Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

12af93d290...9d.dll

windows7-x64

10

12af93d290...9d.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/12/2022, 13:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    12af93d29007b28f8e5cd5db210de0b91e0e84ca318893a79d0efc11f813fb9d.dll

  • Size

    256KB

  • MD5

    5129a643720990da5ac6f1d0d7bd4181

  • SHA1

    57cd9af7745ee0e4b68124bbb8851964d1653cd0

  • SHA256

    12af93d29007b28f8e5cd5db210de0b91e0e84ca318893a79d0efc11f813fb9d

  • SHA512

    9553055fa78c86fd7e51f3bc1454bd7b9aa59a0dc4a25a8e660fbd7a62861b7ca066b52f4d67980e06b487c30695f8a4a9deecbed6a17bb8d664d81bec05bfcb

  • SSDEEP

    3072:54vRJRkTcZ7fcxdl5CTqBoEBClwrnfJMtZbzOPrLRiwte9I1yi5fEB1msmU580Xs:5OHngrYuyRmsm28KJ0I7

Score
10/10
ramnitbankerevasionspywarestealertrojanupxworm

Malware Config

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Modifies security service 2 TTPs 3 IoCs
    evasion
  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Executes dropped EXE 6 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 6 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\12af93d29007b28f8e5cd5db210de0b91e0e84ca318893a79d0efc11f813fb9d.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4512
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\12af93d29007b28f8e5cd5db210de0b91e0e84ca318893a79d0efc11f813fb9d.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3796
      • C:\Users\Admin\AppData\Local\Temp\rvtql1X1e
        "rvtql1X1e"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3208
        • C:\Users\Admin\AppData\Local\Temp\rvtql1X1e
          "rvtql1X1e"
          4⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4420
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:4904
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 204
                6⤵
                • Program crash
                PID:3356
            • C:\Program Files (x86)\Internet Explorer\iexplore.exe
              "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1648
              • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                6⤵
                • Modifies Internet Explorer settings
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4296
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4296 CREDAT:17410 /prefetch:2
                  7⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:1688
                • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4296 CREDAT:82950 /prefetch:2
                  7⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of SetWindowsHookEx
                  PID:4360
            • C:\Windows\SysWOW64\svchost.exe
              C:\Windows\system32\svchost.exe
              5⤵
                PID:3888
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 204
                  6⤵
                  • Program crash
                  PID:3076
              • C:\Program Files (x86)\Internet Explorer\iexplore.exe
                "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1956
                • C:\Program Files\Internet Explorer\IEXPLORE.EXE
                  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
                  6⤵
                  • Modifies Internet Explorer settings
                  PID:3316
              • C:\Users\Admin\AppData\Local\Temp\yuhdkxje.exe
                "C:\Users\Admin\AppData\Local\Temp\yuhdkxje.exe" elevate
                5⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1376
                • C:\Users\Admin\AppData\Local\Temp\yuhdkxje.exe
                  "C:\Users\Admin\AppData\Local\Temp\yuhdkxje.exe" elevate
                  6⤵
                  • Executes dropped EXE
                  • Checks computer location settings
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:2028
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\System32\cmd.exe" /C ""C:\Users\Admin\AppData\Local\Temp\yuhdkxje.exe"" admin
                    7⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1272
                    • C:\Users\Admin\AppData\Local\Temp\yuhdkxje.exe
                      "C:\Users\Admin\AppData\Local\Temp\yuhdkxje.exe" admin
                      8⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      • Suspicious use of SetWindowsHookEx
                      PID:2588
                      • C:\Users\Admin\AppData\Local\Temp\yuhdkxje.exe
                        "C:\Users\Admin\AppData\Local\Temp\yuhdkxje.exe" admin
                        9⤵
                        • Modifies firewall policy service
                        • Modifies security service
                        • UAC bypass
                        • Windows security bypass
                        • Executes dropped EXE
                        • Windows security modification
                        • Checks whether UAC is enabled
                        • Suspicious use of AdjustPrivilegeToken
                        • System policy modification
                        PID:2100
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4904 -ip 4904
        1⤵
          PID:4852
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3888 -ip 3888
          1⤵
            PID:3044

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            471B

            MD5

            2e02780939de763a8bb3e91dfbf21980

            SHA1

            47e818dcbc1d307b43654dfe3a03b9a7625d9ce4

            SHA256

            971abb405a443302f8c61627933bd0f46ed6953f5815e298974e6f7532908748

            SHA512

            51709ae31e885719d848f619c4b3e732b0765a5349484f7c4ca524072a6b0d75f33d3f6c015a0ed4fd188a43d5cc9e0d221d1d7cca5a31a044b73fcbcebbe5fd

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            434B

            MD5

            7d1f39a6832eaccb774a7bd1746cac96

            SHA1

            39ce69465c7d588490a2bb02357ba952b0fe0c1e

            SHA256

            8449e6e472e5324c47040895fc4aa4cfc884ab08344e8ddcb9732871495e18a1

            SHA512

            699a64000cf0c2d9791b34c3d8dce264825b915fa5be32099de5ba2201165ec379989979670877c8662950354e70316704287b32ce8b307be53c5bdcc560d09d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\rvtql1X1e
            Filesize

            99KB

            MD5

            33ace2a98e6aa56dbd6f1ae58a9af9ae

            SHA1

            67de6edab77318d997f002c9884dd08069612570

            SHA256

            8bf10012bf59dbc3f6509bbf1dc12490779fc5962aa37fcebbcc434e2612371c

            SHA512

            ea77d71297f7ef842f0c1c7b6f8eb53f8d6d3f223d4f5d2bb4214102601a1197f038a1339d5245ed87671947e90910b78cbe7081d05c0e5cedd55b0726e362f5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\rvtql1X1e
            Filesize

            99KB

            MD5

            33ace2a98e6aa56dbd6f1ae58a9af9ae

            SHA1

            67de6edab77318d997f002c9884dd08069612570

            SHA256

            8bf10012bf59dbc3f6509bbf1dc12490779fc5962aa37fcebbcc434e2612371c

            SHA512

            ea77d71297f7ef842f0c1c7b6f8eb53f8d6d3f223d4f5d2bb4214102601a1197f038a1339d5245ed87671947e90910b78cbe7081d05c0e5cedd55b0726e362f5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\rvtql1X1e
            Filesize

            99KB

            MD5

            33ace2a98e6aa56dbd6f1ae58a9af9ae

            SHA1

            67de6edab77318d997f002c9884dd08069612570

            SHA256

            8bf10012bf59dbc3f6509bbf1dc12490779fc5962aa37fcebbcc434e2612371c

            SHA512

            ea77d71297f7ef842f0c1c7b6f8eb53f8d6d3f223d4f5d2bb4214102601a1197f038a1339d5245ed87671947e90910b78cbe7081d05c0e5cedd55b0726e362f5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\yuhdkxje.exe
            Filesize

            99KB

            MD5

            33ace2a98e6aa56dbd6f1ae58a9af9ae

            SHA1

            67de6edab77318d997f002c9884dd08069612570

            SHA256

            8bf10012bf59dbc3f6509bbf1dc12490779fc5962aa37fcebbcc434e2612371c

            SHA512

            ea77d71297f7ef842f0c1c7b6f8eb53f8d6d3f223d4f5d2bb4214102601a1197f038a1339d5245ed87671947e90910b78cbe7081d05c0e5cedd55b0726e362f5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\yuhdkxje.exe
            Filesize

            99KB

            MD5

            33ace2a98e6aa56dbd6f1ae58a9af9ae

            SHA1

            67de6edab77318d997f002c9884dd08069612570

            SHA256

            8bf10012bf59dbc3f6509bbf1dc12490779fc5962aa37fcebbcc434e2612371c

            SHA512

            ea77d71297f7ef842f0c1c7b6f8eb53f8d6d3f223d4f5d2bb4214102601a1197f038a1339d5245ed87671947e90910b78cbe7081d05c0e5cedd55b0726e362f5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\yuhdkxje.exe
            Filesize

            99KB

            MD5

            33ace2a98e6aa56dbd6f1ae58a9af9ae

            SHA1

            67de6edab77318d997f002c9884dd08069612570

            SHA256

            8bf10012bf59dbc3f6509bbf1dc12490779fc5962aa37fcebbcc434e2612371c

            SHA512

            ea77d71297f7ef842f0c1c7b6f8eb53f8d6d3f223d4f5d2bb4214102601a1197f038a1339d5245ed87671947e90910b78cbe7081d05c0e5cedd55b0726e362f5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\yuhdkxje.exe
            Filesize

            99KB

            MD5

            33ace2a98e6aa56dbd6f1ae58a9af9ae

            SHA1

            67de6edab77318d997f002c9884dd08069612570

            SHA256

            8bf10012bf59dbc3f6509bbf1dc12490779fc5962aa37fcebbcc434e2612371c

            SHA512

            ea77d71297f7ef842f0c1c7b6f8eb53f8d6d3f223d4f5d2bb4214102601a1197f038a1339d5245ed87671947e90910b78cbe7081d05c0e5cedd55b0726e362f5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\yuhdkxje.exe
            Filesize

            99KB

            MD5

            33ace2a98e6aa56dbd6f1ae58a9af9ae

            SHA1

            67de6edab77318d997f002c9884dd08069612570

            SHA256

            8bf10012bf59dbc3f6509bbf1dc12490779fc5962aa37fcebbcc434e2612371c

            SHA512

            ea77d71297f7ef842f0c1c7b6f8eb53f8d6d3f223d4f5d2bb4214102601a1197f038a1339d5245ed87671947e90910b78cbe7081d05c0e5cedd55b0726e362f5

            Download Submit

          • memory/1376-167-0x0000000000400000-0x0000000000430000-memory.dmp

            Filesize

            192KB

            Download

          • memory/1376-165-0x0000000000030000-0x0000000000033000-memory.dmp

            Filesize

            12KB

            Download

          • memory/1376-157-0x000000006FC40000-0x000000006FD9D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/2028-168-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2100-184-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/2588-182-0x0000000000400000-0x0000000000430000-memory.dmp

            Filesize

            192KB

            Download

          • memory/2588-175-0x0000000000020000-0x0000000000023000-memory.dmp

            Filesize

            12KB

            Download

          • memory/2588-174-0x0000000000400000-0x0000000000430000-memory.dmp

            Filesize

            192KB

            Download

          • memory/2588-172-0x0000000070180000-0x00000000702DD000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/3208-144-0x0000000000400000-0x0000000000430000-memory.dmp

            Filesize

            192KB

            Download

          • memory/3208-136-0x0000000000400000-0x0000000000430000-memory.dmp

            Filesize

            192KB

            Download

          • memory/3208-137-0x0000000000030000-0x0000000000033000-memory.dmp

            Filesize

            12KB

            Download

          • memory/3208-138-0x0000000074C20000-0x0000000074D7D000-memory.dmp

            Filesize

            1.4MB

            Download

          • memory/4420-150-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/4420-156-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/4420-142-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/4420-146-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download

          • memory/4420-147-0x0000000000400000-0x0000000000436000-memory.dmp

            Filesize

            216KB

            Download