Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 90s
- max time network: 91s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64 arch:x86 image:win7-20240729-en locale:en-us os:windows7-x64 system
- submitted: 24/01/2025, 21:16
- Static task: static1
- Behavioral task: behavioral1
- Sample: c5a5958c8a6eadefa872704f3fc5c84bc6bca1bd7148039641f71c94e07111e1.dll
- Resource: win7-20240729-en
General
- Target: c5a5958c8a6eadefa872704f3fc5c84bc6bca1bd7148039641f71c94e07111e1.dll
- Size: 232KB
- MD5: 056cf9cd2d87cd3ed65015921c9c7e25
- SHA1: 99a8a59d984fe663828a368fbb484ed50a2e199d
- SHA256: c5a5958c8a6eadefa872704f3fc5c84bc6bca1bd7148039641f71c94e07111e1
- SHA512: c518186dd5e2d321277920230a95465f76a74bb7b489fefcdf9d2688adba19f03fa754ce532a859564e0bd7591f378bdf31b41d06b06c0616ab839c6d5f23f95
- SSDEEP: 3072:h+aJd9iRyxPqPYk4K2+QOtvhgWtx50GB/oMpl8aXYQ+cIPKc+4r:gaGyxPqgk4V/OJ30G59pl82O9pr
Malware Config
Signatures
- Ramnit family

- Executes dropped EXE (2 IoCs)
  pid 2532 rundll32Srv.exe
  pid 2856 DesktopLayer.exe

- Loads dropped DLL (2 IoCs)
  pid 2132 rundll32.exe
  pid 2532 rundll32Srv.exe

- Drops file in System32 directory (1 IoC)
  File created C:\Windows\SysWOW64\rundll32Srv.exe by rundll32.exe

- UPX packed file (yara rule upx, 7 IoCs)
  behavioral1/memory/2132-5-0x0000000000140000-0x000000000016E000-memory.dmp
  behavioral1/files/0x000b00000001225e-2.dat
  behavioral1/memory/2532-8-0x0000000000400000-0x000000000042E000-memory.dmp
  behavioral1/memory/2532-13-0x0000000000400000-0x000000000042E000-memory.dmp
  behavioral1/memory/2856-20-0x0000000000400000-0x000000000042E000-memory.dmp
  behavioral1/memory/2856-23-0x0000000000400000-0x000000000042E000-memory.dmp
  behavioral1/memory/2856-22-0x0000000000400000-0x000000000042E000-memory.dmp

- Drops file in Program Files directory (3 IoCs)
  File opened for modification C:\Program Files (x86)\Microsoft\px1C47.tmp by rundll32Srv.exe
  File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe by rundll32Srv.exe
  File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe by rundll32Srv.exe

- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by rundll32Srv.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by DesktopLayer.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by IEXPLORE.EXE
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by rundll32.exe

- Modifies Internet Explorer settings (28 IoCs)
  All keys below are relative to \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer and were written by iexplore.exe unless noted.
  Key created Main
  Key created IETld\LowMic
  Key created Main (by IEXPLORE.EXE)
  Set value (str) Main\FullScreen = "no"
  Key created GPU
  Key created InternetRegistry
  Key created LowRegistry\DontShowMeThisDialogAgain
  Key created PageSetup
  Key created Main\WindowsSearch
  Set value (data) Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000
  Key created IntelliForms
  Key created LowRegistry\DOMStorage
  Set value (int) SearchScopes\DownloadRetries = "3"
  Key created Toolbar\WebBrowser
  Key created SearchScopes
  Key created BrowserEmulation\LowMic
  Set value (int) Recovery\PendingRecovery\AdminActive = "0"
  Key created DomainSuggestion
  Set value (int) Recovery\AdminActive\{8C4CF2C1-DA98-11EF-85F9-DEBA79BDEBEA} = "0"
  Set value (str) Main\WindowsSearch\Version = "WS not running"
  Set value (int) DomainSuggestion\NextUpdateDate = "443915297"
  Key created LowRegistry
  Key created Toolbar
  Key created Zoom
  Set value (int) Main\CompatibilityFlags = "0"
  Key created Recovery\AdminActive
  Key created Recovery\PendingRecovery
  Set value (int) Recovery\PendingRecovery\AdminActive = "1"

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 2856 DesktopLayer.exe (4 hits)

- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2392 iexplore.exe

- Suspicious use of SetWindowsHookEx (6 IoCs)
  pid 2392 iexplore.exe (2 hits)
  pid 2608 IEXPLORE.EXE (4 hits)

- Suspicious use of WriteProcessMemory (23 IoCs)
  PID 2188 rundll32.exe wrote to memory of PID 2132 (procid_target 30), 7 times
  PID 2132 rundll32.exe wrote to memory of PID 2532 (procid_target 31), 4 times
  PID 2532 rundll32Srv.exe wrote to memory of PID 2856 (procid_target 32), 4 times
  PID 2856 DesktopLayer.exe wrote to memory of PID 2392 (procid_target 33), 4 times
  PID 2392 iexplore.exe wrote to memory of PID 2608 (procid_target 34), 4 times
Processes
(indentation shows parent/child; the number is the depth in the tree)

1. C:\Windows\system32\rundll32.exe (PID 2188)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c5a5958c8a6eadefa872704f3fc5c84bc6bca1bd7148039641f71c94e07111e1.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (PID 2132)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\c5a5958c8a6eadefa872704f3fc5c84bc6bca1bd7148039641f71c94e07111e1.dll,#1
      - Loads dropped DLL
      - Drops file in System32 directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\rundll32Srv.exe (PID 2532)
         Command line: C:\Windows\SysWOW64\rundll32Srv.exe
         - Executes dropped EXE
         - Loads dropped DLL
         - Drops file in Program Files directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4. C:\Program Files (x86)\Microsoft\DesktopLayer.exe (PID 2856)
            Command line: "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

            5. C:\Program Files\Internet Explorer\iexplore.exe (PID 2392)
               Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
               - Modifies Internet Explorer settings
               - Suspicious use of FindShellTrayWindow
               - Suspicious use of SetWindowsHookEx
               - Suspicious use of WriteProcessMemory

               6. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2608)
                  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2392 CREDAT:275457 /prefetch:2
                  - System Location Discovery: System Language Discovery
                  - Modifies Internet Explorer settings
                  - Suspicious use of SetWindowsHookEx
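The chain above, expressed as detection logic over process-creation telemetry. This is an added example and not tria.ge code: the event records are constructed to mirror the Processes tree (same PIDs, images and command lines), PID 1 as the parent of the first rundll32 is a placeholder, and the rule names and the ProcEvent record shape are assumptions of this example. The first hop, the system32 rundll32 re-launching the SysWOW64 copy with 7 memory writes, is normal for a 32-bit DLL on x64 Windows, so the rules key on what only the dropper does: a rundll32 child named rundll32Srv.exe, DesktopLayer.exe under Program Files (x86)\Microsoft, and a browser started by that dropper.

```python
"""Detection logic for the dropper chain this report records.

Added example, not tria.ge's own code. The process-creation records are
constructed to mirror the report's Processes tree (same PIDs, images and
command lines); PID 1 as the parent of the first rundll32 is a placeholder,
and the rule names and the ProcEvent shape are this example's assumptions.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


SAMPLE_DLL = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\c5a5958c8a6eadefa872704f3fc5c84bc6bca1bd7148039641f71c94e07111e1.dll")

# Constructed from the report's Processes tree.
EVENTS = [
    ProcEvent(2188, 1, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(2132, 2188, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(2532, 2132, r"C:\Windows\SysWOW64\rundll32Srv.exe", r"C:\Windows\SysWOW64\rundll32Srv.exe"),
    ProcEvent(2856, 2532, r"C:\Program Files (x86)\Microsoft\DesktopLayer.exe",
              r'"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"'),
    ProcEvent(2392, 2856, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    ProcEvent(2608, 2392, r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
              r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2392 CREDAT:275457 /prefetch:2'),
]


def basename(path: str) -> str:
    # ntpath handles backslash paths regardless of the host OS
    return ntpath.basename(path).lower()


def detect(events):
    """Return (pid, reason) for every event that matches a rule. The rules are
    derived from the behaviours listed in this report, not from a vendor set."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        name = basename(e.image)
        # Rule 1: rundll32 invoking a DLL from a user temp directory by ordinal #1.
        if (name == "rundll32.exe" and "\\appdata\\local\\temp\\" in e.cmdline.lower()
                and e.cmdline.rstrip().endswith(",#1")):
            findings.append((e.pid, "rundll32 loads DLL from %TEMP% by ordinal #1"))
        # Rule 2: Windows ships no rundll32Srv.exe; a rundll32 child by that name is a drop.
        if name == "rundll32srv.exe" and pname == "rundll32.exe":
            findings.append((e.pid, "dropped rundll32Srv.exe spawned by rundll32"))
        # Rule 3: DesktopLayer.exe under Program Files (x86)\Microsoft.
        if name == "desktoplayer.exe" and "\\program files (x86)\\microsoft\\" in e.image.lower():
            findings.append((e.pid, "DesktopLayer.exe under Program Files (x86)\\Microsoft"))
        # Rule 4: the browser is started by the dropper (injection target), not by a user shell.
        if name == "iexplore.exe" and pname == "desktoplayer.exe":
            findings.append((e.pid, "iexplore.exe launched by DesktopLayer.exe"))
    return findings


def ancestry(events, pid):
    """Image names from the root of the tree down to pid, for triage output."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(pid, reason, "<-", " > ".join(ancestry(EVENTS, pid)))
```

Rule 1 fires on both rundll32 instances and is the noisiest of the four on a real host (installers use rundll32 from temp too); rules 2 to 4 are the ones worth alerting on directly, and ancestry() gives the analyst the full parent chain for the hit.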
Network
MITRE ATT&CK Enterprise v15
Downloads
The same CryptnetUrlCache metadata file was captured eleven times with different contents; each capture is listed with its own hashes. The last three entries are recorded without a path.

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 6723d34d51a98f0e52051576d42d1201
  SHA1: bda320735acb9ad7d5ef2f9ec4e3de77df4cf260
  SHA256: e86735d65b03cd306c1ad4eead1478d9a2597f17c379c7570454a9061054a5a2
  SHA512: 070d032d387831da441695cdc23f3fbee96e635725f65d1659a8fd80ea5c1a79714b461f49fb1915e7ecb202e463770be26ca46992940308ee8d0e7c046b8c11

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: c253f26971ac55ece2823e5d211960a2
  SHA1: 9bc69123cbaec35413d87539b4a4d38fc57ab6b2
  SHA256: 9756a1e46bbcf3695bf5d812ae681535004448d0dadca20eeade8a01f1dd4a4f
  SHA512: d4f1039faf80d7e815c4df67972ab22143f0195c503694b8d7c5984a3dd850267b8f9f915344a59301bc3f6916036c0f5d651b73033791fa15bd40f632c0c0f3

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: b2079cd5ba41357495aae7af0682550e
  SHA1: 1898050d6830e589607539808c8c80cd6464ba1a
  SHA256: 795a6e46821c16c684075a6b0f60539df94da5fdeed5f77dc861188221c4e784
  SHA512: a09a5a1bc823a4df01fd4e08a874ae02c3f7c29b3649de0ac4164b4f81afef1e1e46e4b1f4233a19f2c65a4e1ae788eb77e0203e616a4c1c0a88c8803b22e205

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e33e42cbad14fee46171889c4130ecc7
  SHA1: d0c181142c2ee49366e3ca7a11dce4177c1c69a0
  SHA256: 21ab1dabb5c2ab710db6e2ef66dae2d5dfe1b12005bd86cedeed4b5a239b1d9b
  SHA512: 8bbe1dd006fadfe4bab40aa9f025f8f17079bb363750deee1ccd9152ca0e1537b251172b7c13f33321918ac93857a671cf788e7b507c5935dbceec67818f89c1

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: ed8b5a6d388f242925b5b3408aafe685
  SHA1: 2d76fd29378f3f760c069f7c5ac8fc357e887295
  SHA256: 1f1fdc3d0fe0e5bb6c28c8a9e11018f5244b2f728ff3e8db5a3ed539ef70eb6e
  SHA512: a74bcbc76907bda211e3d727f35e948ed120037979d7325b7ea617c9ff1202b0bcaa8be7620e9ab55c8b795ba2fd81cdb43299f1c50461f4a468ab979b71436c

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 88b4c38a25f19ea488fe2003f9055d1a
  SHA1: 6049cb97a94afe4b1a05676bdf846412f03e96c4
  SHA256: 4687e15afe1f1284bfc7c27348acb1229a8a8b718b17f94635a3b92c1a1823cb
  SHA512: aebca4a27337bab9cdb102b71e4e50eda15befba3c8aab76b8ad9e8b6ffe17dace1b877d7b2135852cbda6f9cf145bc6978c21eed4e200cbf244afd4bd5cabdf

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 44962f825df6f3fa5ab4b35c384fad88
  SHA1: c104f47b4cf38f51b3c5af5213de4c4711979f29
  SHA256: 41c5e2b39bdb8c7f26b93d3bc30522eba7f03136abb6da4629a70806b06cdbbb
  SHA512: 625676dc04729868238323f3cbf00b4b37810d7b53eca97fd0606455b848e77eb7a6315797c406f2756128b487fee048a048be655dd9af7b4ded5ed0868648d9

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 0d57a0c000579034924be3ad8c6514ea
  SHA1: a8a96660402eecf55672fc4dcd443e029f7dbf4b
  SHA256: 5351f84fe4fa8f7743fd4b51eda4d972d9fe16f80fe148df8fa7af53e44b08fb
  SHA512: c8b78643cd6bef3f544d7af05933bc3976abea8d6c4ae6075a110713ab66d9437e2a02c4e0c3a2b94fdbe193e4625d58ac2799753f9b1e917fe7f0ce81eaf4a5

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 0548a82586607cf3a0320cac4dea1c11
  SHA1: 58f25712b175d0f3de4ea249b27ee804441708a2
  SHA256: cb87e5140b0efe676b71f13d5288e14a75ceb371a428aa2a8aa188894e51ce13
  SHA512: 468bc248dba2f4d1fea2dd9b99b91c1829e04ee2f2f2349da21c6aeec19ecad21023bfe97767c152d0fe28002a675866c65c4d5f576468fb476bf68da831b892

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: d3c8cb2e1daf9119f78175f91e0100ed
  SHA1: 8dfc85a26ecb5a3c7786a82eb2b8effc329fadff
  SHA256: 1f28136480e936c0f5d6473d598c898bbb14d0294fe3f357b10354310fdca469
  SHA512: 82ffe95a31a4c88d339edd59b9340a1fccac9b9e776410c65de45ef80559fe7f50abeb3251cf323c189ab1992351c7ab0efa8b4bc7d07d10d14748648e53182f

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 93be9c4208564f8bfc87ed5a66e8eadc
  SHA1: 038c55d62523e4571f437c5e80a91dbf6e203efe
  SHA256: 4825e7e1cf6bf1d916fe29753856fe51d2606dfa66c30b44bfc5c5c517f26a4b
  SHA512: 3043446d8b1e96cdcfcf46c2ea064161a2a9a0503a089a69e45ae6f1422b7a0038bf8fd32d373357e4e9c89c04e9acf8ac6fa8df6293d31b285eac3c71c39da6

- (path not recorded)
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

- (path not recorded)
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

- (path not recorded)
  Filesize: 55KB
  MD5: ff5e1f27193ce51eec318714ef038bef
  SHA1: b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
  SHA256: fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
  SHA512: c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
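A host triage sweep built from the file artifacts this report records: the two drop locations from the Signatures section, the px*.tmp file the dropper opened, and the SHA256 values of the submitted DLL and of the three dropped files listed above without a path. This is an added example, not tria.ge code. build_demo_tree() constructs a fake system root under a temp directory with placeholder contents, so the hashes it produces will not equal the report's; the function names, the result tuple layout and the assumption that the hex part of px1C47.tmp varies per run are this example's own.

```python
"""Host triage sweep for the artifacts this report records.

Added example, not tria.ge's own code. The drop locations and SHA256 IoCs are
taken from the report; build_demo_tree() constructs a fake system root under a
temp directory with placeholder file contents, so its hashes will not equal
the report's. Everything else (names, tuple layout) is this example's assumption.
"""
import hashlib
import tempfile
from pathlib import Path

# Files the chain wrote, relative to the system root. Forward slashes so the
# paths resolve with pathlib on any OS (Windows accepts them too).
DROPPED_PATHS = [
    "Windows/SysWOW64/rundll32Srv.exe",
    "Program Files (x86)/Microsoft/DesktopLayer.exe",
]
# rundll32Srv.exe also opened px1C47.tmp in this directory; the hex part is
# assumed to vary between runs, so it is matched by pattern.
TMP_DIR, TMP_PATTERN = "Program Files (x86)/Microsoft", "px*.tmp"

# SHA256 values from the report: the submitted DLL and the three dropped files
# the Downloads section lists without a path.
IOC_SHA256 = {
    "c5a5958c8a6eadefa872704f3fc5c84bc6bca1bd7148039641f71c94e07111e1": "submitted DLL (232KB)",
    "b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f": "dropped file (70KB)",
    "8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8": "dropped file (181KB)",
    "fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320": "dropped file (55KB)",
}


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, iocs=IOC_SHA256):
    """Return sorted (relative path, sha256, ioc label or None, reason) tuples
    for every artifact under root: the known drop locations, the dropper's temp
    file, and any other regular file whose hash is in the IoC set (so a renamed
    or relocated copy is still caught)."""
    root = Path(root)
    reasons = {}
    for rel in DROPPED_PATHS:
        p = root / rel
        if p.is_file():
            reasons[p] = "known drop location"
    for p in (root / TMP_DIR).glob(TMP_PATTERN):
        if p.is_file():
            reasons[p] = "dropper temp file"
    digests = {p: sha256_file(p) for p in reasons}
    for p in root.rglob("*"):
        if p.is_file() and p not in reasons:
            d = sha256_file(p)
            if d in iocs:
                reasons[p], digests[p] = "hash match", d
    return sorted((p.relative_to(root).as_posix(), digests[p], iocs.get(digests[p]), why)
                  for p, why in reasons.items())


def build_demo_tree():
    """Constructed fake system root for the demonstration (placeholder contents)."""
    root = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    for rel, content in [
        ("Windows/SysWOW64/rundll32Srv.exe", b"placeholder rundll32Srv"),
        ("Program Files (x86)/Microsoft/DesktopLayer.exe", b"placeholder DesktopLayer"),
        ("Program Files (x86)/Microsoft/px1C47.tmp", b"placeholder tmp"),
        ("Windows/System32/notepad.exe", b"placeholder benign"),
    ]:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root


if __name__ == "__main__":
    for rel, digest, label, why in sweep(build_demo_tree()):
        print(f"{why:20} {digest[:16]}...  {rel}  {label or ''}")
```

Run it against a live system root or a mounted disk image by passing that root to sweep(). A file found at a drop location whose hash is not in the IoC set is still worth pulling: the sample is UPX packed and the dropped copies need not be byte-identical to the captures on this page.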