Analysis Overview
SHA256
e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584
Threat Level: Known bad
The file e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584 was found to be: Known bad.
Malicious Activity Summary
CrimsonRAT Main Payload
CrimsonRat
Executes dropped EXE
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-21 22:57
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-21 22:57
Reported
2022-01-21 23:26
Platform
win7-en-20211208
Max time kernel
124s
Max time network
145s
Command Line
Signatures
CrimsonRAT Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
CrimsonRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Detharis\dhrwarhsav.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~3\Detharis\dhrwarhsav.exe | C:\Users\Admin\AppData\Local\Temp\e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584.exe | N/A |
| File opened for modification | C:\PROGRA~3\Detharis\dhrwarhsav.exe | C:\Users\Admin\AppData\Local\Temp\e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1116 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584.exe | C:\ProgramData\Detharis\dhrwarhsav.exe |
| PID 1116 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584.exe | C:\ProgramData\Detharis\dhrwarhsav.exe |
| PID 1116 wrote to memory of 1804 | N/A | C:\Users\Admin\AppData\Local\Temp\e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584.exe | C:\ProgramData\Detharis\dhrwarhsav.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584.exe
"C:\Users\Admin\AppData\Local\Temp\e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584.exe"
C:\ProgramData\Detharis\dhrwarhsav.exe
"C:\ProgramData\Detharis\dhrwarhsav.exe"
Network
| Country | Destination | Domain | Proto |
| US | 107.175.64.209:6728 | | tcp |
| US | 107.175.64.209:8661 | | tcp |
Files
memory/1116-55-0x0000000000590000-0x0000000000592000-memory.dmp
memory/1116-56-0x000007FEF2A50000-0x000007FEF3AE6000-memory.dmp
memory/1116-57-0x0000000000596000-0x00000000005B5000-memory.dmp
C:\ProgramData\Detharis\dhrwarhsav.exe
| MD5 | e0db666fff1c8ac20106aa04b20b7b2e |
| SHA1 | 9ff84c539401626a0fa95cef4e448e7675785a20 |
| SHA256 | c22c8d74daac7596b4816de5b7549927a01f65669aed7f52e382d151deb76080 |
| SHA512 | cac85784d1c46c89e9871e6ae011573b09328b98a6ef85ebc4f73bab3ae5e0ed88d7d13167d466805c3bbf5eb505a239395a06e689c10ca8808a2472b4630e67 |
memory/1804-60-0x000007FEF2A50000-0x000007FEF3AE6000-memory.dmp
memory/1804-62-0x0000000000B46000-0x0000000000B65000-memory.dmp
memory/1804-61-0x0000000000B40000-0x0000000000B42000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-21 22:57
Reported
2022-01-21 23:26
Platform
win10-en-20211208
Max time kernel
165s
Max time network
186s
Command Line
Signatures
CrimsonRAT Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
CrimsonRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Detharis\dhrwarhsav.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2628 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584.exe | C:\ProgramData\Detharis\dhrwarhsav.exe |
| PID 2628 wrote to memory of 1716 | N/A | C:\Users\Admin\AppData\Local\Temp\e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584.exe | C:\ProgramData\Detharis\dhrwarhsav.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584.exe
"C:\Users\Admin\AppData\Local\Temp\e63cd1c60fd8d9f2ab6714f371958621f9d500bb09ba3569d0435f8f38960584.exe"
C:\ProgramData\Detharis\dhrwarhsav.exe
"C:\ProgramData\Detharis\dhrwarhsav.exe"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 204.79.197.203:80 | | tcp |
| US | 72.21.91.29:80 | | tcp |
| US | 20.189.173.1:443 | | tcp |
| US | 107.175.64.209:6728 | | tcp |
Files
memory/2628-115-0x0000000002750000-0x0000000002752000-memory.dmp
C:\ProgramData\Detharis\dhrwarhsav.exe
| MD5 | e0db666fff1c8ac20106aa04b20b7b2e |
| SHA1 | 9ff84c539401626a0fa95cef4e448e7675785a20 |
| SHA256 | c22c8d74daac7596b4816de5b7549927a01f65669aed7f52e382d151deb76080 |
| SHA512 | cac85784d1c46c89e9871e6ae011573b09328b98a6ef85ebc4f73bab3ae5e0ed88d7d13167d466805c3bbf5eb505a239395a06e689c10ca8808a2472b4630e67 |
memory/1716-119-0x0000000003080000-0x0000000003082000-memory.dmp
memory/2628-120-0x0000000002752000-0x0000000002754000-memory.dmp
memory/1716-122-0x0000000003082000-0x0000000003084000-memory.dmp