Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    130s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    04/12/2022, 02:22

General

  • Target

    4d31683885a02e544a2081c2a2b32654b32e906481557c3d9a03f4201e5a661e.dll

  • Size

    440KB

  • MD5

    c50fd275bcad485892e77bba221364a0

  • SHA1

    0f8f4f0e65f87e075c4a19ec1bb861b031281655

  • SHA256

    4d31683885a02e544a2081c2a2b32654b32e906481557c3d9a03f4201e5a661e

  • SHA512

    0816a58f9ff4dba5db4170beda99fa8e9eaaeb9b0000fe8f54169c948bccfb5678de9ce0dba8e60013efbbd278b4fb1dc53bbc6f641829330b48de52e3d734b6

  • SSDEEP

    6144:DhwcskkkkknffCp5CrRKlua3Bo3EWSUxiQibG69VillCE:1wqqPo3NSJbG69VICE

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes file-infecting viruses, worms, and Trojans.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 53 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
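
The UPX signature above is a static property of the submitted DLL, so it can be checked before detonation. The script below is an added example, not part of the tria.ge report or its signature engine: it walks the documented PE/COFF header layout to read the section table, flags a UPX-shaped image, and compares a file's digests with the IOC hashes from the General section. The sample images are constructed in memory (header-only, not loadable) so it runs offline; the packing heuristics (UPX0/UPX1/UPX2 section names, or an empty first section with a large virtual size followed by a high-entropy section) are an analyst assumption.

```python
"""Static triage: parse the PE section table to flag UPX-style packing and
compare a file's digests with the IOC hashes from this report.

Added example, not part of the tria.ge report. Sample PEs are constructed
in memory; the packing heuristics are assumptions, not the sandbox's rules.
"""
import hashlib
import math
import struct

# Digests copied from the General section of the report.
REPORT_IOCS = {
    "md5": "c50fd275bcad485892e77bba221364a0",
    "sha1": "0f8f4f0e65f87e075c4a19ec1bb861b031281655",
    "sha256": "4d31683885a02e544a2081c2a2b32654b32e906481557c3d9a03f4201e5a661e",
}
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 8.0 is uniform; compressed or encrypted data sits near it."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(data: bytes) -> list:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        raw = data[rptr:rptr + rsize] if rsize else b""
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "virtual_address": vaddr, "raw_size": rsize,
                         "entropy": shannon_entropy(raw)})
    return sections


def looks_upx_packed(sections) -> bool:
    """UPX by section name, or by shape: empty unpack target + high-entropy payload."""
    if {s["name"] for s in sections} & UPX_SECTION_NAMES:
        return True
    if len(sections) >= 2:
        first, second = sections[0], sections[1]
        if first["raw_size"] == 0 and first["virtual_size"] > 0 and second["entropy"] > 7.0:
            return True
    return False


def hashes_match_report(data: bytes, iocs=REPORT_IOCS) -> dict:
    """Per algorithm, True only if the bytes are exactly the reported sample."""
    return {algo: hashlib.new(algo, data).hexdigest() == digest for algo, digest in iocs.items()}


def build_sample_pe(specs) -> bytes:
    """Constructed minimal PE; specs is [(name, virtual_size, raw_bytes), ...]."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 0, 0x2102)  # i386, no optional header
    raw_ptr = 0x40 + 4 + 20 + 40 * len(specs)
    headers, blobs, vaddr = b"", b"", 0x1000
    for name, vsize, raw in specs:
        headers += struct.pack(SECTION_HDR, name, vsize, vaddr, len(raw),
                               raw_ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(raw)
        blobs += raw
        vaddr += max(vsize, 0x1000)
    return dos + b"PE\0\0" + coff + headers + blobs


# Constructed samples: a UPX-shaped image and a plain one.
PACKED_SAMPLE = build_sample_pe([(b"UPX0", 0x40000, b""),
                                 (b"UPX1", 0x8000, bytes(range(256)) * 16),
                                 (b".rsrc", 0x1000, b"\0" * 64)])
PLAIN_SAMPLE = build_sample_pe([(b".text", 0x1000, b"\x55\x8b\xec" * 64 + b"\xc3"),
                                (b".data", 0x1000, b"hello" * 20)])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        secs = parse_sections(blob)
        print(label, [s["name"] for s in secs], "upx-like:", looks_upx_packed(secs))
    print("matches report IOCs:", hashes_match_report(PACKED_SAMPLE))
```

Run it against the real sample by reading the DLL into `data` and calling `parse_sections(data)` and `hashes_match_report(data)`; a renamed UPX build defeats the name check, which is why the shape heuristic is kept alongside it.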

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d31683885a02e544a2081c2a2b32654b32e906481557c3d9a03f4201e5a661e.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1336
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d31683885a02e544a2081c2a2b32654b32e906481557c3d9a03f4201e5a661e.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:1176
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2040
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1732
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1732 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:680
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1032
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1032 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:576
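
The tree shows the chain a hunt should reconstruct: a 64-bit rundll32.exe loading the DLL from %TEMP% by ordinal, the WoW64 rundll32.exe it hands off to, the dropped rundll32mgr.exe executing from SysWOW64, and Internet Explorer being launched by that dropped binary rather than by the shell. The script below is an added example, not part of the tria.ge report or its signature engine: it runs three rules over process-creation records shaped like Sysmon event 1 (parent PID, image, command line). The EVENTS list is constructed from the PIDs, images and command lines in the tree; the field names, the parent PID 4000 for the first rundll32.exe, the benign explorer.exe -> iexplore.exe pair (PIDs 900 and 3100, added as a baseline) and the two allow-lists are assumptions.

```python
"""Process-tree hunting over process-creation records shaped like the tree
above. Added example, not part of the tria.ge report; EVENTS is constructed
from the report's process tree plus an assumed benign baseline.
"""
import ntpath
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\4d31683885a02e544a2081c2a2b32654b32e906481557c3d9a03f4201e5a661e.dll")
IE64 = r"C:\Program Files\Internet Explorer\iexplore.exe"
IE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"

EVENTS = [
    Event(1336, 4000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    Event(1176, 1336, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    Event(2040, 1176, r"C:\Windows\SysWOW64\rundll32mgr.exe", r"C:\Windows\SysWOW64\rundll32mgr.exe"),
    Event(1732, 2040, IE64, f'"{IE64}"'),
    Event(680, 1732, IE32, f'"{IE32}" SCODEF:1732 CREDAT:275457 /prefetch:2'),
    Event(1032, 2040, IE64, f'"{IE64}"'),
    Event(576, 1032, IE32, f'"{IE32}" SCODEF:1032 CREDAT:275457 /prefetch:2'),
    # Constructed benign baseline (assumed): the shell opening the browser.
    Event(900, 400, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(3100, 900, IE64, f'"{IE64}"'),
]

# A DLL run from the user's Temp directory by export ordinal (",#1" in the tree).
TEMP_DLL_ORDINAL = re.compile(r"\\AppData\\Local\\Temp\\[^\s,]+\.dll,#\d+", re.IGNORECASE)
# System binary names a dropped file tends to extend (assumed starting list).
MIMICKED_SYSTEM_BINARIES = {"rundll32", "regsvr32", "svchost", "dllhost"}
# Parents expected to start Internet Explorer (assumed starting list).
EXPECTED_BROWSER_PARENTS = {"explorer.exe", "iexplore.exe", "userinit.exe"}


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def lineage(events, pid):
    """Image basenames from the oldest known ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def detect(events):
    """Return (rule, pid) findings for the three behaviours seen in the tree."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else None
        stem = name[:-4] if name.endswith(".exe") else name

        # 1. rundll32 loading a DLL out of %TEMP% by ordinal.
        if name == "rundll32.exe" and TEMP_DLL_ORDINAL.search(e.cmdline):
            findings.append(("rundll32_temp_dll_by_ordinal", e.pid))

        # 2. rundll32 spawning a binary whose name extends a system binary's
        #    name (rundll32mgr.exe): the dropped EXE executing from SysWOW64.
        if pname == "rundll32.exe" and any(stem != k and stem.startswith(k)
                                           for k in MIMICKED_SYSTEM_BINARIES):
            findings.append(("lookalike_exe_spawned_by_rundll32", e.pid))

        # 3. Internet Explorer started by something other than the shell or
        #    another IE process: the injection target being launched.
        if name == "iexplore.exe" and pname and pname not in EXPECTED_BROWSER_PARENTS:
            findings.append(("browser_launched_by_unexpected_parent", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40s} pid={pid:<5d} {' > '.join(lineage(EVENTS, pid))}")
```

Rule 2 deliberately does not fire on rundll32.exe spawning rundll32.exe (the 64-bit to WoW64 hand-off in the tree is normal for a 32-bit DLL), and rule 3 ignores the IEXPLORE.EXE content processes because their parent is the IE frame process.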

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2181A711-7636-11ED-A6C3-FE72C9E2D9C9}.dat

    Filesize

    5KB

    MD5

    cc9db46038673568a28a8e28bdd76eca

    SHA1

    f316593eb936f24393f860e4ae2abdab107e4f15

    SHA256

    323dbe95e1b3e2d86d683d7582f468fb6dc1eb2bb661f9fee0ba85777404815f

    SHA512

    56b6b9146c86c3575289e74bfdd72ff38eb06cc89f0ead5a18c9596688cadc7cda7a4d666c1cd0001c3fe2e4a2e2807b04dc4b08d00c101353cb4329721226d4

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{21850271-7636-11ED-A6C3-FE72C9E2D9C9}.dat

    Filesize

    3KB

    MD5

    a52a9ceecc7fd9573d23a0719734f8ae

    SHA1

    d19902afcdb48a99565a2e35e2042f320f044f59

    SHA256

    0b2d1e364b09d8717a62098c9753609981e02d782bf5310a3fb904e1cae66125

    SHA512

    793f5e4deb5e13cc54e617bcc905e2625e7a0f3232d304e6d434ea73355633384d55df9ed53724e5eb5a791d8c92bc3c136fb72d8afcdf42d4862fb3a86a6218

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CBKERS4V.txt

    Filesize

    603B

    MD5

    8a6d85e7aaa46acbc6c3b0ead112ceb4

    SHA1

    8c4fbd436ba591dee0bcfea0b441cec391ffbf67

    SHA256

    7436fe58089c1b855672929de8c733d33281cfbb62478956c26b0497c9c0c518

    SHA512

    e5363f8d8aa561935363f1da75cf771cac5c07c2276cce21d1f44c305a6b373ac5071873be1490a14dc32bb25ec06e05d24eea360427b00a03e0e4b97754a5d6

  • C:\Windows\SysWOW64\rundll32mgr.exe

    Filesize

    153KB

    MD5

    6c6400ba9cf5a1d34fbbb3e2fe57ce3f

    SHA1

    a6f8636c626b47354407aae3ec592ba8a6ad57ef

    SHA256

    c33f882e364f65322678d03dbbf00efea35be735c9fdaa74e79f1c3d04191b3a

    SHA512

    9760704bf0fb51f1da47db1c127d4b312971764866796cbe1fb2989328170bd91e6258f90d1dc3e766cbd61f877cb3b37fd8c30f62dccafd4f1b822bc8255343

  • \Windows\SysWOW64\rundll32mgr.exe

    Filesize

    153KB

    MD5

    6c6400ba9cf5a1d34fbbb3e2fe57ce3f

    SHA1

    a6f8636c626b47354407aae3ec592ba8a6ad57ef

    SHA256

    c33f882e364f65322678d03dbbf00efea35be735c9fdaa74e79f1c3d04191b3a

    SHA512

    9760704bf0fb51f1da47db1c127d4b312971764866796cbe1fb2989328170bd91e6258f90d1dc3e766cbd61f877cb3b37fd8c30f62dccafd4f1b822bc8255343

  • memory/1176-62-0x0000000010000000-0x000000001006F000-memory.dmp

    Filesize

    444KB

  • memory/1176-63-0x00000000002A0000-0x0000000000302000-memory.dmp

    Filesize

    392KB

  • memory/1176-55-0x00000000762D1000-0x00000000762D3000-memory.dmp

    Filesize

    8KB

  • memory/2040-64-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB

  • memory/2040-65-0x0000000000400000-0x0000000000462000-memory.dmp

    Filesize

    392KB
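
The memory dumps are worth reading alongside the process tree: the 444KB region at 0x10000000 in rundll32.exe (PID 1176) is the size and default image base of the loaded 32-bit DLL, while a 392KB region appears both at 0x2A0000 in PID 1176 and at 0x400000, the default EXE image base, in the dropped rundll32mgr.exe (PID 2040). The script below is an added example, not part of the tria.ge report: it parses the dump names copied from this list, collapses repeated dumps of the same range, and reports sizes shared across processes. The reading that an equal-sized region in both processes points at the same image being present in both, and the two default image bases, are analyst heuristics, not a sandbox verdict.

```python
"""Correlate the memory dump regions listed above. Added example, not part
of the tria.ge report; DUMP_NAMES is copied from the Downloads list and the
image-base interpretation is an analyst assumption.
"""
import re
from collections import defaultdict

DUMP_NAMES = [
    "memory/1176-62-0x0000000010000000-0x000000001006F000-memory.dmp",
    "memory/1176-63-0x00000000002A0000-0x0000000000302000-memory.dmp",
    "memory/1176-55-0x00000000762D1000-0x00000000762D3000-memory.dmp",
    "memory/2040-64-0x0000000000400000-0x0000000000462000-memory.dmp",
    "memory/2040-65-0x0000000000400000-0x0000000000462000-memory.dmp",
]

NAME_RE = re.compile(r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                     r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp")
# Default 32-bit image bases (assumption used for labelling only).
DEFAULT_IMAGE_BASES = {0x00400000: "exe_default_imagebase", 0x10000000: "dll_default_imagebase"}


def parse_dump_name(name):
    """memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp -> region record."""
    m = NAME_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start,
            "end": end, "size": end - start}


def size_kb(nbytes):
    """Report-style size in whole KiB (all regions here are page-aligned)."""
    return nbytes // 1024


def unique_regions(dumps):
    """Collapse repeated dumps of the same (pid, start, end) range."""
    seen = {}
    for d in dumps:
        seen.setdefault((d["pid"], d["start"], d["end"]), d)
    return list(seen.values())


def shared_sizes(dumps):
    """Region sizes seen in more than one process -> the PIDs sharing them."""
    by_size = defaultdict(set)
    for d in unique_regions(dumps):
        by_size[d["size"]].add(d["pid"])
    return {size: pids for size, pids in by_size.items() if len(pids) > 1}


def classify(d):
    return DEFAULT_IMAGE_BASES.get(d["start"], "other")


if __name__ == "__main__":
    dumps = [parse_dump_name(n) for n in DUMP_NAMES]
    for d in unique_regions(dumps):
        print(f"pid {d['pid']:>5}  0x{d['start']:08X}-0x{d['end']:08X}  "
              f"{size_kb(d['size']):>4} KB  {classify(d)}")
    for size, pids in shared_sizes(dumps).items():
        print(f"{size_kb(size)} KB region present in PIDs {sorted(pids)}")
```

The 8KB region at 0x762D1000 in PID 1176 falls in the range where system DLLs map on this image and shares no size with the other process, so it drops out of the correlation; the two 392KB dumps are the ones to diff against each other and against the 153KB rundll32mgr.exe on disk.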