Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

d76f3053f1...c1.exe

windows7-x64

10

d76f3053f1...c1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    92s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/01/2025, 05:44 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d76f3053f1adc61b301254e79609c1f742af1b6f2f522d28115938e93921f4c1.exe

  • Size

    294KB

  • MD5

    7e2866b0b8d0cfa03f53e7503dbf985e

  • SHA1

    cc9e74bd26fa22ba4534155fd45837c593c2ff77

  • SHA256

    d76f3053f1adc61b301254e79609c1f742af1b6f2f522d28115938e93921f4c1

  • SHA512

    7cbe93521357cc78fca62017d5c3b5e198c49fdf5a4fd4499f1ab2785184720acce75186f0e2f7d6c65af7bba1427cfb770f3970d71ed68256f9646d4dc760f5

  • SSDEEP

    6144:9pHIJY18OuVXPF+u464y1Jfu/ZR5zgVoaO/r5oFBf8dYdyQ:9uve6DIXuBkCUQ

Score
10/10
ramnitbankerdiscoveryspywarestealertrojanupxworm

Malware Config

Signatures

  • Ramnit

    Ramnit is a versatile family that holds viruses, worms, and Trojans.

    trojanspywarestealerwormbankerramnit
  • Ramnit family
    ramnit
  • Executes dropped EXE 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d76f3053f1adc61b301254e79609c1f742af1b6f2f522d28115938e93921f4c1.exe
    "C:\Users\Admin\AppData\Local\Temp\d76f3053f1adc61b301254e79609c1f742af1b6f2f522d28115938e93921f4c1.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Users\Admin\AppData\Local\Temp\d76f3053f1adc61b301254e79609c1f742af1b6f2f522d28115938e93921f4c1Srv.exe
      C:\Users\Admin\AppData\Local\Temp\d76f3053f1adc61b301254e79609c1f742af1b6f2f522d28115938e93921f4c1Srv.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Program Files (x86)\Microsoft\DesktopLayer.exe
        "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3368
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3616
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3616 CREDAT:17410 /prefetch:2
            5⤵
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:4244

Network

  • flag-us
    DNS
    13.86.106.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    13.86.106.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    api.bing.com
    iexplore.exe
    Remote address:
    8.8.8.8:53
    Request
    api.bing.com
    IN A
    Response
    api.bing.com
    IN CNAME
    api-bing-com.e-0001.e-msedge.net
    api-bing-com.e-0001.e-msedge.net
    IN CNAME
    e-0001.e-msedge.net
    e-0001.e-msedge.net
    IN A
    13.107.5.80
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    22.160.190.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    22.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    5.114.82.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    5.114.82.104.in-addr.arpa
    IN PTR
    Response
    5.114.82.104.in-addr.arpa
    IN PTR
    a104-82-114-5deploystaticakamaitechnologiescom
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    133.211.185.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    133.211.185.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    50.23.12.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    50.23.12.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    161.19.199.152.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    161.19.199.152.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    198.187.3.20.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    198.187.3.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    89.121.18.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    89.121.18.2.in-addr.arpa
    IN PTR
    Response
    89.121.18.2.in-addr.arpa
    IN PTR
    a2-18-121-89deploystaticakamaitechnologiescom
  • flag-us
    DNS
    200.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    200.197.79.204.in-addr.arpa
    IN PTR
    Response
    200.197.79.204.in-addr.arpa
    IN PTR
    a-0001a-msedgenet
  • 204.79.197.200:443
    ieonline.microsoft.com
    tls, http2
    iexplore.exe
    1.2kB
     8.3kB
     15
    14
  • 8.8.8.8:53
    13.86.106.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    13.86.106.20.in-addr.arpa

  • 8.8.8.8:53
    api.bing.com
    dns
    iexplore.exe
    58 B
     134 B
     1
    1

    DNS Request

    api.bing.com

    DNS Response

    13.107.5.80

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
     128 B
     1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

  • 8.8.8.8:53
    22.160.190.20.in-addr.arpa
    dns
    72 B
     158 B
     1
    1

    DNS Request

    22.160.190.20.in-addr.arpa

  • 8.8.8.8:53
    5.114.82.104.in-addr.arpa
    dns
    71 B
     135 B
     1
    1

    DNS Request

    5.114.82.104.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
     144 B
     1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    133.211.185.52.in-addr.arpa
    dns
    73 B
     147 B
     1
    1

    DNS Request

    133.211.185.52.in-addr.arpa

  • 8.8.8.8:53
    50.23.12.20.in-addr.arpa
    dns
    70 B
     156 B
     1
    1

    DNS Request

    50.23.12.20.in-addr.arpa

  • 8.8.8.8:53
    161.19.199.152.in-addr.arpa
    dns
    73 B
     144 B
     1
    1

    DNS Request

    161.19.199.152.in-addr.arpa

  • 8.8.8.8:53
    198.187.3.20.in-addr.arpa
    dns
    71 B
     157 B
     1
    1

    DNS Request

    198.187.3.20.in-addr.arpa

  • 8.8.8.8:53
    89.121.18.2.in-addr.arpa
    dns
    70 B
     133 B
     1
    1

    DNS Request

    89.121.18.2.in-addr.arpa

  • 8.8.8.8:53
    200.197.79.204.in-addr.arpa
    dns
    73 B
     106 B
     1
    1

    DNS Request

    200.197.79.204.in-addr.arpa

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    dc142ff8759ecb81417ba231bbcf25d0

    SHA1

    201681d524cde8af5c11b5111f5fa697521c5739

    SHA256

    d6e2a573b1e137d8b823b82cfeaadeb30df36a0fa7a268a1278465b28fdc7bb6

    SHA512

    b36456cf3ef37e4bbe0e4acf8b25cc85a39f8517d1b80b3191b1be7ddc6d58c74247b2d9dedb0b67ac4f8a2f3d92773e90aee326cfe612f8573ba6ad6b73e833

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    9dc0c5bbe53353dec50af851fa41429a

    SHA1

    30895a8f46bff75b47fd0ec633276902cd5f7f7f

    SHA256

    d76d65451c180b2d375485e52ddf04fe3c9de07a3b2ff87a6f6796687f51e3b5

    SHA512

    dcb5e43fcaaefb9c7c6dc0d26815760b884d76f0960212398f8752a3b4a44d95ef9dec21163292f737c3c2f0208a11948399be803590073f8ee5b307a3df5718

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJLDY7V\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\d76f3053f1adc61b301254e79609c1f742af1b6f2f522d28115938e93921f4c1Srv.exe
    Filesize

    55KB

    MD5

    ff5e1f27193ce51eec318714ef038bef

    SHA1

    b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

    SHA256

    fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

    SHA512

    c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

    Download Submit

  • memory/1116-4-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1116-7-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1116-6-0x00000000006A0000-0x00000000006AF000-memory.dmp

    Filesize

    60KB

    Download

  • memory/1216-0-0x0000000000400000-0x000000000044D000-memory.dmp

    Filesize

    308KB

    Download

  • memory/1216-17-0x0000000000400000-0x000000000044D000-memory.dmp

    Filesize

    308KB

    Download

  • memory/3368-13-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3368-14-0x0000000000490000-0x0000000000491000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3368-15-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.