Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    155s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    30/01/2022, 16:01

General

  • Target

    20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a.xls

  • Size

    486KB

  • MD5

    e061670462a35bb5f46803394f9ca733

  • SHA1

    98f2431930d74308ac5f2cc0168ce5c0d7c23eb9

  • SHA256

    20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a

  • SHA512

    2378759e4e4b98631f3b0179aa9c08082dca95c9ef12946b201de26f2ce827c21fa2f5f078211553dc6ce5c2513be2bcd75557ebd2bb3c35486fc1d957452e7b

Score
10/10

Malware Config

Signatures

  • CrimsonRAT Main Payload 3 IoCs
  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a.xls
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1772
    • C:\ProgramData\Hdlamar\rdhmrarhsa.exe
      C:\ProgramData\Hdlamar\rdhmrarhsa.exe
      2⤵
      • Executes dropped EXE
      PID:704

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/704-64-0x0000000000E60000-0x0000000000E62000-memory.dmp

    Filesize

    8KB

  • memory/704-65-0x000007FEF2560000-0x000007FEF35F6000-memory.dmp

    Filesize

    16.6MB

  • memory/704-66-0x0000000000E66000-0x0000000000E85000-memory.dmp

    Filesize

    124KB

  • memory/1772-55-0x000000002F981000-0x000000002F984000-memory.dmp

    Filesize

    12KB

  • memory/1772-56-0x0000000071421000-0x0000000071423000-memory.dmp

    Filesize

    8KB

  • memory/1772-57-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1772-58-0x00000000762C1000-0x00000000762C3000-memory.dmp

    Filesize

    8KB

  • memory/1772-59-0x000000006CC81000-0x000000006CC83000-memory.dmp

    Filesize

    8KB

  • memory/1772-60-0x00000000060A0000-0x00000000060A2000-memory.dmp

    Filesize

    8KB