crimsonrat | 69f998bd67a5dbfd79bcc44f0cf2284ed61fac9bfaba3d3b4dfb19a57baa29c5

General

Target

69f998bd67a5dbfd79bcc44f0cf2284ed61fac9bfaba3d3b4dfb19a57baa29c5.doc
Size

533KB
MD5

41b70737fa8dda75d5e95c82699c2e9b
SHA1

cd3bb41346fdc37053dc6b5a83f2c77fe4e2c3bf
SHA256

69f998bd67a5dbfd79bcc44f0cf2284ed61fac9bfaba3d3b4dfb19a57baa29c5
SHA512

1ceac62694165f281846bf27ebd693c8368fc28e487961b01c369ad3276ea63e97766e07b419f4140ba42b24bc350818104534b5bcff9635097f06a866b3acab

Score

10^/10

crimsonrat rat

Malware Config

Signatures

CrimsonRAT Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000100000001abaa-12.dat	family_crimsonrat
behavioral2/files/0x000100000001abaa-13.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat

Executes dropped EXE 1 IoCs

Processes:

rgiwsdasxa.exe

pid	Process
4020	rgiwsdasxa.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid	Process
648	WINWORD.EXE
648	WINWORD.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid	Process
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE
648	WINWORD.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

WINWORD.EXE

description	pid	Process	procid_target
PID 648 wrote to memory of 4020	648	WINWORD.EXE	76
PID 648 wrote to memory of 4020	648	WINWORD.EXE	76
PID 648 wrote to memory of 4020	648	WINWORD.EXE	76

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\69f998bd67a5dbfd79bcc44f0cf2284ed61fac9bfaba3d3b4dfb19a57baa29c5.doc" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:648
- C:\ProgramData\Hurmz\rgiwsdasxa.exe
  C:\ProgramData\Hurmz\rgiwsdasxa.exe
  2⤵
  - Executes dropped EXE
  PID:4020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hurmz\rgiwsdasxa.exe

MD5
2eb4469c76f5230c66626a6918c7664f

SHA1
6aedaf0ad86c7e45f19ff7a1ad1876bd18ff8b90

SHA256
ff4c5f6a1a5b68b956970751d56ee7905ec48ad39cc05416ee8ee958ecd0c40e

SHA512
723c8e35a2395b13da593eee13b42970b81429849e3b8e484767a2c5adcfe00d11cd78f1713e52e3f137f1df4cb3c9ab6660dc0cb89772690dace5a1ad740fbf

Download Submit
C:\ProgramData\Hurmz\rgiwsdasxa.exe

MD5
2eb4469c76f5230c66626a6918c7664f

SHA1
6aedaf0ad86c7e45f19ff7a1ad1876bd18ff8b90

SHA256
ff4c5f6a1a5b68b956970751d56ee7905ec48ad39cc05416ee8ee958ecd0c40e

SHA512
723c8e35a2395b13da593eee13b42970b81429849e3b8e484767a2c5adcfe00d11cd78f1713e52e3f137f1df4cb3c9ab6660dc0cb89772690dace5a1ad740fbf

Download Submit
memory/648-2-0x000002042EAA0000-0x000002042F0D7000-memory.dmp

Filesize
6.2MB

Download
memory/648-6-0x000002043054B000-0x0000020430552000-memory.dmp

Filesize
28KB

Download
memory/4020-11-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads