Analysis Overview
SHA256
d046e766c9c755c88427a91d0dfcfca5659ade83bfd346315aeebc52c485208e
Threat Level: Known bad
The file D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe was found to be: Known bad.
Malicious Activity Summary
Crimsonrat family
CrimsonRAT Main Payload
Adds Run key to start application
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-07-18 08:02
Signatures
CrimsonRAT Main Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Crimsonrat family
Analysis: behavioral1
Detonation Overview
Submitted
2021-07-18 08:02
Reported
2021-07-18 08:04
Platform
win7v20210410
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Windows\CurrentVersion\Run\wsecor = "C:\\ProgramData\\Mins\\mieces.exe" | C:\Users\Admin\AppData\Local\Temp\D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe
"C:\Users\Admin\AppData\Local\Temp\D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 79.143.181.178:8861 | N/A | tcp |
Files
memory/1104-60-0x0000000076E11000-0x0000000076E13000-memory.dmp
memory/1104-61-0x0000000000480000-0x0000000000481000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-07-18 08:02
Reported
2021-07-18 08:04
Platform
win10v20210408
Max time kernel
38s
Max time network
151s
Command Line
Signatures
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\wsecor = "C:\\ProgramData\\Mins\\mieces.exe" | C:\Users\Admin\AppData\Local\Temp\D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe
"C:\Users\Admin\AppData\Local\Temp\D046E766C9C755C88427A91D0DFCFCA5659ADE83BFD34.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| N/A | 79.143.181.178:8861 | N/A | tcp |
Files
memory/4648-114-0x0000000000AA0000-0x0000000000AA1000-memory.dmp