterMark.exe

                                                    Filesize

                                                    90KB

                                                    MD5

                                                    dba1231fa077c41836df91398093d5a8

                                                    SHA1

                                                    9bd1adff712907f1cbff38194e7229af5d9b2938

                                                    SHA256

                                                    10576d998ccc0c450ac3bb8199eda18f5dd01336101eb1cfe357f33b520b5f0a

                                                    SHA512

                                                    ec8f9d266a926010b94cb244e2ef90704a1209cafa18d80af9637fa81d56a929aa2a9d4ebbdd1b86a1d9cf632ddbd0f0f86e5894aa8248784518f2153e509a1f

                                                  • C:\Program Files (x86)\Microsoft\WaterMark.exe

                                                    Filesize

                                                    90KB

                                                    MD5

                                                    dba1231fa077c41836df91398093d5a8

                                                    SHA1

                                                    9bd1adff712907f1cbff38194e7229af5d9b2938

                                                    SHA256

                                                    10576d998ccc0c450ac3bb8199eda18f5dd01336101eb1cfe357f33b520b5f0a

                                                    SHA512

                                                    ec8f9d266a926010b94cb244e2ef90704a1209cafa18d80af9637fa81d56a929aa2a9d4ebbdd1b86a1d9cf632ddbd0f0f86e5894aa8248784518f2153e509a1f

                                                  • C:\Windows\SysWOW64\rundll32Srv.exe

                                                    Filesize

                                                    90KB

                                                    MD5

                                                    dba1231fa077c41836df91398093d5a8

                                                    SHA1

                                                    9bd1adff712907f1cbff38194e7229af5d9b2938

                                                    SHA256

                                                    10576d998ccc0c450ac3bb8199eda18f5dd01336101eb1cfe357f33b520b5f0a

                                                    SHA512

                                                    ec8f9d266a926010b94cb244e2ef90704a1209cafa18d80af9637fa81d56a929aa2a9d4ebbdd1b86a1d9cf632ddbd0f0f86e5894aa8248784518f2153e509a1f

                                                  • C:\Windows\SysWOW64\rundll32Srv.exe

                                                    Filesize

                                                    90KB

                                                    MD5

                                                    dba1231fa077c41836df91398093d5a8

                                                    SHA1

                                                    9bd1adff712907f1cbff38194e7229af5d9b2938

                                                    SHA256

                                                    10576d998ccc0c450ac3bb8199eda18f5dd01336101eb1cfe357f33b520b5f0a

                                                    SHA512

                                                    ec8f9d266a926010b94cb244e2ef90704a1209cafa18d80af9637fa81d56a929aa2a9d4ebbdd1b86a1d9cf632ddbd0f0f86e5894aa8248784518f2153e509a1f

                                                  • \Program Files (x86)\Microsoft\WaterMark.exe

                                                    Filesize

                                                    90KB

                                                    MD5

                                                    dba1231fa077c41836df91398093d5a8

                                                    SHA1

                                                    9bd1adff712907f1cbff38194e7229af5d9b2938

                                                    SHA256

                                                    10576d998ccc0c450ac3bb8199eda18f5dd01336101eb1cfe357f33b520b5f0a

                                                    SHA512

                                                    ec8f9d266a926010b94cb244e2ef90704a1209cafa18d80af9637fa81d56a929aa2a9d4ebbdd1b86a1d9cf632ddbd0f0f86e5894aa8248784518f2153e509a1f

                                                  • \Program Files (x86)\Microsoft\WaterMark.exe

                                                    Filesize

                                                    90KB

                                                    MD5

                                                    dba1231fa077c41836df91398093d5a8

                                                    SHA1

                                                    9bd1adff712907f1cbff38194e7229af5d9b2938

                                                    SHA256

                                                    10576d998ccc0c450ac3bb8199eda18f5dd01336101eb1cfe357f33b520b5f0a

                                                    SHA512

                                                    ec8f9d266a926010b94cb244e2ef90704a1209cafa18d80af9637fa81d56a929aa2a9d4ebbdd1b86a1d9cf632ddbd0f0f86e5894aa8248784518f2153e509a1f

                                                  • \Windows\SysWOW64\rundll32Srv.exe

                                                    Filesize

                                                    90KB

                                                    MD5

                                                    dba1231fa077c41836df91398093d5a8

                                                    SHA1

                                                    9bd1adff712907f1cbff38194e7229af5d9b2938

                                                    SHA256

                                                    10576d998ccc0c450ac3bb8199eda18f5dd01336101eb1cfe357f33b520b5f0a

                                                    SHA512

                                                    ec8f9d266a926010b94cb244e2ef90704a1209cafa18d80af9637fa81d56a929aa2a9d4ebbdd1b86a1d9cf632ddbd0f0f86e5894aa8248784518f2153e509a1f

                                                  • \Windows\SysWOW64\rundll32Srv.exe

                                                    Filesize

                                                    90KB

                                                    MD5

                                                    dba1231fa077c41836df91398093d5a8

                                                    SHA1

                                                    9bd1adff712907f1cbff38194e7229af5d9b2938

                                                    SHA256

                                                    10576d998ccc0c450ac3bb8199eda18f5dd01336101eb1cfe357f33b520b5f0a

                                                    SHA512

                                                    ec8f9d266a926010b94cb244e2ef90704a1209cafa18d80af9637fa81d56a929aa2a9d4ebbdd1b86a1d9cf632ddbd0f0f86e5894aa8248784518f2153e509a1f

                                                  • memory/436-215-0x0000000000400000-0x000000000045A000-memory.dmp

                                                    Filesize

                                                    360KB

                                                  • memory/436-80-0x0000000000400000-0x000000000045A000-memory.dmp

                                                    Filesize

                                                    360KB

                                                  • memory/1652-61-0x0000000010000000-0x0000000010078000-memory.dmp

                                                    Filesize

                                                    480KB

                                                  • memory/1652-214-0x0000000000170000-0x00000000001CA000-memory.dmp

                                                    Filesize

                                                    360KB

                                                  • memory/1652-64-0x0000000000170000-0x00000000001CA000-memory.dmp

                                                    Filesize

                                                    360KB

                                                  • memory/1652-62-0x0000000000170000-0x00000000001CA000-memory.dmp

                                                    Filesize

                                                    360KB

                                                  • memory/1652-216-0x0000000010000000-0x0000000010078000-memory.dmp

                                                    Filesize

                                                    480KB

                                                  • memory/1652-55-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

                                                    Filesize

                                                    8KB

                                                  • memory/1680-83-0x0000000020010000-0x000000002001B000-memory.dmp

                                                    Filesize

                                                    44KB

                                                  • memory/1680-86-0x0000000020010000-0x000000002001B000-memory.dmp

                                                    Filesize

                                                    44KB

                                                  • memory/2036-81-0x0000000020010000-0x0000000020021000-memory.dmp

                                                    Filesize

                                                    68KB

                                                  • memory/2036-76-0x0000000020010000-0x0000000020021000-memory.dmp

                                                    Filesize

                                                    68KB

                                                  • memory/2036-72-0x0000000020010000-0x0000000020021000-memory.dmp

                                                    Filesize

                                                    68KB

                                                  • memory/2040-65-0x0000000000400000-0x000000000045A000-memory.dmp

                                                    Filesize

                                                    360KB