Analysis
max time kernel: 190s
max time network: 222s
platform: windows10_x64
resource: win10-en-20211208
submitted: 21-01-2022 23:01
Static task: static1
Behavioral task: behavioral1
  Sample: e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe
  Resource: win10-en-20211208
General
Target: e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe
Size: 83KB
MD5: 4663018621abd6313f9edb03c0737517
SHA1: a9dd4c0303b261344d469362bd80c4e366e79692
SHA256: e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024
SHA512: 64d44f463b2d855c17b495ec056998b6f522f5078743621322f1cb574acf2ead445b0fe0f853a420941dfae2c09f5965ea383e48af74479d9c6c5a14c44a8f55
Malware Config
Signatures
- CrimsonRAT Main Payload (2 IoCs)
  Processes:
  resource | yara_rule
  C:\ProgramData\Hdlharas\dlrarhsiva.exe | family_crimsonrat
  C:\ProgramData\Hdlharas\dlrarhsiva.exe | family_crimsonrat
- CrimsonRat
  Crimson RAT is malware attributed to a Pakistan-linked threat actor.
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  1900 | dlrarhsiva.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
  description | pid | process | target process
  PID 1332 wrote to memory of 1900 | 1332 | e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe | dlrarhsiva.exe
  PID 1332 wrote to memory of 1900 | 1332 | e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe | dlrarhsiva.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe"
   PID: 1332
   - Suspicious use of WriteProcessMemory
   2. C:\ProgramData\Hdlharas\dlrarhsiva.exe
      Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
      PID: 1900
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
-
MD5: b35ab8d47748801afa154144c2891dc4
SHA1: c2c356c1a6abd7858d9a143da35c7fadff9f8edb
SHA256: 15c45d634c70f0604cfe30806320090c66a65d8f8a26303db3c9c15bf3cc950c
SHA512: a89686b0e7bb0b7ab6281a69448cc050ce3fe6a5c56ec9f5f2869106b3e2560a84554463bb9bb277d7f6da5a90a9f07f8ab5369f793fbb21dab56d868ae1ed45
-
MD5: b35ab8d47748801afa154144c2891dc4
SHA1: c2c356c1a6abd7858d9a143da35c7fadff9f8edb
SHA256: 15c45d634c70f0604cfe30806320090c66a65d8f8a26303db3c9c15bf3cc950c
SHA512: a89686b0e7bb0b7ab6281a69448cc050ce3fe6a5c56ec9f5f2869106b3e2560a84554463bb9bb277d7f6da5a90a9f07f8ab5369f793fbb21dab56d868ae1ed45