Analysis

  • max time kernel
    150s
  • max time network
    159s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    21-01-2022 23:44

General

  • Target

    67da24711012366322f2e6ab3534d62c064d24dc6e113b6077354c792cc56b71.xlam

  • Size

    112KB

  • MD5

    1b54bc52032731b5c75b9f74df7e1afe

  • SHA1

    cdddaf72deb956e039e5e8c10230d6c872a34e10

  • SHA256

    67da24711012366322f2e6ab3534d62c064d24dc6e113b6077354c792cc56b71

  • SHA512

    818961365b8dd76b7cdc90e2b00d9419e13de6e0797b9fb012a2b4bcaf4e5856376ebeb216ceb9afe810b34a4227e3222aea85ccc872f7ae013a5b98f46c54d3

Score
10/10

Malware Config

Signatures

  • CrimsonRAT Main Payload 2 IoCs
  • CrimsonRat

    Crimson RAT is malware attributed to a Pakistan-linked threat actor.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\67da24711012366322f2e6ab3534d62c064d24dc6e113b6077354c792cc56b71.xlam
    1⤵
    • Loads dropped DLL
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1532
    • C:\Users\Admin\Uthmdsa\pnvthirena.exe
      C:\Users\Admin\Uthmdsa\pnvthirena.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\ProgramData\Addobephot\hdlbvarims.exe
        "C:\ProgramData\Addobephot\hdlbvarims.exe"
        3⤵
        • Executes dropped EXE
        PID:772

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\Addobephot\hdlbvarims.exe

    MD5

    c410ef1f5b0ca137ffd993b3569fac88

    SHA1

    3b3ad0394f467aca9f81ba7c574b04dc63d5b8e9

    SHA256

    1259ddd540300dbec4d76b5909dad475fa56b3b1837b6c7097d9b42e28d3182c

    SHA512

    48002ffdaf42069aeeed1584af940c03205510c0f3e589962b9e54aaf95ecfe217df6f2c7ee66e2a23e9fa66f709d5ea428ece5403056d1f35e6f631776e66be

  • C:\Users\Admin\Uthmdsa\pnvthirena.exe

    MD5

    af866c374e012be282b3318931307751

    SHA1

    388a3c0773932e4a4471e0250eaef8c90b47685b

    SHA256

    950532180701f8ac033a8796238d7e5b6900bc2652f28e2a44645d3cdabdeded

    SHA512

    68e2adb4cbe0330ec2b260aaf1cb0861c31afffdf8c5cca75f8cc2996550f002256361f1dac873b48ebc0dbce4c536ee2c236eb54f4c58e2a4ac6e19a4998968

  • \Users\Admin\Uthmdsa\pnvthirena.exe

    MD5

    af866c374e012be282b3318931307751

    SHA1

    388a3c0773932e4a4471e0250eaef8c90b47685b

    SHA256

    950532180701f8ac033a8796238d7e5b6900bc2652f28e2a44645d3cdabdeded

    SHA512

    68e2adb4cbe0330ec2b260aaf1cb0861c31afffdf8c5cca75f8cc2996550f002256361f1dac873b48ebc0dbce4c536ee2c236eb54f4c58e2a4ac6e19a4998968

  • memory/772-70-0x0000000000AB6000-0x0000000000AD5000-memory.dmp

    Filesize

    124KB

  • memory/772-69-0x00000000009B0000-0x0000000000AB2000-memory.dmp

    Filesize

    1.0MB

  • memory/772-68-0x000007FEF2E00000-0x000007FEF3E96000-memory.dmp

    Filesize

    16.6MB

  • memory/1532-58-0x00000000003F0000-0x000000000051F000-memory.dmp

    Filesize

    1.2MB

  • memory/1532-62-0x0000000005E40000-0x0000000006A8A000-memory.dmp

    Filesize

    12.3MB

  • memory/1532-57-0x00000000003F0000-0x000000000051F000-memory.dmp

    Filesize

    1.2MB

  • memory/1532-53-0x000000002FED1000-0x000000002FED4000-memory.dmp

    Filesize

    12KB

  • memory/1532-56-0x00000000766D1000-0x00000000766D3000-memory.dmp

    Filesize

    8KB

  • memory/1532-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1532-54-0x0000000071BB1000-0x0000000071BB3000-memory.dmp

    Filesize

    8KB

  • memory/1948-63-0x0000000000B30000-0x0000000000B32000-memory.dmp

    Filesize

    8KB

  • memory/1948-64-0x000007FEF2E00000-0x000007FEF3E96000-memory.dmp

    Filesize

    16.6MB

  • memory/1948-65-0x0000000000B36000-0x0000000000B55000-memory.dmp

    Filesize

    124KB