Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

2f8e2c8300...66.pps

windows7_x64

10

2f8e2c8300...66.pps

windows10_x64

10

Analysis

  • max time kernel
    129s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    30/01/2022, 15:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f8e2c8300b7854ff204375f5116854cee7c4ef11f9b080dce89713867fd7066.pps

  • Size

    831KB

  • MD5

    6c683aca669e1c448b0abce3df49fcb1

  • SHA1

    2c5686beca1f8b111f3a5568681004de526130f6

  • SHA256

    2f8e2c8300b7854ff204375f5116854cee7c4ef11f9b080dce89713867fd7066

  • SHA512

    30a7b2c804c7b7cf69a99ba7f614b4a4fb1b14ac7683ba1c5e8fad7269d9b3a950fc35eac92045ce1e5d96d399c5ba1f0a4bf6ef39648943cd8f1fd15b8daff6

Score
10/10
crimsonratrat

Malware Config

Signatures

  • CrimsonRAT Main Payload 3 IoCs
  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    ratcrimsonrat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\2f8e2c8300b7854ff204375f5116854cee7c4ef11f9b080dce89713867fd7066.pps"
    1⤵
    • Loads dropped DLL
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      2⤵
        PID:660
      • C:\Users\Admin\Maltimedia\wardhmrias.exe
        C:\Users\Admin\Maltimedia\wardhmrias.exe
        2⤵
        • Executes dropped EXE
        PID:784

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/660-57-0x000007FEFC261000-0x000007FEFC263000-memory.dmp

      Filesize

      8KB

      Download

    • memory/784-68-0x0000000002950000-0x0000000002952000-memory.dmp

      Filesize

      8KB

      Download

    • memory/784-69-0x000007FEF2D60000-0x000007FEF3DF6000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/784-70-0x0000000002956000-0x0000000002975000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1308-58-0x0000000075CE1000-0x0000000075CE3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1308-61-0x0000000005B00000-0x0000000005B02000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1308-64-0x0000000005140000-0x0000000005141000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1308-54-0x00000000749A1000-0x00000000749A5000-memory.dmp

      Filesize

      16KB

      Download

    • memory/1308-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1308-55-0x0000000071A51000-0x0000000071A53000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1308-71-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download