Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2024, 09:30

General

  • Target

    380232c4d78e4c015ab8469ff62c8f2d4d44f2ebbc3aca0baf26d785402d87dc.dll

  • Size

    353KB

  • MD5

    c04f67210a558c26d0132036cb2d0c25

  • SHA1

    5896f685f25d4908826960d5dd3e0e82ce2e00c1

  • SHA256

    380232c4d78e4c015ab8469ff62c8f2d4d44f2ebbc3aca0baf26d785402d87dc

  • SHA512

    825857f3e8020003cd6bf2acac6be61e3174be77ed9aeea77f8cfb6e277d601abdb575f84fac5df3683d225df9902e048a05c10254519170bf811e5917d9b2cd

  • SSDEEP

    6144:O1HCQc7/p7NthksJroUcdp1bw/uu+eLDXfbrTrzDIPS0iYrp1Hfmn1T:O1HCQOTthksJroUmp1bw/5DXfbzz0PSn

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 30 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\380232c4d78e4c015ab8469ff62c8f2d4d44f2ebbc3aca0baf26d785402d87dc.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1724
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\380232c4d78e4c015ab8469ff62c8f2d4d44f2ebbc3aca0baf26d785402d87dc.dll,#1
      2⤵
      • Drops file in System32 directory
      • Suspicious use of WriteProcessMemory
      PID:3556
      • C:\Windows\SysWOW64\rundll32Srv.exe
        C:\Windows\SysWOW64\rundll32Srv.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1272
        • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
          "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4620
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1952
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1952 CREDAT:17410 /prefetch:2
              6⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:3740
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 632
        3⤵
        • Program crash
        PID:1284
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3556 -ip 3556
    1⤵
      PID:3876

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\1FEO3GJB\suggestions[1].en-US

      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    • C:\Windows\SysWOW64\rundll32Srv.exe

      Filesize

      55KB

      MD5

      42bacbdf56184c2fa5fe6770857e2c2d

      SHA1

      521a63ee9ce2f615eda692c382b16fc1b1d57cac

      SHA256

      d1a57e19ddb9892e423248cc8ff0c4b1211d22e1ccad6111fcac218290f246f0

      SHA512

      0ab916dd15278e51bccfd2ccedd80d942b0bddb9544cec3f73120780d4f7234ff7456530e1465caf3846616821d1b385b6ae58a5dff9ffe4d622902c24fd4b71

    • memory/1272-4-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/1272-7-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/1272-5-0x0000000000550000-0x000000000055F000-memory.dmp

      Filesize

      60KB

    • memory/3556-19-0x0000000010000000-0x000000001005E000-memory.dmp

      Filesize

      376KB

    • memory/3556-1-0x0000000010000000-0x000000001005E000-memory.dmp

      Filesize

      376KB

    • memory/4620-16-0x0000000077EC2000-0x0000000077EC3000-memory.dmp

      Filesize

      4KB

    • memory/4620-14-0x0000000000670000-0x0000000000671000-memory.dmp

      Filesize

      4KB

    • memory/4620-17-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/4620-18-0x0000000000660000-0x000000000066F000-memory.dmp

      Filesize

      60KB

    • memory/4620-15-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

    • memory/4620-12-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB