Overview

overview

10

Static

static

02fddfee49...8b.exe

windows7_x64

10

02fddfee49...8b.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    161s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    30-01-2022 16:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    02fddfee4928270827be0b6be617661543eb59f4a0807047eacc05c8507d188b.exe

  • Size

    1.1MB

  • MD5

    7d61ca46b50982c962c63ee96547cae5

  • SHA1

    c36c1533a67aae67fa9dd1c6ffe14609e40ccba7

  • SHA256

    02fddfee4928270827be0b6be617661543eb59f4a0807047eacc05c8507d188b

  • SHA512

    19295c894765f183ab8a31496dc3e563431cbe37cb159cd84bcc6e1859a3d14727377189456317d24751e9447eec27a19cb7d274732389f17215f070fab41651

Score
10/10
crimsonratrat

Malware Config

Signatures

  • CrimsonRAT Main Payload 2 IoCs
  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    ratcrimsonrat
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\02fddfee4928270827be0b6be617661543eb59f4a0807047eacc05c8507d188b.exe
    "C:\Users\Admin\AppData\Local\Temp\02fddfee4928270827be0b6be617661543eb59f4a0807047eacc05c8507d188b.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3832
    • C:\ProgramData\Dathlas\udhgariwe.exe
      "C:\ProgramData\Dathlas\udhgariwe.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3372
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\02fddfee4928270827be0b6be617661543eb59f4a0807047eacc05c8507d188b_3 .docx" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:384

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/384-124-0x00007FF909EF0000-0x00007FF909F00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/384-125-0x00007FF909EF0000-0x00007FF909F00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/384-126-0x00007FF909EF0000-0x00007FF909F00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/384-127-0x00007FF909EF0000-0x00007FF909F00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/384-128-0x00007FF909EF0000-0x00007FF909F00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/384-131-0x00007FF906CA0000-0x00007FF906CB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/384-132-0x00007FF906CA0000-0x00007FF906CB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3372-122-0x000002C7D4200000-0x000002C7D4BA8000-memory.dmp

    Filesize

    9.7MB

    Download

  • memory/3372-123-0x000002C7EF0E0000-0x000002C7EF0E2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3832-118-0x0000000002730000-0x0000000002732000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3832-119-0x0000000002732000-0x0000000002734000-memory.dmp

    Filesize

    8KB

    Download