Analysis

  • max time kernel
    93s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/12/2024, 05:55

General

  • Target

    b79592748b232a9a56ffbc5073ca7e34936d3514ae23e54303c5306313171d16.dll

  • Size

    220KB

  • MD5

    ee4be9785927807e79d978973718d718

  • SHA1

    12d55fb9ff9a875262b9d2989f9010dfc9f321b4

  • SHA256

    b79592748b232a9a56ffbc5073ca7e34936d3514ae23e54303c5306313171d16

  • SHA512

    dc36d9dd0c0681758681dd6994decabc953d5a490e0b168d8f1b3cabcb51eb95f3260f36f7cf05abe8fb7e44d096f7f655db750f08ca9796b1362255df0ef004

  • SSDEEP

    3072:QgKKuiX63bw5dNjDh8pWVgTlFIYnT1rXk1LGYrM/OkiHfnt:BKZp3KNjVGvRr+LGJ/OkGft

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile malware family that includes viruses, worms, and Trojans.

  • Ramnit family
  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 3 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b79592748b232a9a56ffbc5073ca7e34936d3514ae23e54303c5306313171d16.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4468
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\b79592748b232a9a56ffbc5073ca7e34936d3514ae23e54303c5306313171d16.dll,#1
      2⤵
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4744
      • C:\Windows\SysWOW64\rundll32mgr.exe
        C:\Windows\SysWOW64\rundll32mgr.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of UnmapMainImage
        • Suspicious use of WriteProcessMemory
        PID:4712
        • C:\Program Files (x86)\Microsoft\WaterMark.exe
          "C:\Program Files (x86)\Microsoft\WaterMark.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of UnmapMainImage
          • Suspicious use of WriteProcessMemory
          PID:3916
          • C:\Windows\SysWOW64\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:236
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 236 -s 204
                6⤵
                • Program crash
                PID:216
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2576
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2576 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:4436
            • C:\Program Files\Internet Explorer\iexplore.exe
              "C:\Program Files\Internet Explorer\iexplore.exe"
              5⤵
              • Modifies Internet Explorer settings
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1308
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1308 CREDAT:17410 /prefetch:2
                6⤵
                • System Location Discovery: System Language Discovery
                • Modifies Internet Explorer settings
                • Suspicious use of SetWindowsHookEx
                PID:3696
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 236 -ip 236
      1⤵
        PID:1492

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        471B

        MD5

        73d8dd7eaa8896905e31f1960f51ece1

        SHA1

        164e031603e75d95091220c5ff0d695547f6d3ae

        SHA256

        9ff75ab638fe252bd0d04aea3f0ce38270ffc8df5db9399f9ea45aaef196dddc

        SHA512

        4879585482992d7ea3ee02775b74592b06daab32a63dc7700dd4da40c45a524f3bcfc2beff928a85563f09ad0438be5b3e458bc3d0cd08ad146d416fec014a04

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        404B

        MD5

        9715d4964a568ea61dc8b7173408b204

        SHA1

        48331b8217f45e08d85586d07e58d10cec96212c

        SHA256

        6fc7eed4500da0ae618485d41e64305306fb8adef6c4aed665e0316834d755ab

        SHA512

        d0bc72431f51645b07287334d44166f195b3909a528895f7d1ccc25ab73d63b0048a2d10d2b54b0a4f4c394f4476d3f42a86a18f4e0879d0d789ec65ddd2a12e

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

        Filesize

        404B

        MD5

        9fe0b2731333f838348fae6cb48af95b

        SHA1

        4c03166508e55f23af8b18050cd0807bb2bb6420

        SHA256

        a6639d68277263add626524a681c01b46d68a3147d212fded021310bb77e80e3

        SHA512

        981f79d115d8dfcfa5f2496d039a5f28e9c09057225ff4eed631000691cf3efb7c6998e7669873031ad85e9a7d0f231dedafe7636e051007f5b1ad9a957d5694

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{168AED39-C34E-11EF-AEE2-468C69F2ED48}.dat

        Filesize

        3KB

        MD5

        376ffaa1ffd76a76a97dbf0460dd292b

        SHA1

        9d126ec24f324f364b4bf0f50e261a80d1ab3b47

        SHA256

        fd9c48f7cd47fe8782e6066553e9f0c08a8133978a799f4c260f2633b79ab9ab

        SHA512

        cf61d96fdfdb8d0feea1c4c15ac38528f08c932f4c2c05c07d0c48a48eb7ff630b1b3290701d1ed57546622a077750628c1a61406468195ae02a7b988447dcc9

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{168B1449-C34E-11EF-AEE2-468C69F2ED48}.dat

        Filesize

        5KB

        MD5

        c3389e30ca5e3f1bb2807e9702bd9151

        SHA1

        1be9a90dc876287b755e4426d691ed18e98a58a2

        SHA256

        4a2038093072c98161a7713e9003e44f71ae0fd9fba7261870b779bc6d932a86

        SHA512

        b1dedf03a09c03c05046d3729920995c51679b0a22bb554ffee97ed99faa58680d02f323b848b3ebb16a0981523a631bc2ad20639416bfa51ca905f972c5c4f1

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver2026.tmp

        Filesize

        15KB

        MD5

        1a545d0052b581fbb2ab4c52133846bc

        SHA1

        62f3266a9b9925cd6d98658b92adec673cbe3dd3

        SHA256

        557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

        SHA512

        bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\M6JHG9EK\suggestions[1].en-US

        Filesize

        17KB

        MD5

        5a34cb996293fde2cb7a4ac89587393a

        SHA1

        3c96c993500690d1a77873cd62bc639b3a10653f

        SHA256

        c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

        SHA512

        e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      • C:\Windows\SysWOW64\rundll32mgr.exe

        Filesize

        103KB

        MD5

        424873689d318369e458684a7d47bf18

        SHA1

        cc85aecf385fa222d3073d2aa53dcd0b3eb62068

        SHA256

        04a22ca7674eedef61f9dac1dd7ad08460ff0c0d4e71ba34aa2469bebec8029c

        SHA512

        53e67ebd100ade88ce81477eaf54b0592da0feb461c8e63cb46420a82d3d26bac93eb75455fd745d3277a31f9d6841f356267b685fb55fe4236833a0e79bef8f

      • memory/236-36-0x0000000000C60000-0x0000000000C61000-memory.dmp

        Filesize

        4KB

      • memory/236-35-0x0000000000C80000-0x0000000000C81000-memory.dmp

        Filesize

        4KB

      • memory/3916-26-0x0000000000400000-0x000000000049A000-memory.dmp

        Filesize

        616KB

      • memory/3916-43-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/3916-31-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/3916-44-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/3916-29-0x00000000001E0000-0x00000000001E1000-memory.dmp

        Filesize

        4KB

      • memory/3916-32-0x0000000077762000-0x0000000077763000-memory.dmp

        Filesize

        4KB

      • memory/3916-37-0x0000000077762000-0x0000000077763000-memory.dmp

        Filesize

        4KB

      • memory/3916-39-0x0000000000400000-0x000000000049A000-memory.dmp

        Filesize

        616KB

      • memory/3916-40-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/3916-38-0x0000000000070000-0x0000000000071000-memory.dmp

        Filesize

        4KB

      • memory/4712-14-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4712-8-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4712-11-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4712-13-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4712-15-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4712-7-0x0000000000400000-0x000000000049A000-memory.dmp

        Filesize

        616KB

      • memory/4712-30-0x0000000000401000-0x0000000000404000-memory.dmp

        Filesize

        12KB

      • memory/4712-12-0x00000000001B0000-0x00000000001B1000-memory.dmp

        Filesize

        4KB

      • memory/4712-10-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4712-9-0x0000000000400000-0x0000000000421000-memory.dmp

        Filesize

        132KB

      • memory/4712-6-0x0000000000401000-0x0000000000404000-memory.dmp

        Filesize

        12KB

      • memory/4712-4-0x0000000000400000-0x000000000049A000-memory.dmp

        Filesize

        616KB

      • memory/4744-1-0x0000000010000000-0x0000000010039000-memory.dmp

        Filesize

        228KB