crimsonrat | 02fddfee4928270827be0b6be617661543eb59f4a0807047eacc05c8507d188b

General

Target

02fddfee4928270827be0b6be617661543eb59f4a0807047eacc05c8507d188b.exe
Size

1.1MB
MD5

7d61ca46b50982c962c63ee96547cae5
SHA1

c36c1533a67aae67fa9dd1c6ffe14609e40ccba7
SHA256

02fddfee4928270827be0b6be617661543eb59f4a0807047eacc05c8507d188b
SHA512

19295c894765f183ab8a31496dc3e563431cbe37cb159cd84bcc6e1859a3d14727377189456317d24751e9447eec27a19cb7d274732389f17215f070fab41651

Score

10^/10

crimsonrat rat

Malware Config

Signatures

CrimsonRAT Main Payload 2 IoCs

Processes:

resource	yara_rule
C:\ProgramData\Dathlas\udhgariwe.exe	family_crimsonrat
C:\ProgramData\Dathlas\udhgariwe.exe	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Executes dropped EXE 1 IoCs

Processes:

udhgariwe.exe

pid process

3372 udhgariwe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
3372	udhgariwe.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

02fddfee4928270827be0b6be617661543eb59f4a0807047eacc05c8507d188b.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	02fddfee4928270827be0b6be617661543eb59f4a0807047eacc05c8507d188b.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

384 WINWORD.EXE
384 WINWORD.EXE
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

udhgariwe.exe

description pid process

Token: SeDebugPrivilege 3372 udhgariwe.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

WINWORD.EXE

pid process

384 WINWORD.EXE
384 WINWORD.EXE
384 WINWORD.EXE
384 WINWORD.EXE
384 WINWORD.EXE
384 WINWORD.EXE
384 WINWORD.EXE

pid	process
384	WINWORD.EXE
384	WINWORD.EXE

description	pid	process
Token: SeDebugPrivilege	3372	udhgariwe.exe

pid	process
384	WINWORD.EXE
384	WINWORD.EXE
384	WINWORD.EXE
384	WINWORD.EXE
384	WINWORD.EXE
384	WINWORD.EXE
384	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

02fddfee4928270827be0b6be617661543eb59f4a0807047eacc05c8507d188b.exe

description	pid	process	target process
PID 3832 wrote to memory of 3372	3832	02fddfee4928270827be0b6be617661543eb59f4a0807047eacc05c8507d188b.exe	udhgariwe.exe
PID 3832 wrote to memory of 3372	3832	02fddfee4928270827be0b6be617661543eb59f4a0807047eacc05c8507d188b.exe	udhgariwe.exe
PID 3832 wrote to memory of 384	3832	02fddfee4928270827be0b6be617661543eb59f4a0807047eacc05c8507d188b.exe	WINWORD.EXE
PID 3832 wrote to memory of 384	3832	02fddfee4928270827be0b6be617661543eb59f4a0807047eacc05c8507d188b.exe	WINWORD.EXE

C:\Users\Admin\AppData\Local\Temp\02fddfee4928270827be0b6be617661543eb59f4a0807047eacc05c8507d188b.exe
"C:\Users\Admin\AppData\Local\Temp\02fddfee4928270827be0b6be617661543eb59f4a0807047eacc05c8507d188b.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3832
- C:\ProgramData\Dathlas\udhgariwe.exe
  "C:\ProgramData\Dathlas\udhgariwe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3372
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\02fddfee4928270827be0b6be617661543eb59f4a0807047eacc05c8507d188b_3 .docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dathlas\udhgariwe.exe

MD5
bf8da04d750717d39c246952924b885e

SHA1
bf0997899b37785953e43c26969c87b478e0a404

SHA256
d804c4919d30bc41026558cd005e7fea8ab2527c1df29f6dbf2691d3928cdfc8

SHA512
1927bd7e7bc9c3e4f8f9a1b78df53986001d7175ebe9e724c45b0944945b9a726eb13e52dcdfe8fef0157fb9539876d419e2ceb712d54a3efdc24fc2cf29e9b9

Download Submit
C:\ProgramData\Dathlas\udhgariwe.exe

MD5
bf8da04d750717d39c246952924b885e

SHA1
bf0997899b37785953e43c26969c87b478e0a404

SHA256
d804c4919d30bc41026558cd005e7fea8ab2527c1df29f6dbf2691d3928cdfc8

SHA512
1927bd7e7bc9c3e4f8f9a1b78df53986001d7175ebe9e724c45b0944945b9a726eb13e52dcdfe8fef0157fb9539876d419e2ceb712d54a3efdc24fc2cf29e9b9

Download Submit
C:\Users\Admin\Documents\02fddfee4928270827be0b6be617661543eb59f4a0807047eacc05c8507d188b_3 .docx

MD5
80c0ce3a94d0f42db3fd3988fb8f871a

SHA1
975e10aec0c6deb523982ebd4ed56c9caff6791a

SHA256
67af683e3a2e535694cb6dd2e90fc0a5bacc686c5a99aad342297c5fffd2f265

SHA512
aadb8a9ceedb1c74cfdc1b2c31e6769c2a9965617286765ee793702710bc56d865173b8dae2e3fd4e93a24e891997af3269dbe335788b4fef5b4bfd4017a30d7

Download Submit
memory/384-124-0x00007FF909EF0000-0x00007FF909F00000-memory.dmp

Filesize
64KB

Download
memory/384-125-0x00007FF909EF0000-0x00007FF909F00000-memory.dmp

Filesize
64KB

Download
memory/384-126-0x00007FF909EF0000-0x00007FF909F00000-memory.dmp

Filesize
64KB

Download
memory/384-127-0x00007FF909EF0000-0x00007FF909F00000-memory.dmp

Filesize
64KB

Download
memory/384-128-0x00007FF909EF0000-0x00007FF909F00000-memory.dmp

Filesize
64KB

Download
memory/384-131-0x00007FF906CA0000-0x00007FF906CB0000-memory.dmp

Filesize
64KB

Download
memory/384-132-0x00007FF906CA0000-0x00007FF906CB0000-memory.dmp

Filesize
64KB

Download
memory/3372-122-0x000002C7D4200000-0x000002C7D4BA8000-memory.dmp

Filesize
9.7MB

Download
memory/3372-123-0x000002C7EF0E0000-0x000002C7EF0E2000-memory.dmp

Filesize
8KB

Download
memory/3832-118-0x0000000002730000-0x0000000002732000-memory.dmp

Filesize
8KB

Download
memory/3832-119-0x0000000002732000-0x0000000002734000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads