Analysis

Max time kernel: 151s
Max time network: 156s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 30/01/2022, 16:23 UTC

Static task: static1

Behavioral task: behavioral1
  Sample: for u krishna my pic and video fldr/for u krishna my pic and video folder.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: for u krishna my pic and video fldr/for u krishna my pic and video folder.exe
  Resource: win10-en-20211208
General

Target: for u krishna my pic and video fldr/for u krishna my pic and video folder.exe
Size: 1.0MB
MD5: 7cf75ee5180b4896f93b762ea0057e04
SHA1: 633004d24a7dca046f10e419cd83728fd6be4a77
SHA256: 0ec4af0779080f9b0b534a6b1b6f1f09ee205cf49a4334046d683d1cce84d3a0
SHA512: 4019a01efd5be0a0aef9708e4c359147efbdb4066da7f2418ea5632686ddaac29247d201b5cf154276d22dad7c7b8d61523cb049bde9bd6048133a06ee4c1eee
Malware Config
Signatures

CrimsonRAT Main Payload (2 IoCs)
  resource                                      yara_rule
  behavioral2/files/0x000500000001ab42-118.dat  family_crimsonrat
  behavioral2/files/0x000500000001ab42-119.dat  family_crimsonrat

CrimsonRat
  Crimson RAT is malware attributed to a Pakistan-linked threat actor.

Executes dropped EXE (1 IoCs)
  pid   Process
  4004  rvmthgarna.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  4004  rvmthgarna.exe

Suspicious use of WriteProcessMemory (2 IoCs)
  description                      pid  Process                                    procid_target
  PID 528 wrote to memory of 4004  528  for u krishna my pic and video folder.exe  69
  PID 528 wrote to memory of 4004  528  for u krishna my pic and video folder.exe  69
Processes

C:\Users\Admin\AppData\Local\Temp\for u krishna my pic and video fldr\for u krishna my pic and video folder.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\for u krishna my pic and video fldr\for u krishna my pic and video folder.exe"
  PID: 528
  - Suspicious use of WriteProcessMemory
  └─ C:\ProgramData\Dharvdv\rvmthgarna.exe
       Command line: "C:\ProgramData\Dharvdv\rvmthgarna.exe"
       PID: 4004
       - Executes dropped EXE
       - Suspicious use of AdjustPrivilegeToken
-
Network

DNS
  Remote address: 8.8.8.8:53
  Request:  shareboxs.net IN A
  Response: shareboxs.net IN A 198.54.115.198

HTTP
  Remote address: 198.54.115.198:80
  Request:
    POST /indexer.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: shareboxs.net
    Content-Length: 271
    Expect: 100-continue
    Connection: Keep-Alive
  Response:
    HTTP/1.1 301 Moved Permanently
    content-type: text/html
    content-length: 707
    date: Sun, 30 Jan 2022 21:50:05 GMT
    server: LiteSpeed
    location: https://shareboxs.net/indexer.php
    x-turbo-charged-by: LiteSpeed

HTTP
  Remote address: 198.54.115.198:443
  Request:
    GET /indexer.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: shareboxs.net
    Connection: Keep-Alive
  Response:
    HTTP/1.1 200 OK
    x-powered-by: PHP/5.6.40
    content-type: text/html; charset=UTF-8
    content-length: 0
    date: Sun, 30 Jan 2022 21:50:06 GMT
    server: LiteSpeed
    x-turbo-charged-by: LiteSpeed

HTTP
  Remote address: 198.54.115.198:80
  Request:
    POST /indexer.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: shareboxs.net
    Content-Length: 271
    Expect: 100-continue
  Response:
    HTTP/1.1 301 Moved Permanently
    content-type: text/html
    content-length: 707
    date: Sun, 30 Jan 2022 21:50:40 GMT
    server: LiteSpeed
    location: https://shareboxs.net/indexer.php
    x-turbo-charged-by: LiteSpeed

HTTP
  Remote address: 198.54.115.198:443
  Request:
    GET /indexer.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: shareboxs.net
  Response:
    HTTP/1.1 200 OK
    x-powered-by: PHP/5.6.40
    content-type: text/html; charset=UTF-8
    content-length: 0
    date: Sun, 30 Jan 2022 21:50:41 GMT
    server: LiteSpeed
    x-turbo-charged-by: LiteSpeed

HTTP
  Remote address: 198.54.115.198:80
  Request:
    POST /indexer.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: shareboxs.net
    Content-Length: 271
    Expect: 100-continue
  Response:
    HTTP/1.1 301 Moved Permanently
    content-type: text/html
    content-length: 707
    date: Sun, 30 Jan 2022 21:51:15 GMT
    server: LiteSpeed
    location: https://shareboxs.net/indexer.php
    x-turbo-charged-by: LiteSpeed

HTTP
  Remote address: 198.54.115.198:443
  Request:
    GET /indexer.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: shareboxs.net
  Response:
    HTTP/1.1 200 OK
    x-powered-by: PHP/5.6.40
    content-type: text/html; charset=UTF-8
    content-length: 0
    date: Sun, 30 Jan 2022 21:51:16 GMT
    server: LiteSpeed
    x-turbo-charged-by: LiteSpeed
-
Flow summary

156 B  3

754 B  1.2kB  7  5
  HTTP Request:  POST http://shareboxs.net/indexer.php
  HTTP Response: 301

908 B  5.7kB  11  10
  HTTP Request:  GET https://shareboxs.net/indexer.php
  HTTP Response: 200

156 B  3

730 B  1.2kB  7  5
  HTTP Request:  POST http://shareboxs.net/indexer.php
  HTTP Response: 301

870 B  5.7kB  10  9
  HTTP Request:  GET https://shareboxs.net/indexer.php
  HTTP Response: 200

156 B  3

638 B  1.1kB  5  3
  HTTP Request:  POST http://shareboxs.net/indexer.php
  HTTP Response: 301

778 B  5.6kB  8  7
  HTTP Request:  GET https://shareboxs.net/indexer.php
  HTTP Response: 200