Overview

overview

10

Static

static

477147271a...79.exe

windows7_x64

10

477147271a...79.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    144s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    18-04-2022 08:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    477147271a54e32ef184030393f17c30d68d4aeb8bd6202a225e354f1800b279.exe

  • Size

    220KB

  • MD5

    3829791a486b0b9ccb80ffcb7177c19c

  • SHA1

    63b775ca11d595d65b8dfa4215823e7cb98c55af

  • SHA256

    477147271a54e32ef184030393f17c30d68d4aeb8bd6202a225e354f1800b279

  • SHA512

    f1d6950caf18ae7b3f68c6cecded468a706a08ec6a33d6ea29d21f6d120badcb020ae89a3c0be2fadd64424cc931724dbda3b0bd0c4b23f161ab86bde57b4d66

Score
10/10
crimsonratrat

Malware Config

Signatures

  • CrimsonRAT Main Payload 2 IoCs
  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    ratcrimsonrat
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\477147271a54e32ef184030393f17c30d68d4aeb8bd6202a225e354f1800b279.exe
    "C:\Users\Admin\AppData\Local\Temp\477147271a54e32ef184030393f17c30d68d4aeb8bd6202a225e354f1800b279.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\ProgramData\Paints\athvindaur.exe
      "C:\ProgramData\Paints\athvindaur.exe"
      2⤵
      • Executes dropped EXE
      PID:3320

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Paints\athvindaur.exe
    Filesize

    10.5MB

    MD5

    9ffd75516536c9e9f0e6a4cbefe24dcb

    SHA1

    5037f1297c44da969bbe30f3139a79933ae9a371

    SHA256

    6514d2900609c10b2abd5fec18f8938f88a050cde56f51633b93bd0fa6d1b1df

    SHA512

    ac678c0d96e02aac671a5290a5d28d3be7679999974d467f998e06ca1008779b8c78302bcb858b7c6e0f81fd4a07922d1bde32088f1c3c906696aa66486ec709

    Download Submit

  • C:\ProgramData\Paints\athvindaur.exe
    Filesize

    10.5MB

    MD5

    9ffd75516536c9e9f0e6a4cbefe24dcb

    SHA1

    5037f1297c44da969bbe30f3139a79933ae9a371

    SHA256

    6514d2900609c10b2abd5fec18f8938f88a050cde56f51633b93bd0fa6d1b1df

    SHA512

    ac678c0d96e02aac671a5290a5d28d3be7679999974d467f998e06ca1008779b8c78302bcb858b7c6e0f81fd4a07922d1bde32088f1c3c906696aa66486ec709

    Download Submit

  • memory/2212-130-0x0000000001370000-0x0000000001372000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2212-131-0x0000000001372000-0x0000000001374000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3320-132-0x0000000000000000-mapping.dmp

    Download

  • memory/3320-135-0x00000163B9560000-0x00000163B9FEE000-memory.dmp

    Filesize

    10.6MB

    Download

  • memory/3320-136-0x00007FFAB83D0000-0x00007FFAB8E91000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3320-137-0x00000163D4410000-0x00000163D4412000-memory.dmp

    Filesize

    8KB

    Download