Analysis
- max time kernel: 167s
- max time network: 174s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30/01/2022, 15:47
Static task: static1

Behavioral task: behavioral1
- Sample: 2aa160726037e80384672e89968ab4d2bd3b7f5ca3dfa1b9c1ecc4d1647a63f0.xls
- Resource: win7-en-20211208

Behavioral task: behavioral2
- Sample: 2aa160726037e80384672e89968ab4d2bd3b7f5ca3dfa1b9c1ecc4d1647a63f0.xls
- Resource: win10-en-20211208
General
- Target: 2aa160726037e80384672e89968ab4d2bd3b7f5ca3dfa1b9c1ecc4d1647a63f0.xls
- Size: 422KB
- MD5: 48476da4403243b342a166d8a6be7a3f
- SHA1: 6e089605173097205a7906a796ad7c8315feba9c
- SHA256: 2aa160726037e80384672e89968ab4d2bd3b7f5ca3dfa1b9c1ecc4d1647a63f0
- SHA512: 1bb134eb6eaa1759fab21309cc527c98935f7af73625c07e7cf7e1837978d741c1f6d8a4df4dc9b81126e86aa59424dd3372ab16ddf31787e1bb8aa0a7658eef
Malware Config
Signatures

CrimsonRAT Main Payload (2 IoCs)
  resource                                      yara_rule
  behavioral2/files/0x000700000001ab54-305.dat  family_crimsonrat
  behavioral2/files/0x000700000001ab54-304.dat  family_crimsonrat

CrimsonRat
Crimson RAT is malware attributed to a Pakistan-linked threat actor.

Executes dropped EXE (1 IoC)
  pid   Process
  4576  ulhtagnias.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                   Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                      EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  EXCEL.EXE

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                         Process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS          EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily  EXCEL.EXE
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU     EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid  Process
  784  EXCEL.EXE

Suspicious use of SetWindowsHookEx (26 IoCs)
  pid  Process
  784  EXCEL.EXE   (all 26 entries are this same pid/process pair)

Suspicious use of WriteProcessMemory (2 IoCs)
  description                      pid  Process    procid_target
  PID 784 wrote to memory of 4576  784  EXCEL.EXE  71
  PID 784 wrote to memory of 4576  784  EXCEL.EXE  71
Processes

1. Image: C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\2aa160726037e80384672e89968ab4d2bd3b7f5ca3dfa1b9c1ecc4d1647a63f0.xls"
   PID: 784
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. Image: C:\ProgramData\DeIA-GIR\ulhtagnias.exe   (child of PID 784)
      Command line: C:\ProgramData\DeIA-GIR\ulhtagnias.exe
      PID: 4576
      - Executes dropped EXE