Analysis
- max time kernel: 162s
- max time network: 156s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30/01/2022, 16:01
Static task: static1
Behavioral task: behavioral1
- Sample: 20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a.xls
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a.xls
- Resource: win10-en-20211208
General
- Target: 20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a.xls
- Size: 486KB
- MD5: e061670462a35bb5f46803394f9ca733
- SHA1: 98f2431930d74308ac5f2cc0168ce5c0d7c23eb9
- SHA256: 20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a
- SHA512: 2378759e4e4b98631f3b0179aa9c08082dca95c9ef12946b201de26f2ce827c21fa2f5f078211553dc6ce5c2513be2bcd75557ebd2bb3c35486fc1d957452e7b
Malware Config
Signatures
- CrimsonRAT Main Payload (2 IoCs)
  resource | yara_rule
  behavioral2/files/0x000500000001ab7f-319.dat | family_crimsonrat
  behavioral2/files/0x000500000001ab7f-318.dat | family_crimsonrat
- CrimsonRat
  Crimson RAT is malware attributed to a Pakistan-linked threat actor.
- Executes dropped EXE (1 IoC)
  pid | Process
  4164 | rdhmrarhsa.exe
- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | EXCEL.EXE
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | EXCEL.EXE
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | EXCEL.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | EXCEL.EXE
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid | Process
  3996 | EXCEL.EXE
- Suspicious use of SetWindowsHookEx (24 IoCs)
  pid | Process
  3996 | EXCEL.EXE (24 identical entries)
- Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 3996 wrote to memory of 4164 | 3996 | EXCEL.EXE | 73
  PID 3996 wrote to memory of 4164 | 3996 | EXCEL.EXE | 73
Processes
1. C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
   Command line: "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\20da161f0174d2867d2a296d4e2a8ebd2f0c513165de6f2a6f455abcecf78f2a.xls"
   PID: 3996
   - Checks processor information in registry
   - Enumerates system info in registry
   - Suspicious behavior: AddClipboardFormatListener
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\Hdlamar\rdhmrarhsa.exe (child of EXCEL.EXE, PID 3996)
      Command line: C:\ProgramData\Hdlamar\rdhmrarhsa.exe
      PID: 4164
      - Executes dropped EXE