Overview

overview

10

Static

static

11c45925b6...96.doc

windows7_x64

10

11c45925b6...96.doc

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    30-01-2022 16:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    11c45925b64777eaa401a6c0f6a6f847fb80e82d8da8fdfe1156d28663fd9396.doc

  • Size

    3.0MB

  • MD5

    d851a1c634cd8a63d9dcf0db5b84b200

  • SHA1

    3208d7bc352771507837e075586e83216cc61be5

  • SHA256

    11c45925b64777eaa401a6c0f6a6f847fb80e82d8da8fdfe1156d28663fd9396

  • SHA512

    12444b6ade5beb5f658ade2553013eac17a8e766bf210e3914b0393ab2252752c89ca3c33705008916895d8ad070f8c8279d63e3eedb2323354c6c1d0a8a9a06

Score
10/10
crimsonratrat

Malware Config

Signatures

  • CrimsonRAT Main Payload 2 IoCs
  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    ratcrimsonrat
  • Executes dropped EXE 1 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Suspicious behavior: AddClipboardFormatListener 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 23 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\11c45925b64777eaa401a6c0f6a6f847fb80e82d8da8fdfe1156d28663fd9396.doc" /o ""
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3572
    • C:\ProgramData\Remdias\hringarma.exe
      C:\ProgramData\Remdias\hringarma.exe
      2⤵
      • Executes dropped EXE
      PID:3436
  • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:528

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/528-532-0x00007FF8726E0000-0x00007FF8726F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/528-534-0x00007FF8726E0000-0x00007FF8726F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/528-533-0x00007FF8726E0000-0x00007FF8726F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/528-531-0x00007FF8726E0000-0x00007FF8726F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3436-295-0x0000000003C20000-0x0000000003C21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3572-115-0x00007FF8726E0000-0x00007FF8726F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3572-259-0x0000016CE5530000-0x0000016CE5534000-memory.dmp

    Filesize

    16KB

    Download

  • memory/3572-124-0x00007FF86F1F0000-0x00007FF86F200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3572-122-0x00007FF86F1F0000-0x00007FF86F200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3572-119-0x00007FF8726E0000-0x00007FF8726F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3572-118-0x00007FF8726E0000-0x00007FF8726F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3572-117-0x00007FF8726E0000-0x00007FF8726F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3572-116-0x00007FF8726E0000-0x00007FF8726F0000-memory.dmp

    Filesize

    64KB

    Download