crimsonrat | e7dbf1eacfbd73576b0e410099898e4c7e2d51d76fe3095314dee1b54860bf4f

General

Target

e7dbf1eacfbd73576b0e410099898e4c7e2d51d76fe3095314dee1b54860bf4f.exe
Size

269KB
MD5

336848d6de6faa8e8d737570046b0321
SHA1

84c33015a30fcfe38faa294820782c1f2f68da06
SHA256

e7dbf1eacfbd73576b0e410099898e4c7e2d51d76fe3095314dee1b54860bf4f
SHA512

85196ede8187b9f8711547fc1fc5f497edd8c9083d29b23ce2d2ac18a83fdc81cde2a38e9fb98de89e927cc016c04db9457dff14255679b5ed047a18d7334cfe

Score

10^/10

crimsonrat rat

Malware Config

Signatures

CrimsonRAT Main Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000500000001ab19-130.dat	family_crimsonrat
behavioral2/files/0x000500000001ab19-131.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat

Executes dropped EXE 1 IoCs

Processes:

rnthiavesa.exe

pid	Process
2556	rnthiavesa.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

e7dbf1eacfbd73576b0e410099898e4c7e2d51d76fe3095314dee1b54860bf4f.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings	e7dbf1eacfbd73576b0e410099898e4c7e2d51d76fe3095314dee1b54860bf4f.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid	Process
3584	WINWORD.EXE
3584	WINWORD.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid	Process
3584	WINWORD.EXE
3584	WINWORD.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

WINWORD.EXE

pid	Process
3584	WINWORD.EXE
3584	WINWORD.EXE
3584	WINWORD.EXE
3584	WINWORD.EXE
3584	WINWORD.EXE
3584	WINWORD.EXE
3584	WINWORD.EXE
3584	WINWORD.EXE
3584	WINWORD.EXE
3584	WINWORD.EXE
3584	WINWORD.EXE
3584	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

e7dbf1eacfbd73576b0e410099898e4c7e2d51d76fe3095314dee1b54860bf4f.exe

description	pid	Process	procid_target
PID 3348 wrote to memory of 3584	3348	e7dbf1eacfbd73576b0e410099898e4c7e2d51d76fe3095314dee1b54860bf4f.exe	69
PID 3348 wrote to memory of 3584	3348	e7dbf1eacfbd73576b0e410099898e4c7e2d51d76fe3095314dee1b54860bf4f.exe	69
PID 3348 wrote to memory of 2556	3348	e7dbf1eacfbd73576b0e410099898e4c7e2d51d76fe3095314dee1b54860bf4f.exe	70
PID 3348 wrote to memory of 2556	3348	e7dbf1eacfbd73576b0e410099898e4c7e2d51d76fe3095314dee1b54860bf4f.exe	70

C:\Users\Admin\AppData\Local\Temp\e7dbf1eacfbd73576b0e410099898e4c7e2d51d76fe3095314dee1b54860bf4f.exe
"C:\Users\Admin\AppData\Local\Temp\e7dbf1eacfbd73576b0e410099898e4c7e2d51d76fe3095314dee1b54860bf4f.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\e7dbf1eacfbd73576b0e410099898e4c7e2d51d76fe3095314dee1b54860bf4f-03-.docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3584
- C:\ProgramData\Hanthavra\rnthiavesa.exe
  "C:\ProgramData\Hanthavra\rnthiavesa.exe"
  2⤵
  - Executes dropped EXE
  PID:2556

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hanthavra\rnthiavesa.exe

MD5
93e588df26c62a47d3564e58ec988368

SHA1
fcd11555531f636245d4c03f151dceb62ba72f6e

SHA256
6cecd33e717c607ce578942e35c020d7571a7db67ce9270f9dcff30018a666cc

SHA512
0f1f527eed767036dd6323fb5bfbf3e83fc7c2ef842c6d297742d536f8b1ae5b0b54a8ef83fe26f42916656feb0752badb6a39e63067a7dc6fe3e0797738a8ef

Download Submit
C:\ProgramData\Hanthavra\rnthiavesa.exe

MD5
93e588df26c62a47d3564e58ec988368

SHA1
fcd11555531f636245d4c03f151dceb62ba72f6e

SHA256
6cecd33e717c607ce578942e35c020d7571a7db67ce9270f9dcff30018a666cc

SHA512
0f1f527eed767036dd6323fb5bfbf3e83fc7c2ef842c6d297742d536f8b1ae5b0b54a8ef83fe26f42916656feb0752badb6a39e63067a7dc6fe3e0797738a8ef

Download Submit
C:\Users\Admin\Documents\e7dbf1eacfbd73576b0e410099898e4c7e2d51d76fe3095314dee1b54860bf4f-03-.docx

MD5
498aba93d84770619caa1029cde79bf7

SHA1
63c5f8f5ac49040d8a2d19e41a0c499076881112

SHA256
994dddf45424b2ec72cf186de56f9190a643718bc5c3006465b1bd958a6eb5e8

SHA512
1de8c8e20cc4a88da9441339454a9370d4453853dc3969a02ec8f2477596419ebe2e06ba6b39dacb05eeb85b0ed19e4e93473af31b4bd97adf2bbd53f4c823e7

Download Submit
memory/2556-132-0x00000232C3410000-0x00000232C3DBA000-memory.dmp

Filesize
9.7MB

Download
memory/2556-146-0x00000232DE3D0000-0x00000232DE3D2000-memory.dmp

Filesize
8KB

Download
memory/3348-118-0x0000000002740000-0x0000000002742000-memory.dmp

Filesize
8KB

Download
memory/3584-120-0x00007FF893410000-0x00007FF893420000-memory.dmp

Filesize
64KB

Download
memory/3584-121-0x00007FF893410000-0x00007FF893420000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads