Analysis Overview
SHA256
e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024
Threat Level: Known bad
The file e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024 was found to be: Known bad.
Malicious Activity Summary
CrimsonRAT Main Payload
CrimsonRat
Executes dropped EXE
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-01-21 23:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-01-21 23:01
Reported
2022-01-21 23:14
Platform
win7-en-20211208
Max time kernel
132s
Max time network
163s
Signatures
CrimsonRAT Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
CrimsonRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Hdlharas\dlrarhsiva.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~3\Hdlharas\dlrarhsiva.exe | C:\Users\Admin\AppData\Local\Temp\e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe | N/A |
| File opened for modification | C:\PROGRA~3\Hdlharas\dlrarhsiva.exe | C:\Users\Admin\AppData\Local\Temp\e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2008 wrote to memory of 1552 | N/A | C:\Users\Admin\AppData\Local\Temp\e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe | C:\ProgramData\Hdlharas\dlrarhsiva.exe |
| PID 2008 wrote to memory of 1552 | N/A | C:\Users\Admin\AppData\Local\Temp\e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe | C:\ProgramData\Hdlharas\dlrarhsiva.exe |
| PID 2008 wrote to memory of 1552 | N/A | C:\Users\Admin\AppData\Local\Temp\e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe | C:\ProgramData\Hdlharas\dlrarhsiva.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe
"C:\Users\Admin\AppData\Local\Temp\e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe"
C:\ProgramData\Hdlharas\dlrarhsiva.exe
"C:\ProgramData\Hdlharas\dlrarhsiva.exe"
Network
| Country | Destination | Domain | Proto |
| FR | 185.136.161.124:6128 | | tcp |
| FR | 185.136.161.124:8761 | | tcp |
Files
memory/2008-55-0x00000000002C0000-0x0000000000340000-memory.dmp
memory/2008-56-0x000007FEF29E0000-0x000007FEF3A76000-memory.dmp
memory/2008-57-0x00000000002C0000-0x0000000000340000-memory.dmp
C:\ProgramData\Hdlharas\dlrarhsiva.exe
| MD5 | b35ab8d47748801afa154144c2891dc4 |
| SHA1 | c2c356c1a6abd7858d9a143da35c7fadff9f8edb |
| SHA256 | 15c45d634c70f0604cfe30806320090c66a65d8f8a26303db3c9c15bf3cc950c |
| SHA512 | a89686b0e7bb0b7ab6281a69448cc050ce3fe6a5c56ec9f5f2869106b3e2560a84554463bb9bb277d7f6da5a90a9f07f8ab5369f793fbb21dab56d868ae1ed45 |
C:\ProgramData\Hdlharas\dlrarhsiva.exe
| MD5 | b35ab8d47748801afa154144c2891dc4 |
| SHA1 | c2c356c1a6abd7858d9a143da35c7fadff9f8edb |
| SHA256 | 15c45d634c70f0604cfe30806320090c66a65d8f8a26303db3c9c15bf3cc950c |
| SHA512 | a89686b0e7bb0b7ab6281a69448cc050ce3fe6a5c56ec9f5f2869106b3e2560a84554463bb9bb277d7f6da5a90a9f07f8ab5369f793fbb21dab56d868ae1ed45 |
memory/1552-60-0x000007FEF29E0000-0x000007FEF3A76000-memory.dmp
memory/1552-61-0x0000000002870000-0x0000000002872000-memory.dmp
memory/1552-62-0x0000000002876000-0x0000000002895000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-01-21 23:01
Reported
2022-01-21 23:16
Platform
win10-en-20211208
Max time kernel
190s
Max time network
222s
Signatures
CrimsonRAT Main Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
CrimsonRat
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Hdlharas\dlrarhsiva.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1332 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe | C:\ProgramData\Hdlharas\dlrarhsiva.exe |
| PID 1332 wrote to memory of 1900 | N/A | C:\Users\Admin\AppData\Local\Temp\e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe | C:\ProgramData\Hdlharas\dlrarhsiva.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe
"C:\Users\Admin\AppData\Local\Temp\e2200fa8b8c4757039e3f78536d9442817331f530e4348e08f02af753e7ae024.exe"
C:\ProgramData\Hdlharas\dlrarhsiva.exe
"C:\ProgramData\Hdlharas\dlrarhsiva.exe"
Network
| Country | Destination | Domain | Proto |
| SE | 23.52.27.27:80 | | tcp |
| FR | 185.136.161.124:6128 | | tcp |
Files
memory/1332-115-0x0000000000C40000-0x0000000000C42000-memory.dmp
C:\ProgramData\Hdlharas\dlrarhsiva.exe
| MD5 | b35ab8d47748801afa154144c2891dc4 |
| SHA1 | c2c356c1a6abd7858d9a143da35c7fadff9f8edb |
| SHA256 | 15c45d634c70f0604cfe30806320090c66a65d8f8a26303db3c9c15bf3cc950c |
| SHA512 | a89686b0e7bb0b7ab6281a69448cc050ce3fe6a5c56ec9f5f2869106b3e2560a84554463bb9bb277d7f6da5a90a9f07f8ab5369f793fbb21dab56d868ae1ed45 |
C:\ProgramData\Hdlharas\dlrarhsiva.exe
| MD5 | b35ab8d47748801afa154144c2891dc4 |
| SHA1 | c2c356c1a6abd7858d9a143da35c7fadff9f8edb |
| SHA256 | 15c45d634c70f0604cfe30806320090c66a65d8f8a26303db3c9c15bf3cc950c |
| SHA512 | a89686b0e7bb0b7ab6281a69448cc050ce3fe6a5c56ec9f5f2869106b3e2560a84554463bb9bb277d7f6da5a90a9f07f8ab5369f793fbb21dab56d868ae1ed45 |
memory/1900-118-0x0000000002E90000-0x0000000002E92000-memory.dmp
memory/1900-119-0x0000000002E92000-0x0000000002E94000-memory.dmp