Analysis
- Max time kernel: 117s
- Max time network: 130s
- Platform: windows7_x64
- Resource: win7-en-20211208
- Submitted: 21-01-2022 22:52
Static task: static1
Behavioral task: behavioral1
- Sample: Personal Data/Personal Data.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: Personal Data/Personal Data.exe
- Resource: win10-en-20211208
General
- Target: Personal Data/Personal Data.exe
- Size: 314KB
- MD5: 9057a26d250fa33e7366e7cb8480cf51
- SHA1: f01e6154c079cf277c9c6f3c42a5c52e4e6a83de
- SHA256: 68253af6013d22553f3e87b8fd59dfade5c7f120b07ea679b041dcdcb845885a
- SHA512: 690dfa2f640dbc7c93933f5c8156234e364a67c5146b757dcd3ae0e3c3539a11a32e2eaf2ecd880c7edb17b9938ec5ba0c52d76ce339958e3b3ee5c966b1ba40
Malware Config
Signatures
- CrimsonRAT Main Payload (2 IoCs)
  Processes:
    resource | yara_rule
    C:\ProgramData\Ladhnara\nirtbivaes.exe | family_crimsonrat
    C:\ProgramData\Ladhnara\nirtbivaes.exe | family_crimsonrat
- CrimsonRat
  Crimson RAT is malware attributed to a Pakistan-linked threat actor.
- Executes dropped EXE (1 IoCs)
  Processes:
    pid | process
    1016 | nirtbivaes.exe
- Drops file in Program Files directory (2 IoCs)
  Processes:
    description | ioc | process
    File created | C:\PROGRA~3\Ladhnara\nirtbivaes.exe | Personal Data.exe
    File opened for modification | C:\PROGRA~3\Ladhnara\nirtbivaes.exe | Personal Data.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description | pid | process | target process
    PID 1624 wrote to memory of 1016 | 1624 | Personal Data.exe | nirtbivaes.exe
    PID 1624 wrote to memory of 1016 | 1624 | Personal Data.exe | nirtbivaes.exe
    PID 1624 wrote to memory of 1016 | 1624 | Personal Data.exe | nirtbivaes.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Personal Data\Personal Data.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Personal Data\Personal Data.exe"
  PID: 1624
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\ProgramData\Ladhnara\nirtbivaes.exe
    Command line: "C:\ProgramData\Ladhnara\nirtbivaes.exe"
    PID: 1016
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 8d42aaeaa6fc19c74b744ccf20e51150
  SHA1: e350b04dc8a3005649c8d54716b740c37d12dd53
  SHA256: 47b99e50430e9abad7326d1837ecdda5f995112b0b12406d23df5ef603d52a4e
  SHA512: 818fb089c26750dea3f1ef5aafed065398fa0be2106e37bf5727e3c30868f9e5af71484c837371aaa09de4fbd36d345c2a813dd1f6e65cfff8ff01bebab80d19