Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    92s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/12/2024, 05:11

General

  • Target

    badd24bd6383a7e823ec812a704a983dbd255c0ec969a2be228b24c27f0ac7dfN.dll

  • Size

    1.2MB

  • MD5

    a3b4fca3c9909a13d22aaabc72e62390

  • SHA1

    3bd9776dba676d1fa7ea5f5df336293cabea9870

  • SHA256

    badd24bd6383a7e823ec812a704a983dbd255c0ec969a2be228b24c27f0ac7df

  • SHA512

    ad9022e6a379b3faaa7d4f427cf121e2979607596ad7ce41d4329750a3e3705fee6f3cd0909d17ccedcf4a26a9220448d151d27710943f2561bc9da388b849a1

  • SSDEEP

    12288:v9g8GZHpzAac5naAd25L5O+FQ7lW8lZ60ICPxaf6og38BfSH6gqrandxT+is3pjD:v68+O6pvbt/wuzTB2OF8gnf

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 55 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\badd24bd6383a7e823ec812a704a983dbd255c0ec969a2be228b24c27f0ac7dfN.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\badd24bd6383a7e823ec812a704a983dbd255c0ec969a2be228b24c27f0ac7dfN.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:344
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:1952
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:4912
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:3580
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 3580 -s 204
                6⤵
                • Program crash
                PID:452
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3704
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3704 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:5096
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3340
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3340 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:1888
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 344 -s 612
          3⤵
          • Program crash
          PID:4684
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 344 -ip 344
      1⤵
        PID:4464
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3580 -ip 3580
        1⤵
          PID:4940

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

          Filesize

          471B

          MD5

          73d8dd7eaa8896905e31f1960f51ece1

          SHA1

          164e031603e75d95091220c5ff0d695547f6d3ae

          SHA256

          9ff75ab638fe252bd0d04aea3f0ce38270ffc8df5db9399f9ea45aaef196dddc

          SHA512

          4879585482992d7ea3ee02775b74592b06daab32a63dc7700dd4da40c45a524f3bcfc2beff928a85563f09ad0438be5b3e458bc3d0cd08ad146d416fec014a04

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

          Filesize

          404B

          MD5

          671dec4e4c30642df0207309ab3a31c3

          SHA1

          998e19128fd6314b2d4112bafc5b6d3b8f52523b

          SHA256

          4262d72b1ee04962804e4c96fb4274a5011051fbcd564a78f49478b9cc0bb148

          SHA512

          99639a350c5d87f8ac324dd5de9266c8be74435c2c203c684ec42505f23de4b7d951d0602b5b77bb9adafedd47ad6016ed5a2a6547715767089113e0d741d6ac

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

          Filesize

          404B

          MD5

          4dc0cab25b7c34be2104d35e65720629

          SHA1

          9dc089e8c5ae0d772c15c78a845af3ca19c76f33

          SHA256

          2701e239212c24091da19f6a4c670167f377a2ff776ac7a6d6924a245f645fa4

          SHA512

          14800229d9f241122bc5de699d245b96469126a574bbe5c2aa8e826a64505f2b68abc24652528731c127c77e7f9380862f7b1b726815736ccde695490455ddca

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EA8C899A-C347-11EF-B319-622000771059}.dat

          Filesize

          5KB

          MD5

          06037a4541f0d3346926faf734e08518

          SHA1

          d24f2c3d3eb6342ae12ca41cb4f01638a332a7eb

          SHA256

          37d30bc9f1359b240dc1627f04068305fa15e79973e95222814971b574e79dec

          SHA512

          91d1848d3a04c3fe709443d8c8ff5199e71e28ad5e6fd9d65ef40ee006b5fde9d9d781bbefcbcd6dde23a8f1db8c6936405a2016b730aa7e21f64d3706fe9e3c

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EA8EEB7A-C347-11EF-B319-622000771059}.dat

          Filesize

          3KB

          MD5

          0e0ce213f5ebcd6786f9367657c4030a

          SHA1

          4ed4a29d8983c6268c8c61f76ff390e26eaeba56

          SHA256

          f588d8b3ca8b3a6e3512723bbb3c871d04231c992cd6eba1048eedc55ea20f41

          SHA512

          b7c2afc99c21c5f190022550ca5ccd181fa8df433e56be3c6f6961c4a286fb3fe1dae4f74c9483cd00f8023dc4e192178b80844427be3d359285b29708adb79f

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verFA00.tmp

          Filesize

          15KB

          MD5

          1a545d0052b581fbb2ab4c52133846bc

          SHA1

          62f3266a9b9925cd6d98658b92adec673cbe3dd3

          SHA256

          557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

          SHA512

          bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\suggestions[1].en-US

          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

        • C:\Windows\SysWOW64\rundll32mgr.exe

          Filesize

          60KB

          MD5

          9da34792f12bfb224d0b0d16f9f62292

          SHA1

          da65efc75ff8be031bac9ba02eda64597f657c52

          SHA256

          a434a29856702b0daa752fac298e3b27e08016ca210e9eefc1431957a9e20334

          SHA512

          6af27047219bf6e0ede8877df56576109e50973f66d704bd1a923a8fde9bc29d7ef929576ad24e19cf82a5ae4a550a36ead42a1e0deb23f41954cbaae2724a9c

        • memory/344-33-0x0000000010000000-0x000000001013A000-memory.dmp

          Filesize

          1.2MB

        • memory/344-1-0x0000000010000000-0x000000001013A000-memory.dmp

          Filesize

          1.2MB

        • memory/1952-13-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/1952-12-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/1952-8-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/1952-7-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/1952-9-0x00000000008B0000-0x00000000008B1000-memory.dmp

          Filesize

          4KB

        • memory/1952-6-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/1952-10-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/1952-5-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/1952-14-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/3580-32-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

          Filesize

          4KB

        • memory/3580-31-0x0000000001200000-0x0000000001201000-memory.dmp

          Filesize

          4KB

        • memory/4912-35-0x00000000772B2000-0x00000000772B3000-memory.dmp

          Filesize

          4KB

        • memory/4912-36-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/4912-39-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/4912-27-0x00000000008D0000-0x00000000008D1000-memory.dmp

          Filesize

          4KB

        • memory/4912-34-0x0000000000070000-0x0000000000071000-memory.dmp

          Filesize

          4KB

        • memory/4912-26-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/4912-29-0x0000000000400000-0x0000000000421000-memory.dmp

          Filesize

          132KB

        • memory/4912-30-0x00000000772B2000-0x00000000772B3000-memory.dmp

          Filesize

          4KB