Analysis Overview
SHA256
feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767
Threat Level: Known bad
The file feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767 was found to be: Known bad.
Malicious Activity Summary
CrimsonRAT Main Payload
Crimsonrat family
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-01-21 22:49
Signatures
CrimsonRAT Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Crimsonrat family
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-21 22:49
Reported
2022-01-21 22:51
Platform
win7-en-20211208
Max time kernel
135s
Max time network
136s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767.exe
"C:\Users\Admin\AppData\Local\Temp\feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 173.212.228.121:2836 | tcp | |
| DE | 173.212.228.121:5638 | tcp | |
| DE | 173.212.228.121:8626 | tcp |
Files
memory/744-53-0x0000000001270000-0x000000000145C000-memory.dmp
memory/744-54-0x0000000076041000-0x0000000076043000-memory.dmp
memory/744-55-0x0000000004F40000-0x0000000004F41000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-21 22:49
Reported
2022-01-21 22:52
Platform
win10-en-20211208
Max time kernel
162s
Max time network
172s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767.exe
"C:\Users\Admin\AppData\Local\Temp\feda78f1dff8bd9d850a154a627bcfb4041dc36c325be0db436ca85fe565f767.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 173.212.228.121:2836 | tcp | |
| DE | 173.212.228.121:5638 | tcp | |
| DE | 173.212.228.121:8626 | tcp |
Files
memory/2324-115-0x0000000000BA0000-0x0000000000D8C000-memory.dmp
memory/2324-116-0x0000000005C20000-0x000000000611E000-memory.dmp
memory/2324-117-0x0000000005720000-0x00000000057B2000-memory.dmp
memory/2324-118-0x0000000005720000-0x0000000005C1E000-memory.dmp
memory/2324-119-0x00000000056F0000-0x00000000056FA000-memory.dmp