
Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    30/01/2022, 16:23 UTC

General

  • Target

    for u krishna my pic and video fldr/for u krishna my pic and video folder.exe

  • Size

    1.0MB

  • MD5

    7cf75ee5180b4896f93b762ea0057e04

  • SHA1

    633004d24a7dca046f10e419cd83728fd6be4a77

  • SHA256

    0ec4af0779080f9b0b534a6b1b6f1f09ee205cf49a4334046d683d1cce84d3a0

  • SHA512

    4019a01efd5be0a0aef9708e4c359147efbdb4066da7f2418ea5632686ddaac29247d201b5cf154276d22dad7c7b8d61523cb049bde9bd6048133a06ee4c1eee

Score
10/10

Malware Config

Signatures

  • CrimsonRAT Main Payload 2 IoCs
  • CrimsonRat

    Crimson RAT is malware attributed to a Pakistan-linked threat actor.

  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\for u krishna my pic and video fldr\for u krishna my pic and video folder.exe
    "C:\Users\Admin\AppData\Local\Temp\for u krishna my pic and video fldr\for u krishna my pic and video folder.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:528
    • C:\ProgramData\Dharvdv\rvmthgarna.exe
      "C:\ProgramData\Dharvdv\rvmthgarna.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4004

Network

  • flag-us
    DNS
    shareboxs.net
    rvmthgarna.exe
    Remote address:
    8.8.8.8:53
    Request
    shareboxs.net
    IN A
    Response
    shareboxs.net
    IN A
    198.54.115.198
  • flag-us
    POST
    http://shareboxs.net/indexer.php
    rvmthgarna.exe
    Remote address:
    198.54.115.198:80
    Request
    POST /indexer.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: shareboxs.net
    Content-Length: 271
    Expect: 100-continue
    Connection: Keep-Alive
    Response
    HTTP/1.1 301 Moved Permanently
    keep-alive: timeout=5, max=100
    content-type: text/html
    content-length: 707
    date: Sun, 30 Jan 2022 21:50:05 GMT
    server: LiteSpeed
    location: https://shareboxs.net/indexer.php
    x-turbo-charged-by: LiteSpeed
  • flag-us
    GET
    https://shareboxs.net/indexer.php
    rvmthgarna.exe
    Remote address:
    198.54.115.198:443
    Request
    GET /indexer.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: shareboxs.net
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    keep-alive: timeout=5, max=100
    x-powered-by: PHP/5.6.40
    content-type: text/html; charset=UTF-8
    content-length: 0
    date: Sun, 30 Jan 2022 21:50:06 GMT
    server: LiteSpeed
    x-turbo-charged-by: LiteSpeed
  • flag-us
    POST
    http://shareboxs.net/indexer.php
    rvmthgarna.exe
    Remote address:
    198.54.115.198:80
    Request
    POST /indexer.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: shareboxs.net
    Content-Length: 271
    Expect: 100-continue
    Response
    HTTP/1.1 301 Moved Permanently
    keep-alive: timeout=5, max=100
    content-type: text/html
    content-length: 707
    date: Sun, 30 Jan 2022 21:50:40 GMT
    server: LiteSpeed
    location: https://shareboxs.net/indexer.php
    x-turbo-charged-by: LiteSpeed
  • flag-us
    GET
    https://shareboxs.net/indexer.php
    rvmthgarna.exe
    Remote address:
    198.54.115.198:443
    Request
    GET /indexer.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: shareboxs.net
    Response
    HTTP/1.1 200 OK
    keep-alive: timeout=5, max=100
    x-powered-by: PHP/5.6.40
    content-type: text/html; charset=UTF-8
    content-length: 0
    date: Sun, 30 Jan 2022 21:50:41 GMT
    server: LiteSpeed
    x-turbo-charged-by: LiteSpeed
  • flag-us
    POST
    http://shareboxs.net/indexer.php
    rvmthgarna.exe
    Remote address:
    198.54.115.198:80
    Request
    POST /indexer.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: shareboxs.net
    Content-Length: 271
    Expect: 100-continue
    Response
    HTTP/1.1 301 Moved Permanently
    keep-alive: timeout=5, max=100
    content-type: text/html
    content-length: 707
    date: Sun, 30 Jan 2022 21:51:15 GMT
    server: LiteSpeed
    location: https://shareboxs.net/indexer.php
    x-turbo-charged-by: LiteSpeed
  • flag-us
    GET
    https://shareboxs.net/indexer.php
    rvmthgarna.exe
    Remote address:
    198.54.115.198:443
    Request
    GET /indexer.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: shareboxs.net
    Response
    HTTP/1.1 200 OK
    keep-alive: timeout=5, max=100
    x-powered-by: PHP/5.6.40
    content-type: text/html; charset=UTF-8
    content-length: 0
    date: Sun, 30 Jan 2022 21:51:16 GMT
    server: LiteSpeed
    x-turbo-charged-by: LiteSpeed
  • 64.188.25.232:3263
    rvmthgarna.exe
    156 B
    3
  • 198.54.115.198:80
    http://shareboxs.net/indexer.php
    http
    rvmthgarna.exe
    754 B
    1.2kB
    7
    5

    HTTP Request

    POST http://shareboxs.net/indexer.php

    HTTP Response

    301
  • 198.54.115.198:443
    https://shareboxs.net/indexer.php
    tls, http
    rvmthgarna.exe
    908 B
    5.7kB
    11
    10

    HTTP Request

    GET https://shareboxs.net/indexer.php

    HTTP Response

    200
  • 64.188.25.232:4928
    rvmthgarna.exe
    156 B
    3
  • 198.54.115.198:80
    http://shareboxs.net/indexer.php
    http
    rvmthgarna.exe
    730 B
    1.2kB
    7
    5

    HTTP Request

    POST http://shareboxs.net/indexer.php

    HTTP Response

    301
  • 198.54.115.198:443
    https://shareboxs.net/indexer.php
    tls, http
    rvmthgarna.exe
    870 B
    5.7kB
    10
    9

    HTTP Request

    GET https://shareboxs.net/indexer.php

    HTTP Response

    200
  • 64.188.25.232:5861
    rvmthgarna.exe
    156 B
    3
  • 198.54.115.198:80
    http://shareboxs.net/indexer.php
    http
    rvmthgarna.exe
    638 B
    1.1kB
    5
    3

    HTTP Request

    POST http://shareboxs.net/indexer.php

    HTTP Response

    301
  • 198.54.115.198:443
    https://shareboxs.net/indexer.php
    tls, http
    rvmthgarna.exe
    778 B
    5.6kB
    8
    7

    HTTP Request

    GET https://shareboxs.net/indexer.php

    HTTP Response

    200
  • 8.8.8.8:53
    shareboxs.net
    dns
    rvmthgarna.exe
    59 B
    75 B
    1
    1

    DNS Request

    shareboxs.net

    DNS Response

    198.54.115.198

MITRE ATT&CK Enterprise v6

Downloads

  • memory/528-115-0x0000000003190000-0x0000000003192000-memory.dmp

    Filesize

    8KB

  • memory/528-117-0x0000000003192000-0x0000000003194000-memory.dmp

    Filesize

    8KB

  • memory/4004-120-0x000002D3C7270000-0x000002D3C7C18000-memory.dmp

    Filesize

    9.7MB

  • memory/4004-121-0x000002D3C97E0000-0x000002D3C97E2000-memory.dmp

    Filesize

    8KB
