crimsonrat | e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024

Analysis

max time kernel
190s
max time network
222s
platform
windows10_x64
resource
win10-en-20211208
submitted
21-01-2022 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe
Size

83KB
MD5

4663018621abd6313f9edb03c0737517
SHA1

a9dd4c0303b261344d469362bd80c4e366e79692
SHA256

e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024
SHA512

64d44f463b2d855c17b495ec056998b6f522f5078743621322f1cb574acf2ead445b0fe0f853a420941dfae2c09f5965ea383e48af74479d9c6c5a14c44a8f55

Score

10^/10

crimsonrat rat

Malware Config

Signatures

CrimsonRAT Main Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000700000001ab46-116.dat	family_crimsonrat
behavioral2/files/0x000700000001ab46-117.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat

Executes dropped EXE 1 IoCs

pid	Process
1900	dlrarhsiva.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 1900	1332	e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe	71
PID 1332 wrote to memory of 1900	1332	e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe	71

C:\Users\Admin\AppData\Local\Temp\e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe
"C:\Users\Admin\AppData\Local\Temp\e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1332
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1332-115-0x0000000000C40000-0x0000000000C42000-memory.dmp

Filesize
8KB

Download
memory/1900-118-0x0000000002E90000-0x0000000002E92000-memory.dmp

Filesize
8KB

Download
memory/1900-119-0x0000000002E92000-0x0000000002E94000-memory.dmp

Filesize
8KB

Download