Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
General
-
Target
https://github.com/enginestein/Virus-Collection
-
Sample
250130-ykhlea1la1
Malware Config
Extracted
crimsonrat
185.136.161.124
Extracted
C:\g6QpgrhJDdQZeF0\DECRYPT_YOUR_FILES.HTML
Targets
-
-
Target
https://github.com/enginestein/Virus-Collection
Score10/10-
CrimsonRAT main payload
-
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
Crimsonrat family
-
Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
-
Fantom family
-
Renames multiple (1019) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Modifies WinLogon
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Modify Registry
5Subvert Trust Controls
1SIP and Trust Provider Hijacking
1