Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

e2f02a20ec...18.dll

windows7-x64

10

e2f02a20ec...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/12/2024, 19:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2f02a20ec56eef85cd857502f7c4606_JaffaCakes118.dll

  • Size

    460KB

  • MD5

    e2f02a20ec56eef85cd857502f7c4606

  • SHA1

    9e95aa94451b0209716580d37f08d557befd0c19

  • SHA256

    a22c5fcc9b2138f9a49ea73ac52678e9ad3edd4b92702b87cea992d005b40dbe

  • SHA512

    c47acf9d65334a08efb1c32f69be1b3bb1eb7de020748cacff487b049b9e42615ab1c1d027d2b7323f139f8563ada78f2d656f8f8a58c783dcf8e0c0af83fd60

  • SSDEEP

    6144:5/gxI5p8RC6JL0OFLm1I7AV4COHEQeewQeelQeesQeeudQeefQeeZKwQBIoqhvJc:GxI5QLM1aw4CIoqhKWy50tSd

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\system32\regsvr32.exe
    regsvr32 /s C:\Users\Admin\AppData\Local\Temp\e2f02a20ec56eef85cd857502f7c4606_JaffaCakes118.dll
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Windows\SysWOW64\regsvr32.exe
      /s C:\Users\Admin\AppData\Local\Temp\e2f02a20ec56eef85cd857502f7c4606_JaffaCakes118.dll
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3696
      • C:\Windows\SysWOW64\regsvr32mgr.exe
        C:\Windows\SysWOW64\regsvr32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:4440
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:4824
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:376
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 204
                6⤵
                • Program crash
                PID:4028
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2356
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2356 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3992
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              PID:4460
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 376 -ip 376
      1⤵
        PID:3056

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        471B

        MD5

        030d28178ec890f0d933359dad23da1e

        SHA1

        5fa5195ca05aea5caaf471afbcc2fd039876f3c4

        SHA256

        1e40a11d7943a7924cacca9632fa6dd8bd24fb1072cb61e64f9033ebce74806b

        SHA512

        0a4d2a2dc387cda5c4a2545d416aa40eaccc7f0176861c2862c0a792970282189548309263d0937913a9e8be8105074a8d7129b87e277db68a0efbc57f3030e6

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
        Filesize

        404B

        MD5

        69809f9a0ebabd94b5f7048e6c86d900

        SHA1

        60c5fc77f4f8ef64bcdf9287c288d9c2442690a9

        SHA256

        8e2a91b97a0cf592cb1c556b4fb97fa87115c4d3f23f6f729c1906cc74415e65

        SHA512

        6576ec4f01b4c31bb6a1b2d5513532a68a8e64124d6b669832875c32cd4679cf8f92181dbba23ba3e5e48975b2ff848ecaf8cb06895d7839be5e6c691b82a79a

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\XH3Z2ZON\suggestions[1].en-US
        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        Download Submit

      • C:\Windows\SysWOW64\regsvr32mgr.exe
        Filesize

        119KB

        MD5

        9d5d609dc8e2554054733d19eed45c5c

        SHA1

        ce72453fca9f477940a9def32bd8463549c6e1e4

        SHA256

        7a85b3db04beb0c4b6a8929fdf79726bcf1084efab0a9f04a8ebaa0a2bc9e0b1

        SHA512

        012cabde17ed1c1d1a48b5bc136591ff9c8e261e5da8bc7f67d0bd235a32150f63274362cdeef2376d2d5a38dfb0c9acc7cd3aa5244c1858b88b183f8cbe550b

        Download Submit

      • memory/376-33-0x00000000006F0000-0x00000000006F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/376-34-0x00000000006D0000-0x00000000006D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3696-0-0x0000000007430000-0x00000000074A3000-memory.dmp

        Filesize

        460KB

        Download

      • memory/4440-14-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4440-6-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4440-11-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4440-5-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

        Download

      • memory/4440-13-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4440-10-0x00000000008B0000-0x00000000008B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4440-12-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4440-8-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4440-7-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4824-30-0x0000000077EB2000-0x0000000077EB3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4824-35-0x0000000077EB2000-0x0000000077EB3000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4824-38-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

        Download

      • memory/4824-37-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

        Download

      • memory/4824-36-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4824-39-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4824-40-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4824-28-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4824-29-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

        Download

      • memory/4824-21-0x0000000000400000-0x0000000000429000-memory.dmp

        Filesize

        164KB

        Download