
Analysis

  • max time kernel
    10s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01/01/2024, 09:59 UTC

General

  • Target

    02db6c6dd0119ae4dd092c95269ef0fa.exe

  • Size

    104KB

  • MD5

    02db6c6dd0119ae4dd092c95269ef0fa

  • SHA1

    0c847bd4af6ef9eb9da384374fb70117be59150d

  • SHA256

    1e835832f440f1a949ff14547bfe943013f5211e3d5ad80632048554861d70ee

  • SHA512

    b83eef9cd127287da84fc6682b2cf84a1e6961d961fc6b194150ccce15fbdf5dae273a584041d39ffbabb7a55a7e922e43e1be8e67c1dce782360fb31f9d966b

  • SSDEEP

    3072:lQ5faGko6CFrbJKARb0WQ9FSE1Fk8jwaaHw7Koj4rgdy:61afCF3IO0WmFR

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Program crash 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02db6c6dd0119ae4dd092c95269ef0fa.exe
    "C:\Users\Admin\AppData\Local\Temp\02db6c6dd0119ae4dd092c95269ef0fa.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1952
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
      PID:4876
    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3576
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
      PID:3156
    • C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      2⤵
      PID:4064
    • C:\Users\Admin\AppData\Local\Temp\jcauhppdosanovdb.exe
      "C:\Users\Admin\AppData\Local\Temp\jcauhppdosanovdb.exe"
      2⤵
      PID:2916
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4876 -ip 4876
    1⤵
    PID:548
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 208
    1⤵
    • Program crash
    PID:3276
  • C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4496
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4496 CREDAT:17410 /prefetch:2
      2⤵
      PID:668
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4496 CREDAT:17416 /prefetch:2
      2⤵
      PID:4352
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 204
    1⤵
    • Program crash
    PID:4428
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3156 -ip 3156
    1⤵
    PID:1512
  • C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    1⤵
    PID:4948

Network

  • [US] DNS 2.136.104.51.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 2.136.104.51.in-addr.arpa IN PTR
    Response:
  • [US] DNS 17.160.190.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 17.160.190.20.in-addr.arpa IN PTR
    Response:
  • [US] DNS g.bing.com
    Remote address: 8.8.8.8:53
    Request: g.bing.com IN A
    Response:
      g.bing.com IN CNAME g-bing-com.a-0001.a-msedge.net
      g-bing-com.a-0001.a-msedge.net IN CNAME dual-a-0001.a-msedge.net
      dual-a-0001.a-msedge.net IN A 204.79.197.200
      dual-a-0001.a-msedge.net IN A 13.107.21.200
  • [US] GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=
    Remote address: 204.79.197.200:443
    Request:
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
    Response:
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MUID=3A8DEC18E21069EA2F90F81BE3376868; domain=.bing.com; expires=Tue, 04-Feb-2025 01:59:15 GMT; path=/; SameSite=None; Secure; Priority=High;
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: F253C96DE41A4B22A77128C3C35B1FD7 Ref B: LON04EDGE0714 Ref C: 2024-01-11T01:59:15Z
      date: Thu, 11 Jan 2024 01:59:14 GMT
  • [US] GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=
    Remote address: 204.79.197.200:443
    Request:
      GET /neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=3A8DEC18E21069EA2F90F81BE3376868
    Response:
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      set-cookie: MSPTC=-Krrj8KPtQfdkQi838fEqpfQvB-jsJOJhUtJQuKbfMU; domain=.bing.com; expires=Tue, 04-Feb-2025 01:59:15 GMT; path=/; Partitioned; secure; SameSite=None
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 6CB4078784154FBA993797BACE30FD43 Ref B: LON04EDGE0714 Ref C: 2024-01-11T01:59:15Z
      date: Thu, 11 Jan 2024 01:59:14 GMT
  • [US] GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=
    Remote address: 204.79.197.200:443
    Request:
      GET /neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid= HTTP/2.0
      host: g.bing.com
      accept-encoding: gzip, deflate
      user-agent: WindowsShellClient/9.0.40929.0 (Windows)
      cookie: MUID=3A8DEC18E21069EA2F90F81BE3376868; MSPTC=-Krrj8KPtQfdkQi838fEqpfQvB-jsJOJhUtJQuKbfMU
    Response:
      HTTP/2.0 204
      cache-control: no-cache, must-revalidate
      pragma: no-cache
      expires: Fri, 01 Jan 1990 00:00:00 GMT
      strict-transport-security: max-age=31536000; includeSubDomains; preload
      access-control-allow-origin: *
      x-cache: CONFIG_NOCACHE
      accept-ch: Sec-CH-UA-Arch, Sec-CH-UA-Bitness, Sec-CH-UA-Full-Version, Sec-CH-UA-Full-Version-List, Sec-CH-UA-Mobile, Sec-CH-UA-Model, Sec-CH-UA-Platform, Sec-CH-UA-Platform-Version
      x-msedge-ref: Ref A: 2F2EC2FA65594F23ACD28AB3315E5FBD Ref B: LON04EDGE0714 Ref C: 2024-01-11T01:59:15Z
      date: Thu, 11 Jan 2024 01:59:14 GMT
  • [US] DNS 240.221.184.93.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 240.221.184.93.in-addr.arpa IN PTR
    Response:
  • [US] DNS 200.197.79.204.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 200.197.79.204.in-addr.arpa IN PTR
    Response:
      200.197.79.204.in-addr.arpa IN PTR a-0001a-msedgenet
  • [US] DNS 95.221.229.192.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response:
  • [US] DNS api.bing.com
    Remote address: 8.8.8.8:53
    Request: api.bing.com IN A
    Response:
      api.bing.com IN CNAME api-bing-com.e-0001.e-msedge.net
      api-bing-com.e-0001.e-msedge.net IN CNAME e-0001.e-msedge.net
      e-0001.e-msedge.net IN A 13.107.5.80
  • [US] DNS 55.36.223.20.in-addr.arpa
    Remote address: 8.8.8.8:53
    Request: 55.36.223.20.in-addr.arpa IN PTR
    Response:
  • 204.79.197.200:443
    https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=
    tls, http2
    2.5kB
    9.4kB
    24
    18

    HTTP Request
    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=
    HTTP Response
    204

    HTTP Request
    GET https://g.bing.com/neg/0?action=emptycreative&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=
    HTTP Response
    204

    HTTP Request
    GET https://g.bing.com/neg/0?action=emptycreativeimpression&adUnitId=11730597&publisherId=251978541&rid=b9118427245846be9a9ee6e7a90ce70f&localId=w:74019202-808B-909D-A3F8-27A805F8E594&deviceId=6825827065235624&anid=
    HTTP Response
    204
  • 88.221.135.217:80
    8.1kB
    219.5kB
    129
    161
  • 20.103.156.88:443
    tls
    501 B
    318 B
    5
    4
  • 20.103.156.88:443
    tls, https
    165 B
    1
  • 88.221.135.217:80
    52 B
    52 B
    1
    1
  • 20.103.156.88:443
    tls, https
    888 B
    1
  • 88.221.135.217:80
    52 B
    1.3kB
    1
    2
  • 204.79.197.200:443
    g.bing.com
    576 B
    16.8kB
    12
    12
  • 88.221.135.217:80
    952 B
    17.7kB
    15
    14
  • 8.8.8.8:53
    2.136.104.51.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request
    2.136.104.51.in-addr.arpa
  • 8.8.8.8:53
    17.160.190.20.in-addr.arpa
    dns
    72 B
    158 B
    1
    1

    DNS Request
    17.160.190.20.in-addr.arpa
  • 8.8.8.8:53
    g.bing.com
    dns
    56 B
    158 B
    1
    1

    DNS Request
    g.bing.com
    DNS Response
    204.79.197.200
    13.107.21.200
  • 8.8.8.8:53
    240.221.184.93.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request
    240.221.184.93.in-addr.arpa
  • 8.8.8.8:53
    200.197.79.204.in-addr.arpa
    dns
    73 B
    106 B
    1
    1

    DNS Request
    200.197.79.204.in-addr.arpa
  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request
    95.221.229.192.in-addr.arpa
  • 8.8.8.8:53
    api.bing.com
    dns
    58 B
    134 B
    1
    1

    DNS Request
    api.bing.com
    DNS Response
    13.107.5.80
  • 8.8.8.8:53
    55.36.223.20.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request
    55.36.223.20.in-addr.arpa
MITRE ATT&CK Enterprise v15


Downloads

  • memory/1952-2-0x00000000009F0000-0x00000000009F2000-memory.dmp
    Filesize: 8KB
  • memory/1952-17-0x0000000077092000-0x0000000077093000-memory.dmp
    Filesize: 4KB
  • memory/1952-16-0x0000000000400000-0x0000000000439CD4-memory.dmp
    Filesize: 231KB
  • memory/1952-7-0x0000000077092000-0x0000000077093000-memory.dmp
    Filesize: 4KB
  • memory/1952-5-0x0000000000A10000-0x0000000000A11000-memory.dmp
    Filesize: 4KB
  • memory/1952-4-0x0000000000A00000-0x0000000000A01000-memory.dmp
    Filesize: 4KB
  • memory/1952-0-0x0000000000400000-0x0000000000439CD4-memory.dmp
    Filesize: 231KB
  • memory/1952-10-0x0000000000400000-0x0000000000439CD4-memory.dmp
    Filesize: 231KB
  • memory/1952-1-0x0000000000400000-0x0000000000439CD4-memory.dmp
    Filesize: 231KB
  • memory/1952-14-0x0000000000400000-0x0000000000439CD4-memory.dmp
    Filesize: 231KB
  • memory/2916-34-0x0000000000400000-0x0000000000439CD4-memory.dmp
    Filesize: 231KB
  • memory/2916-32-0x0000000002060000-0x0000000002062000-memory.dmp
    Filesize: 8KB
  • memory/2916-30-0x0000000000400000-0x0000000000439CD4-memory.dmp
    Filesize: 231KB
  • memory/4876-9-0x00000000007D0000-0x00000000007D1000-memory.dmp
    Filesize: 4KB
  • memory/4876-8-0x00000000007F0000-0x00000000007F1000-memory.dmp
    Filesize: 4KB
