Analysis
max time kernel: 137s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 20-04-2022 04:18

Static task: static1
Behavioral task: behavioral1
  Sample: 4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe
  Resource: win10v2004-20220414-en

General
Target: 4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe
Size: 59KB
MD5: 04f60dd495708663a410f38db90a5592
SHA1: b2a517f140c0064dd7384c0aeee0c0471bcad126
SHA256: 4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e
SHA512: 5058fed79826dc45acd7f77cfd3c080dbd708ddcda565c41d8c9e38bcd5aca9551b426abfe6033301833dd7f98783ff0d8da14b514e820de780295758376ecdc
Malware Config
Signatures
CrimsonRAT Main Payload (2 IoCs)
  resource: behavioral2/files/0x00060000000231bd-132.dat   yara_rule: family_crimsonrat
  resource: behavioral2/files/0x00060000000231bd-133.dat   yara_rule: family_crimsonrat
CrimsonRat
Crimson RAT is malware attributed to a Pakistan-linked threat actor.
Executes dropped EXE (1 IoC)
  pid: 1836   Process: ithmrdrvas.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation
  Process: 4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description labels this "likely ransomware behaviour", but with a CrimsonRAT verdict and no file-encryption or ransom-note activity recorded elsewhere in this report, drive enumeration is better read as host reconnaissance (the RAT discovering drives and the files on them) than as encryption staging.
Suspicious use of WriteProcessMemory (2 IoCs)
  description: PID 3660 wrote to memory of 1836   pid: 3660   Process: 4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe   procid_target: 86
  description: PID 3660 wrote to memory of 1836   pid: 3660   Process: 4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe   procid_target: 86
Note that both writes target 1836, the dropped ithmrdrvas.exe that 3660 itself launches. Writes from a parent into a child it has just created are also produced by ordinary process start-up (the new process's parameters are written into its address space), so this signature on its own is not evidence of code injection; the drop-and-execute chain in the process tree is the stronger indicator here.
Processes
(1) C:\Users\Admin\AppData\Local\Temp\4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 3660
    (2) C:\ProgramData\Dhonvdh\ithmrdrvas.exe
        command line: "C:\ProgramData\Dhonvdh\ithmrdrvas.exe"
        - Executes dropped EXE
        PID: 1836
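The process tree above is the part of this report worth turning into detection logic: a sample launched from the user's Temp directory reads Geo\Nation, writes an executable under a fresh C:\ProgramData\<dir>\ folder and then runs it. The following is an added example, not code from the report or from the malware, that runs those two checks over endpoint telemetry. The event schema (the "ev", "pid", "ppid", "image", "key" and "path" fields) is an assumed Sysmon-like shape rather than any product's real format, and the events are constructed to mirror the report's PIDs and paths plus some benign noise.

```python
# Added example: detection logic for the drop-and-execute chain and the
# Geo\Nation lookup recorded in this sandbox report. Not the report's own
# code. Event schema is an assumed Sysmon-like shape; events are constructed.
import re

SAMPLE = "4075ae09b2cad5580286fb104acdbc0bfff1168e1f49057049807af7ec11957e.exe"
TEMP_DIR = r"C:\Users\Admin\AppData\Local\Temp"

USER_TEMP = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
PROGRAMDATA_EXE = re.compile(r"^C:\\ProgramData\\[^\\]+\\[^\\]+\.exe$", re.I)
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I)

# Constructed telemetry (not real logs): PIDs and paths follow the report.
EVENTS = [
    {"ev": "process_create", "pid": 4012, "ppid": 1000,
     "image": r"C:\Windows\explorer.exe"},
    {"ev": "process_create", "pid": 3660, "ppid": 4012,
     "image": TEMP_DIR + "\\" + SAMPLE},
    {"ev": "registry_query", "pid": 3660,
     "key": r"\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000"
            r"\Control Panel\International\Geo\Nation"},
    {"ev": "file_create", "pid": 3660,
     "path": r"C:\ProgramData\Dhonvdh\ithmrdrvas.exe"},
    {"ev": "process_create", "pid": 1836, "ppid": 3660,
     "image": r"C:\ProgramData\Dhonvdh\ithmrdrvas.exe"},
    # benign noise: a vendor updater under ProgramData started by explorer,
    # which nothing in this trace wrote to disk
    {"ev": "process_create", "pid": 5100, "ppid": 4012,
     "image": r"C:\ProgramData\Vendor\updater.exe"},
]


def triage(events):
    """Return {rule_name: [hits]} for the two behaviours worth alerting on."""
    images = {}    # pid -> image path of every process seen starting
    created = {}   # lower-cased file path -> pid that wrote it
    for e in events:
        if e["ev"] == "process_create":
            images[e["pid"]] = e["image"]
        elif e["ev"] == "file_create":
            created[e["path"].lower()] = e["pid"]

    findings = {"geo_lookup_from_temp": [], "dropped_exe_executed": []}
    for e in events:
        if e["ev"] == "registry_query" and GEO_NATION.search(e["key"]):
            # plenty of legitimate software reads Geo\Nation; it is only
            # interesting when the reader itself runs from the user's Temp dir
            if USER_TEMP.match(images.get(e["pid"], "")):
                findings["geo_lookup_from_temp"].append(e["pid"])
        elif e["ev"] == "process_create" and PROGRAMDATA_EXE.match(e["image"]):
            parent_image = images.get(e["ppid"], "")
            writer = created.get(e["image"].lower())
            # require the drop-then-run link: the parent wrote the very file
            # it executes, and the parent was itself launched from Temp
            if writer == e["ppid"] and USER_TEMP.match(parent_image):
                findings["dropped_exe_executed"].append((e["ppid"], e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(f"{rule}: {hits}")
```

The Geo\Nation rule is deliberately gated on the reader's own location: the key is read by installers, browsers and Windows components, so the registry read alone is noise, and the sandbox's own "likely geofence" verdict only carries weight because the reader is an executable in Temp. The drop-and-execute rule keys on the parent having written the child's image rather than on the C:\ProgramData path alone, which is what keeps the benign updater in the constructed events from firing.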
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 9.3MB
MD5: 8930f5a56afe4a9f02c01c6c6b647da0
SHA1: b1000f35e9150d59b0849a662d35f69e67294a51
SHA256: 09aaf5e962480a6412c5523f6705489e5aee2f2bd3e42491074b903d0f5d3d3d
SHA512: 05ed5347ffd7bfd1692d7f61f1a051d9377710abdd366ef05ca399566d01cb3bb4065a0693f85ca1e5455452ce3cda2a795f73f259ba3158492f2fb62165b1dc