Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
22/03/2025, 21:25
General
-
Target
2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
-
Size
1.9MB
-
MD5
11440d40b4dcfc3cf8383f9097433bb8
-
SHA1
f0f69363ebceee5c5945f44867ab7feb7ea2f57b
-
SHA256
377031a94559fef772cda1593232a3b2c7fa6ac7ec57dc44a37cacef3cfa2c06
-
SHA512
36c10cdcd318638aab437a4bdd9e3088d5194dea1359786a960f1d595727f734349104c02cd5fab5258d95591a990ef9e1ec113958e1c81f27eff020b1f1feeb
-
SSDEEP
24576:87ZGy9+Acpjdv+K3eqA6dj6YU1s20UPxXMP2Wk4AX:+/Sp5AyAXtWk1
Malware Config
Signatures
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Ramnit family
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 3 IoCs
-
Drops file in System32 directory 28 IoCs
-
UPX packed file 7 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 8 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 28 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 51 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe"C:\Users\Admin\AppData\Local\Temp\2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe"1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exeC:\Users\Admin\AppData\Local\Temp\2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2736 CREDAT:275457 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{48260679-aa8e-31cb-f61d-594b52c3e74b}\Rockey4.inf" "9" "6281a14cb" "00000000000003F0" "WinSta0\Default" "00000000000005C0" "208" "C:\Windows\Temp"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{36a8f9bf-8bc3-257c-421a-dc2d45f15b29} Global\{54213acd-034c-6709-9110-d3708240ab12} C:\Windows\System32\DriverStore\Temp\{15533736-3ff8-0a91-5534-0d29af3cae37}\Rockey4.inf C:\Windows\System32\DriverStore\Temp\{15533736-3ff8-0a91-5534-0d29af3cae37}\Rockey4.cat2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005F4" "00000000000005F8"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
71KB
MD583142242e97b8953c386f988aa694e4a
SHA1833ed12fc15b356136dcdd27c61a50f59c5c7d50
SHA256d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755
SHA512bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10
-
Filesize
344B
MD5058f45b64a29c9643e4f1c3a2256b30d
SHA116791c86c597f24ac7f2b55ecf68009005bf2d08
SHA25663574ebae514c052d8e85498cbc2493b68389f09251caf614ed1728d8ccf8262
SHA512b2852607528edddba7d3e1900b19b9bb4957c5d43802ee39ecec7e91bdf14c011c4ecbb94b7ad9697a77a6e0ddc2055802412244a64ea2ee772f6264c9bb4dc7
-
Filesize
344B
MD529051982064042ac0da839e9d885c7b1
SHA168463c7f42ee236e9ec01a29f51fab9de3fd9c32
SHA2568112f5086a8707e9ac913d64add4aa91d093b3437c670373b77230306066a703
SHA512b7b384e23ae5e0f6ccee5604d7ef8d9c8808cd285d0bc6fd2059bdd287cb96108308503481283b8caee3c12cd06959f5a44f488d24413d37eeb371285497659a
-
Filesize
344B
MD5328a0bee456a43d040f882567333755d
SHA1b50e1797813b2030bc251c0a6ba17a8bca5052de
SHA256c336688b5efe470bf2a38bc269ac7cab7c34e9c356783a851ccd6910e2c44073
SHA51250b23cf16ed37ece3bc0292b9dc2c39e970c142b65fca03b106f109a9c4863d4e2dd532b6cb7b9c8186cacbd6fba3240458b438fad91a9a8ce80e713c0eb01de
-
Filesize
344B
MD5e81d4c72d85b862db5ab8b479c3c1a9b
SHA16c0e4bd62fad7c3b072d5ff7e91e9467d2b447cc
SHA25607806e833817a7c8f9a56cc3cf58af61216a76c9252b2f335e53b10c2571c4f2
SHA512af9c660e552de97afb37a6de7296ab1bf160cc73d89130a5e95059d5d978d3e61fa598827d3751b7709830a79566e853e1b2821846d526fcb3e4f364248eb2a0
-
Filesize
344B
MD58eaa4e63b0b83d4be0b971fe2688708e
SHA112b12d38dc3b8c3392e5092c26bf1403d8072d56
SHA2568312444625e3de1545a1db0e4869abe650fc6c3c73c293f5ae46a571372a2294
SHA51268bd26d8d20663a66b3fe63506a6be4057b596500c26c3f23ee2b7edb7127db1ba3ec9af34299c105200e5db294e865a3a997c587192a9e2279c020a6e4c72f7
-
Filesize
344B
MD54be278a4d816a7538f9152dd1f9cfdbf
SHA1c66283c7814c19934d46f35d9eb9cb62f796e48e
SHA256456213173f6ba3753edac9a48e64c67f635e4ebff5c44ccc58ab336f17997ed0
SHA5124266014a4b7954d609c35a5c4a2e7e94cf032ae9c133d53a95d51ac1e57f75c82728e4b79b529cacf30c15d4152044c9d79034d2e32cecd2a862f227b40dd00d
-
Filesize
344B
MD5fea10bcdbc286f42e30353ff32839a41
SHA1703e9dc9475d4a909ffb6260c8fe02fe77ae7544
SHA2562656c1ce337601615fd6567c786aa2797b2bc219b4f4c699f9df4612b50a52c2
SHA5125cbf81e9f2e100a234092749a3e2b09c375f6580e97b1c81afcc2f76af6585339ce6e17a9e7876e6afb2a8c04a1787f2a3697d8ced8e9f3c8297e2e5d26814a7
-
Filesize
344B
MD5c8431b4c97001400704eda7d56114392
SHA13146c09f2215eaee07fe8682934ac0b224e43574
SHA256ba4377748518b01610dde31b102dd51f8623dca347cbfb75a7db9bc67a1ef82f
SHA5129c471c7a2b9133b5a3c105f8e1210ff02e73201e67cd298c998c3571d0fe0c24590abb79caecf6e71ad83739b5b6c34161232861d8e1f3f16090664e8b3c2fb4
-
Filesize
344B
MD500774d0e11eb7baf1afbfc1acc7f8e85
SHA106ddef06cc5756b89c8cac70635b6db58c47fa7f
SHA256c9744e972205fe76c0786b26e516c43efd9e012e273c0b966b50ec7ae25ae450
SHA512da3abf0585f783aeb916faf008c6c410a904e200a8ce9270831d341178d3139c2cdad1d80e98d504f896c2acc7649ddaba9ea52688954213d296622f2dfd5b4a
-
Filesize
344B
MD5111874b262889c31a554d00defe60fd6
SHA1acba5d54d71b47ecb010ca2c356e4560ec67478f
SHA256b5ca3cd5a4a2b75bf7206f4704dc856a6c49576aea6bbf4f74c7131ac1cc256c
SHA51263388a90a626ddd45b755d525be60ecea100548a6e955f29ebeae2787322c5fd7f295b6dc55d14b25a2ea0095257d86e779cae7645d9a62e777b58f1954cade0
-
Filesize
344B
MD5abd33faf99adaa5685cd1403d526c272
SHA1aba1332361a19f32d5d6051989bf8494bcb770d6
SHA25667ca00c80d0eabc336ec54f4da3f2a4200661c94c8c8660a1493d6cf664894da
SHA51251d33857933c8b2a6b1f46ad89402c3d622a5d380ebe35def1827b0b539de9d0626ce9c788465ce5b9d74546735fd94d0ed9c2272e81d31d08c791a32b35caa9
-
Filesize
344B
MD54c27abb1f159e5d5f61120598b7eb214
SHA15d3319fb32b8d34cf590e270024aaa8cd173aa74
SHA2560208e4449df411d283bc9b0bf84a531e2383d585e38496922e8a94fbaa6dc8f0
SHA512670780101474f8d68187eeed329c7133bfafe7813f30c6cbc9c01ffcbf1116864e68e77f149a1313d42213ffe3fb61fdda34ac485726e709822e8e88aa44f26b
-
Filesize
344B
MD5e18c277c19d6ac5357eaf3d78f7f1016
SHA16e04beb275fd4f61ee9d7d696ce35025437d5609
SHA256d9ec5e856d07ef972c6a10c2aafda79aaa1f4406922f288d03e46d0ab412a641
SHA5122282f2d2621574f9ffaa5cbf5746c9a522fa3e1ff6fd269439e5611c0ee26f58304308b37b1df5cf25c6de07856f853f71e1857dbbcb309cc201a0bd47195bf1
-
Filesize
344B
MD51543591905779464f8f7c37aceb0b933
SHA165c55ab09d861dceb8f3a2fc17575a2905c477c5
SHA256ebb477f1012fb0dae1cc03e8dd81eb2633a49259a1a944ec48f059ebff02e062
SHA512f7bb93c6c221ed2a1b0a59ddc2e5fd67fb97eea26690c6710c75ceada39035a334e9401505447e647652b479598fa507a56b310c2d81d871f311179f521b0879
-
Filesize
344B
MD571645e1357ca595f688ca47b6511cb40
SHA1ef1803c3fbb7113119b2327f33f90dcd18906edc
SHA2565e73a54f5e4fd53c0f85ed05fbf1f73383be9ab83c361df81c6baa9f88a3400d
SHA512b2d88c63ecfa0bc68b80691b10e5f66af02bf9a09e7f9cbdabc38e64282a92cf4a1ec7cba5c526efc17af6e9e8bd4b45c4999c1d1b35bee49b38d2cb3509672f
-
Filesize
344B
MD5bf0dc95d1858b2c48a0b28c98bfc4dfa
SHA13553eb43b430cfd538c4eb5a70c33c1cacd46147
SHA2564b20e05d4d0accbcd07a69b148c0b28807928caca0712507e269c5749e28f9eb
SHA512b56aad68e022aff2e9cd86d5dffe03512e9ad277a74db6064dcaf412ab74e032acd188e7ba18353eeaa64446a5aac16cd85687d2c165cefe468940e87f696248
-
Filesize
344B
MD5abcaee886bbe11b154826738b3de6098
SHA1a6d68f0359c89810ce3856390c612cc96d004a83
SHA256a3f243c6fbb0a35ed0029fd7216beddf68a4643f1b6df137854127bca8c92e5f
SHA512b2db858a330e4d8e673a9381619985a057ed2114f11a45e6c760237575a68705a1de9996b9e014b3729bd0785fe699d5378134fd61c2f119ddcfc3cac20dbcf7
-
Filesize
344B
MD5cf270c0ebec2af543ebd133fcf0bd22d
SHA14b6996a497258eeb134b433bb7ece79baf717fba
SHA25694810b4b24272c41c5a50208c4a2b1e64acc14f3f78435ae233a32556d78e47f
SHA512c82642ff090d4fb022125caa9ed6f7f9416a10a7276b237f3b1e6117300c3bfc1d4691652ab449c3c4d51dda2dda747e558c9dfa5380e40615f1005855c9f062
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
183KB
MD5109cab5505f5e065b63d01361467a83b
SHA14ed78955b9272a9ed689b51bf2bf4a86a25e53fc
SHA256ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673
SHA512753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc
-
Filesize
29KB
MD5d59a6b36c5a94916241a3ead50222b6f
SHA1e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA51217012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489
-
Filesize
3KB
MD53ce2e5aeef01fa93d94868953406856b
SHA110d56292d022f39d8ceefded624f8522f5bdccfd
SHA2568cf87f05e75dd558eac842ea3eeda9cafe675d4c6d1eaa211c403b7de2e599cb
SHA512ffeb48efa4254d11d398eb6197ec1a8c0ae398d0bd3dd1cd7d3f66fd8f8e252e726b8adcf651c6e2f2bd9a78023151ca2103349bb63f788aef306010f6f983fc
-
Filesize
29KB
MD56b9b088f4921b5114f7916a1cfa90f51
SHA1be3d21cf1a9eae23ff0464f2ee19d60891ba8777
SHA256a3fbfe4c4c5195524107d1127e8165d53319f306e07647022a6557750f0b2c29
SHA512961c9e56bb62098989d55a951da4b05db56d15ca26ca85f9413139f24ae3624056c33d16d711819f1cac97469fa456578fedcd30dde773d87523a29cb337a98d
-
Filesize
20KB
MD5a215e31da7fc0369e315132303582b5b
SHA13dbb87e75c01ad93845a6c90602bdcd49f5e1882
SHA256a55c1b52240efb612b0771f35797f2aa68b249be7f7da930a0ee5d8212c7f7a7
SHA512c5d132725c3f41357b517341a28220cf205cba4c49376908b03e8780c6c456db70724f48b3ce89f90edb9e865308a607a41db0571e8e871c503e0ff251ce76a2
-
Filesize
6KB
MD55d1e774106c240e330e7384f8bd2835c
SHA10e6bfc62067d52540eb84852eb1e160fb646e4d5
SHA256fab2055534c54c8c8d3df3065a481fb8b2d1bc052c29ac500634ba63f32fea09
SHA51248c4d2ac25e8e3f128201cc0503de7cdb952ad849fe760c112bf32ff0e9df96da16fa356ab99f64cb45eb3a4314fc3bfdc852e06a1263c4cd681c7b42b9df578
-
Filesize
81KB
MD5b13f51572f55a2d31ed9f266d581e9ea
SHA17eef3111b878e159e520f34410ad87adecf0ca92
SHA256725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c
-
Filesize
9KB
MD5f5e17a72ecbe8f0556423e796124f785
SHA160b887c365c0541e0aa1518ac687bc3eb7e60a4c
SHA256d0e390cbe3a1313d0b4348bfdc9da947616fc7dda4ecc414468b5f2151f5b60f
SHA5124f85087d92b2b6494cb2a1d281c34bb72fa6bd9f31d3369aa9729ba12d320618836f2d25dc92dcec18b1c9cfa0f3977bff809d179a988ddacaf67acfe06ea9c4
-
Filesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
Filesize
412KB
MD528777af4daf84f9ad4145f7105e02477
SHA1f2100f4812007a253134d4e134e6208a78263a2c
SHA2567e0f6280add4c6000d6bf548402e849b83047b960ad89be067ae87e4dc103b77
SHA512543e81509693ed6b75f9dbce536ab15f1bcac5f1fc71646b53ac2bafd2af5859add9acf21b247719e2cf6d2974c3c8552a1fb2f13d3f3be428099fc62e62dcad
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
4KB
-
Filesize
60KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
184KB