Analysis

  • max time kernel
    4294216s
  • max time network
    163s
  • platform
    windows7_x64
  • resource
    win7-20220311-en
  • submitted
    25-03-2022 22:01

General

  • Target

    6257ab26547f390bfd67d60766a708a95998452eb487d6d7208a52dc3e9840e0.exe

  • Size

    270KB

  • MD5

    db12a808823a93d95a2eb9719e0e5122

  • SHA1

    5e2dcbddfd28c41bc6da89c3bbf1a9ac20b1080b

  • SHA256

    6257ab26547f390bfd67d60766a708a95998452eb487d6d7208a52dc3e9840e0

  • SHA512

    9817834daf4021b2510950ec1db6f9f905d122e1453ea170e9b9ef3c79c3871afcecfa6fd0a7937815c84a187250beca6102ef4d81a77ddff931a527407c4262
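Before detonating or sharing a copy of this sample, confirm it is the same file the report describes. The script below is an added example, not part of the report: it streams a file once through all four hash algorithms, compares the results with the hashes listed above, and checks the sandbox convention of naming the sample after its SHA-256. The local file path is an assumption.

```python
"""Verify a downloaded sample against the hashes a sandbox report lists.

Added example, not part of the report. EXPECTED is copied from the
report's General section; the local file path is an assumption.
"""
import hashlib

# Hashes as listed in the report's General section.
EXPECTED = {
    "md5": "db12a808823a93d95a2eb9719e0e5122",
    "sha1": "5e2dcbddfd28c41bc6da89c3bbf1a9ac20b1080b",
    "sha256": "6257ab26547f390bfd67d60766a708a95998452eb487d6d7208a52dc3e9840e0",
    "sha512": "9817834daf4021b2510950ec1db6f9f905d122e1453ea170e9b9ef3c79c3871a"
              "fcecfa6fd0a7937815c84a187250beca6102ef4d81a77ddff931a527407c4262",
}
ALGOS = ("md5", "sha1", "sha256", "sha512")


def digest_stream(chunks):
    """Feed every chunk to all four hashers in one pass; return hex digests keyed by algorithm."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_file(path, chunk_size=1 << 20):
    """Hash a file on disk without loading it into memory at once."""
    with open(path, "rb") as f:
        return digest_stream(iter(lambda: f.read(chunk_size), b""))


def digest_bytes(data):
    """Hash an in-memory blob (handy for tests and for samples pulled from an API)."""
    return digest_stream([data])


def compare(actual, expected):
    """Return {algo: (expected, actual)} for each mismatch; an empty dict means every listed hash matches."""
    return {
        name: (expected[name].lower(), actual[name])
        for name in expected
        if name in actual and actual[name] != expected[name].lower()
    }


def sha256_matches_filename(actual, filename):
    """Sandboxes usually name the stored sample after its SHA-256; check that convention holds."""
    stem = filename.rsplit(".", 1)[0].lower()
    return stem == actual["sha256"]


if __name__ == "__main__":
    import sys
    # Assumed path: the sample saved under its SHA-256 name in the current directory.
    path = sys.argv[1] if len(sys.argv) > 1 else EXPECTED["sha256"] + ".exe"
    actual = digest_file(path)
    mismatches = compare(actual, EXPECTED)
    if mismatches:
        for algo, (exp, got) in mismatches.items():
            print(f"MISMATCH {algo}: expected {exp}, got {got}")
        sys.exit(1)
    print("all hashes match; filename convention ok:", sha256_matches_filename(actual, path))
```

A mismatch on any one algorithm means you do not have the file the report analysed (a re-packed or truncated copy will differ on all four), so treat the report's process tree and memory dumps as not applicable to the file in hand.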

Score
10/10

Malware Config

Signatures

  • CrimsonRAT Main Payload 2 IoCs
  • CrimsonRat

    Crimson RAT is a remote access trojan attributed to a Pakistan-linked threat actor (the group tracked as Transparent Tribe, also known as APT36).

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox flags this as likely ransomware behaviour, but the same drive enumeration is also characteristic of a RAT inventorying a host, so on its own it does not indicate encryption activity; the classification above rests on the CrimsonRAT payload signatures, not on this heuristic.

  • Modifies Internet Explorer settings 1 TTPs 9 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6257ab26547f390bfd67d60766a708a95998452eb487d6d7208a52dc3e9840e0.exe
    "C:\Users\Admin\AppData\Local\Temp\6257ab26547f390bfd67d60766a708a95998452eb487d6d7208a52dc3e9840e0.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1152
    • C:\ProgramData\Gthrentl\valthasrvin.exe
      "C:\ProgramData\Gthrentl\valthasrvin.exe"
      2⤵
      • Executes dropped EXE
      PID:1624
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\6257ab26547f390bfd67d60766a708a95998452eb487d6d7208a52dc3e9840e0-02 .doc"
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1180
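The process tree above shows a compact dropper pattern: an executable run from the user's Temp directory writes a second executable under a new C:\ProgramData subfolder and runs it, then opens a decoy .doc in Word whose name is derived from the dropper's own filename. The following is an added example, not part of the report or the sandbox's own signatures: it turns that pattern into detection logic and runs it over constructed process-creation records modelled on the tree above (PIDs and image paths are taken from the report; the explorer.exe parent and the second, benign Word launch are invented controls, and the ProgramData allowlist is an assumption).

```python
"""Detect a Temp-resident dropper that runs a ProgramData executable and opens a decoy document.

Added example, not part of the report. The event records are constructed to
mirror the report's process tree; the explorer.exe parent, the benign Word
launch and the ProgramData allowlist are assumptions.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = "6257ab26547f390bfd67d60766a708a95998452eb487d6d7208a52dc3e9840e0"
SAMPLE_EXE = ntpath.join(r"C:\Users\Admin\AppData\Local\Temp", SAMPLE + ".exe")
DROPPED_EXE = r"C:\ProgramData\Gthrentl\valthasrvin.exe"
WINWORD = r"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE"
DECOY_DOC = ntpath.join(r"C:\Users\Admin\Documents", SAMPLE + "-02 .doc")

# Constructed process-creation records (Sysmon Event ID 1 style), modelled on the report.
EVENTS = [
    ProcEvent(900, 1, r"C:\Windows\explorer.exe", "explorer.exe"),          # assumed parent
    ProcEvent(1152, 900, SAMPLE_EXE, f'"{SAMPLE_EXE}"'),
    ProcEvent(1624, 1152, DROPPED_EXE, f'"{DROPPED_EXE}"'),
    ProcEvent(1180, 1152, WINWORD, f'"{WINWORD}" /n "{DECOY_DOC}"'),
    # Control: a user opening a document from Explorer; must not produce a finding.
    ProcEvent(2000, 900, WINWORD, f'"{WINWORD}" /n "C:\\Users\\Admin\\Documents\\budget.docx"'),
]

TEMP_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\[^\\]+\.exe$", re.I)
PROGRAMDATA_EXE = re.compile(r"^[a-z]:\\programdata\\([^\\]+)\\[^\\]+\.exe$", re.I)
# Assumed allowlist of ProgramData subfolders that legitimately host executables; tune per estate.
PROGRAMDATA_ALLOW = {"microsoft", "package cache"}
# A quoted .doc/.docx argument that lives in a user's Documents folder.
DOC_ARG = re.compile(r'"([^"]*\\users\\[^"\\]+\\documents\\[^"]+\.docx?)"', re.I)


def is_word(image):
    return ntpath.basename(image).lower() == "winword.exe"


def detect(events):
    """Return one finding per Temp-resident parent that launches a non-allowlisted ProgramData executable."""
    by_pid = {e.pid: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)

    findings = []
    for ppid, kids in children.items():
        parent = by_pid.get(ppid)
        if parent is None or not TEMP_EXE.match(parent.image):
            continue
        dropped = []
        for k in kids:
            m = PROGRAMDATA_EXE.match(k.image)
            if m and m.group(1).lower() not in PROGRAMDATA_ALLOW:
                dropped.append(k.image)
        if not dropped:
            continue
        decoys = []
        for k in kids:
            if is_word(k.image):
                m = DOC_ARG.search(k.cmdline)
                if m:
                    decoys.append(m.group(1))
        # A decoy named after the dropper (as in the report) is a strong tell.
        parent_stem = ntpath.splitext(ntpath.basename(parent.image))[0].lower()
        named_after = any(ntpath.basename(d).lower().startswith(parent_stem) for d in decoys)
        findings.append({
            "pid": parent.pid,
            "parent_image": parent.image,
            "dropped_exe": dropped,
            "decoy_doc": decoys,
            "decoy_named_after_dropper": named_after,
            "verdict": "dropper with decoy document" if decoys else "dropper, no decoy seen",
        })
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The rule keys on the parent being a Temp-resident executable, so Explorer or Outlook opening a document does not fire; the ProgramData allowlist is where false positives from installers land, and the "named after the dropper" flag is what separates a lure from an unrelated Word launch in the same session.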

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/1152-54-0x000007FEEF150000-0x000007FEF01E6000-memory.dmp

    Filesize

    16.6MB

  • memory/1152-55-0x0000000000B10000-0x0000000000B12000-memory.dmp

    Filesize

    8KB

  • memory/1152-56-0x0000000000B16000-0x0000000000B35000-memory.dmp

    Filesize

    124KB

  • memory/1180-66-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1180-64-0x0000000073011000-0x0000000073014000-memory.dmp

    Filesize

    12KB

  • memory/1180-65-0x0000000070A91000-0x0000000070A93000-memory.dmp

    Filesize

    8KB

  • memory/1180-67-0x0000000076AC1000-0x0000000076AC3000-memory.dmp

    Filesize

    8KB

  • memory/1180-68-0x0000000071A7D000-0x0000000071A88000-memory.dmp

    Filesize

    44KB

  • memory/1624-61-0x0000000000A10000-0x0000000000A12000-memory.dmp

    Filesize

    8KB

  • memory/1624-62-0x0000000000A16000-0x0000000000A35000-memory.dmp

    Filesize

    124KB

  • memory/1624-60-0x000007FEEF150000-0x000007FEF01E6000-memory.dmp

    Filesize

    16.6MB