Analysis
- max time kernel: 122s
- max time network: 146s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 21-01-2022 22:57
Static task: static1
Behavioral task: behavioral1
  Sample: MoI Operation/MoI Operation.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: MoI Operation/MoI Operation.exe
  Resource: win10-en-20211208
General
- Target: MoI Operation/MoI Operation.exe
- Size: 309KB
- MD5: 2a2088cc646b984cb3d75d18c8708eb5
- SHA1: 20ceef8731d905794c8d7a14f4ecf9fb5aa29e28
- SHA256: 5a449782c6d286a5af7fd5cbab5d5d46dd4dd153cbc46e4aeae0ea54f2785980
- SHA512: cc23d711d756ca322786d0327b017af5e457b2ac144a03cdff9456164bd58e5dfa0b5ac6df02c9a3d7036cd82a29278eed055357e7080797673aaed95886de1d
Malware Config
Signatures
- CrimsonRAT Main Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\ProgramData\Ladhnara\nirtbivaes.exe | family_crimsonrat
  C:\ProgramData\Ladhnara\nirtbivaes.exe | family_crimsonrat
- CrimsonRat
  Crimson RAT is malware attributed to a Pakistan-linked threat actor.
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  292 | nirtbivaes.exe
- Drops file in Program Files directory (2 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\PROGRA~3\Ladhnara\nirtbivaes.exe | MoI Operation.exe
  File created | C:\PROGRA~3\Ladhnara\nirtbivaes.exe | MoI Operation.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 1368 wrote to memory of 292 | 1368 | MoI Operation.exe | nirtbivaes.exe
  PID 1368 wrote to memory of 292 | 1368 | MoI Operation.exe | nirtbivaes.exe
  PID 1368 wrote to memory of 292 | 1368 | MoI Operation.exe | nirtbivaes.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\MoI Operation\MoI Operation.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\MoI Operation\MoI Operation.exe"
  PID: 1368
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\ProgramData\Ladhnara\nirtbivaes.exe
    Command line: "C:\ProgramData\Ladhnara\nirtbivaes.exe"
    PID: 292
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 8d42aaeaa6fc19c74b744ccf20e51150
  SHA1: e350b04dc8a3005649c8d54716b740c37d12dd53
  SHA256: 47b99e50430e9abad7326d1837ecdda5f995112b0b12406d23df5ef603d52a4e
  SHA512: 818fb089c26750dea3f1ef5aafed065398fa0be2106e37bf5727e3c30868f9e5af71484c837371aaa09de4fbd36d345c2a813dd1f6e65cfff8ff01bebab80d19