crimsonrat | e881c562ad195b51c9800bc32e8f170db651a7a97a9b3cc1304e80661e156c9f

Analysis

max time kernel
144s
max time network
153s
platform
windows7_x64
resource
win7-en-20211208
submitted
21-01-2022 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

scan0001/scan0001.exe
Size

289KB
MD5

2cd6db80e8dadce0c00f2417b6dedaf4
SHA1

488f62cab74c7754fe8736b0fe8c12c75065789e
SHA256

b9446d663f2aef34efdb579ae02e62923b5c3bc02b9d0fe537f5974ae439a422
SHA512

a5373990db293797347fe054333ba66dadc4eb8551515a9e67652219240f0cee3112969b3087df5a18e5fe9ccc525bfb7091356ecef293b4053b8f6a18646d63

Score

10^/10

crimsonrat rat

Malware Config

Signatures

CrimsonRAT Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x00060000000125b9-57.dat	family_crimsonrat
behavioral1/files/0x00060000000125b9-56.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat

Executes dropped EXE 1 IoCs

Processes:

nirtbivaes.exe

pid	Process
276	nirtbivaes.exe

Drops file in Program Files directory 2 IoCs

Processes:

scan0001.exe

description	ioc	Process
File opened for modification	C:\PROGRA~3\Ladhnara\nirtbivaes.exe	scan0001.exe
File created	C:\PROGRA~3\Ladhnara\nirtbivaes.exe	scan0001.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

scan0001.exe

description	pid	Process	procid_target
PID 1684 wrote to memory of 276	1684	scan0001.exe	27
PID 1684 wrote to memory of 276	1684	scan0001.exe	27
PID 1684 wrote to memory of 276	1684	scan0001.exe	27

C:\Users\Admin\AppData\Local\Temp\scan0001\scan0001.exe
"C:\Users\Admin\AppData\Local\Temp\scan0001\scan0001.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1684
- C:\ProgramData\Ladhnara\nirtbivaes.exe
  "C:\ProgramData\Ladhnara\nirtbivaes.exe"
  2⤵
  - Executes dropped EXE
  PID:276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Ladhnara\nirtbivaes.exe

MD5
8d42aaeaa6fc19c74b744ccf20e51150

SHA1
e350b04dc8a3005649c8d54716b740c37d12dd53

SHA256
47b99e50430e9abad7326d1837ecdda5f995112b0b12406d23df5ef603d52a4e

SHA512
818fb089c26750dea3f1ef5aafed065398fa0be2106e37bf5727e3c30868f9e5af71484c837371aaa09de4fbd36d345c2a813dd1f6e65cfff8ff01bebab80d19

Download Submit
C:\ProgramData\Ladhnara\nirtbivaes.exe

MD5
8d42aaeaa6fc19c74b744ccf20e51150

SHA1
e350b04dc8a3005649c8d54716b740c37d12dd53

SHA256
47b99e50430e9abad7326d1837ecdda5f995112b0b12406d23df5ef603d52a4e

SHA512
818fb089c26750dea3f1ef5aafed065398fa0be2106e37bf5727e3c30868f9e5af71484c837371aaa09de4fbd36d345c2a813dd1f6e65cfff8ff01bebab80d19

Download Submit
memory/276-59-0x0000000002800000-0x0000000002902000-memory.dmp

Filesize
1.0MB

Download
memory/276-58-0x000007FEEB0D0000-0x000007FEEC166000-memory.dmp

Filesize
16.6MB

Download
memory/276-60-0x0000000002906000-0x0000000002925000-memory.dmp

Filesize
124KB

Download
memory/1684-54-0x00000000010A0000-0x00000000010F0000-memory.dmp

Filesize
320KB

Download
memory/1684-55-0x000000001B0D0000-0x000000001B0D2000-memory.dmp

Filesize
8KB

Download