Malware Analysis Report

2024-10-19 10:21

Sample ID 210718-6wc5byvp2j
Target D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe
SHA256 d046e766c9c755c88427a91d0dfcfca5659ade83bfd346315aeebc52c485208e
Tags
crimsonrat persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d046e766c9c755c88427a91d0dfcfca5659ade83bfd346315aeebc52c485208e

Threat Level: Known bad

The file D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe was found to be: Known bad.

Malicious Activity Summary

crimsonrat persistence

Crimsonrat family

CrimsonRAT Main Payload

Adds Run key to start application

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-07-18 08:02

Signatures

CrimsonRAT Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

Crimsonrat family

crimsonrat

Analysis: behavioral1

Detonation Overview

Submitted

2021-07-18 08:02

Reported

2021-07-18 08:04

Platform

win7v20210410

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\wsecor = "C:\\ProgramData\\Mins\\mieces.exe" C:\Users\Admin\AppData\Local\Temp\D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe

"C:\Users\Admin\AppData\Local\Temp\D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe"

Network

Country Destination Domain Proto
N/A 79.143.181.178:8861 tcp

Files

memory/1104-60-0x0000000076E11000-0x0000000076E13000-memory.dmp

memory/1104-61-0x0000000000480000-0x0000000000481000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-07-18 08:02

Reported

2021-07-18 08:04

Platform

win10v20210408

Max time kernel

38s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\wsecor = "C:\\ProgramData\\Mins\\mieces.exe" C:\Users\Admin\AppData\Local\Temp\D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe

"C:\Users\Admin\AppData\Local\Temp\D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe"

Network

Country Destination Domain Proto
N/A 79.143.181.178:8861 tcp

Files

memory/4648-114-0x0000000000AA0000-0x0000000000AA1000-memory.dmp