Analysis

  • max time kernel
    143s
  • max time network
    137s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    30-11-2020 00:30

General

  • Target

    297a331c90ab8923b7d44a8c2e59f7b8.exe

  • Size

    296KB

  • MD5

    297a331c90ab8923b7d44a8c2e59f7b8

  • SHA1

    881514ba7df186ec16ac03d279cb0c1df8afb948

  • SHA256

    4546bf50e116c0cc49d206b2be2815f2724944ba7aa0b305837f90dbddd863c7

  • SHA512

    41a6543f21c25f385adb8c604d991454d23c9e540a7ca24e86653de4b9232d581de67e2680c966ef8179f951b110c0246f602b6260e940432bf164d44936e52d

Score
10/10

Malware Config

Signatures

  • CrimsonRAT Main Payload 2 IoCs
  • CrimsonRat

    Crimson RAT is malware associated with a Pakistan-linked threat actor.

  • Executes dropped EXE 1 IoCs
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of SetWindowsHookEx 19 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\297a331c90ab8923b7d44a8c2e59f7b8.exe
    "C:\Users\Admin\AppData\Local\Temp\297a331c90ab8923b7d44a8c2e59f7b8.exe"
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:816
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\297a331c90ab8923b7d44a8c2e59f7b8-03-.doc" /o ""
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1684
    • C:\ProgramData\Hinthavra\fhrnthivesa.exe
      "C:\ProgramData\Hinthavra\fhrnthivesa.exe"
      • Executes dropped EXE
      PID:3760

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\Hinthavra\fhrnthivesa.exe

    MD5

    1db10d9e7e4e5f99b9e9a0dcc28b7bfe

    SHA1

    2881e9c1e7ead60c58baf5bf1586b5ab876604c2

    SHA256

    2732810cf41b3f9b37026327b3e70aa62fd6606d976fe7043b8e89e9de023ef5

    SHA512

    a5144f38c50fd9dd2fbaf83eb470385a01d21828d63a6ab370672c77afefaf624437fd628125c3d811b9c2f75ed42b08c22048dab4ab8429ae005ef2ac0d4fa1

  • C:\Users\Admin\Documents\297a331c90ab8923b7d44a8c2e59f7b8-03-.doc

    MD5

    f64f49093d7ab643e82ed84653baff2f

    SHA1

    77342908c3d547aae2a1710e2ba94c44457459cb

    SHA256

    d136b6156b82ed61c6489d8fdd983747ec5817ba6784f7c6c13381ace789ad00

    SHA512

    6430764d7e530741dfb0f4cae38ad8ff8bf45abd324ac7fefdbf642a251fb30c6a27860171d9f8e2d411ce14cfc3ec6bdaea052010fc6ae06643884a26c58274

  • memory/816-2-0x00007FFB852D0000-0x00007FFB85CBC000-memory.dmp

    Filesize

    9.9MB

  • memory/816-3-0x000002A61A090000-0x000002A61A091000-memory.dmp

    Filesize

    4KB

  • memory/1684-5-0x0000000000000000-mapping.dmp

  • memory/1684-6-0x00007FFB7F0C0000-0x00007FFB7F6F7000-memory.dmp

    Filesize

    6.2MB

  • memory/3760-7-0x0000000000000000-mapping.dmp

  • memory/3760-10-0x00007FFB852D0000-0x00007FFB85CBC000-memory.dmp

    Filesize

    9.9MB

  • memory/3760-11-0x000001E9E8390000-0x000001E9E8391000-memory.dmp

    Filesize

    4KB