Analysis

  • max time kernel
    137s
  • max time network
    163s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-04-2022 04:18

General

  • Target

    4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe

  • Size

    59KB

  • MD5

    04f60dd495708663a410f38db90a5592

  • SHA1

    b2a517f140c0064dd7384c0aeee0c0471bcad126

  • SHA256

    4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e

  • SHA512

    5058fed79826dc45acd7f77cfd3c080dbd708ddcda565c41d8c9e38bcd5aca9551b426abfe6033301833dd7f98783ff0d8da14b514e820de780295758376ecdc

Score
10/10

Malware Config

Signatures

  • CrimsonRAT Main Payload 2 IoCs
  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe
    "C:\Users\Admin\AppData\Local\Temp\4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3660
    • C:\ProgramData\Dhonvdh\ithmrdrvas.exe
      "C:\ProgramData\Dhonvdh\ithmrdrvas.exe"
      2⤵
      • Executes dropped EXE
      PID:1836

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Dhonvdh\ithmrdrvas.exe

    Filesize

    9.3MB

    MD5

    8930f5a56afe4a9f02c01c6c6b647da0

    SHA1

    b1000f35e9150d59b0849a662d35f69e67294a51

    SHA256

    09aaf5e962480a6412c5523f6705489e5aee2f2bd3e42491074b903d0f5d3d3d

    SHA512

    05ed5347ffd7bfd1692d7f61f1a051d9377710abdd366ef05ca399566d01cb3bb4065a0693f85ca1e5455452ce3cda2a795f73f259ba3158492f2fb62165b1dc

  • C:\ProgramData\Dhonvdh\ithmrdrvas.exe

    Filesize

    9.3MB

    MD5

    8930f5a56afe4a9f02c01c6c6b647da0

    SHA1

    b1000f35e9150d59b0849a662d35f69e67294a51

    SHA256

    09aaf5e962480a6412c5523f6705489e5aee2f2bd3e42491074b903d0f5d3d3d

    SHA512

    05ed5347ffd7bfd1692d7f61f1a051d9377710abdd366ef05ca399566d01cb3bb4065a0693f85ca1e5455452ce3cda2a795f73f259ba3158492f2fb62165b1dc

  • memory/1836-131-0x0000000000000000-mapping.dmp

  • memory/1836-134-0x0000000001550000-0x0000000001560000-memory.dmp

    Filesize

    64KB

  • memory/1836-136-0x0000000001550000-0x0000000001560000-memory.dmp

    Filesize

    64KB

  • memory/3660-130-0x0000000000EE0000-0x0000000000EE2000-memory.dmp

    Filesize

    8KB

  • memory/3660-135-0x0000000000EE2000-0x0000000000EE4000-memory.dmp

    Filesize

    8KB