crimsonrat | 567b82c892f10a5cc6d0286c5777e7462cec7182eba81db7dd7de53d1e8d3274

General

Target

567b82c892f10a5cc6d0286c5777e7462cec7182eba81db7dd7de53d1e8d3274.exe
Size

267KB
MD5

f6dab5861b5907b39004712c58bbfb04
SHA1

d5e8b77806150ba31efd82e05db7e678a3f52874
SHA256

567b82c892f10a5cc6d0286c5777e7462cec7182eba81db7dd7de53d1e8d3274
SHA512

b2dfc9ee64521d25a19e2867cf3446e06bde9c65988ff3e2924d8a8eee76f4553ba0cdc9e953f848d3c6a8e96d0d57874cb0df6fc94dc2402425d4634109e16c
SSDEEP

3072:8Oym1KpUZdaR/HJaBOz2lnyHS29h5ueYQ:LymIIeHJLcGB

Score

10^/10

crimsonrat rat

Malware Config

Extracted

Family

crimsonrat

C2

209.127.16.126

Signatures

CrimsonRAT main payload 2 IoCs

Processes:

resource	yara_rule
C:\ProgramData\Hanthavra\rnthiavesa.exe	family_crimsonrat
C:\ProgramData\Hanthavra\rnthiavesa.exe	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

567b82c892f10a5cc6d0286c5777e7462cec7182eba81db7dd7de53d1e8d3274.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	567b82c892f10a5cc6d0286c5777e7462cec7182eba81db7dd7de53d1e8d3274.exe

Executes dropped EXE 1 IoCs

Processes:

rnthiavesa.exe

pid process

5040 rnthiavesa.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
5040	rnthiavesa.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

567b82c892f10a5cc6d0286c5777e7462cec7182eba81db7dd7de53d1e8d3274.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	567b82c892f10a5cc6d0286c5777e7462cec7182eba81db7dd7de53d1e8d3274.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3260 WINWORD.EXE
3260 WINWORD.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

WINWORD.EXE

pid	process
3260	WINWORD.EXE
3260	WINWORD.EXE
3260	WINWORD.EXE
3260	WINWORD.EXE
3260	WINWORD.EXE
3260	WINWORD.EXE
3260	WINWORD.EXE
3260	WINWORD.EXE
3260	WINWORD.EXE
3260	WINWORD.EXE
3260	WINWORD.EXE
3260	WINWORD.EXE
3260	WINWORD.EXE
3260	WINWORD.EXE
3260	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

567b82c892f10a5cc6d0286c5777e7462cec7182eba81db7dd7de53d1e8d3274.exe

description	pid	process	target process
PID 5100 wrote to memory of 3260	5100	567b82c892f10a5cc6d0286c5777e7462cec7182eba81db7dd7de53d1e8d3274.exe	WINWORD.EXE
PID 5100 wrote to memory of 3260	5100	567b82c892f10a5cc6d0286c5777e7462cec7182eba81db7dd7de53d1e8d3274.exe	WINWORD.EXE
PID 5100 wrote to memory of 5040	5100	567b82c892f10a5cc6d0286c5777e7462cec7182eba81db7dd7de53d1e8d3274.exe	rnthiavesa.exe
PID 5100 wrote to memory of 5040	5100	567b82c892f10a5cc6d0286c5777e7462cec7182eba81db7dd7de53d1e8d3274.exe	rnthiavesa.exe

C:\Users\Admin\AppData\Local\Temp\567b82c892f10a5cc6d0286c5777e7462cec7182eba81db7dd7de53d1e8d3274.exe
"C:\Users\Admin\AppData\Local\Temp\567b82c892f10a5cc6d0286c5777e7462cec7182eba81db7dd7de53d1e8d3274.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\567b82c892f10a5cc6d0286c5777e7462cec7182eba81db7dd7de53d1e8d3274-03-.docx" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3260
- C:\ProgramData\Hanthavra\rnthiavesa.exe
  "C:\ProgramData\Hanthavra\rnthiavesa.exe"
  2⤵
  - Executes dropped EXE
  PID:5040

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hanthavra\rnthiavesa.exe

Filesize
9.6MB

MD5
93e588df26c62a47d3564e58ec988368

SHA1
fcd11555531f636245d4c03f151dceb62ba72f6e

SHA256
6cecd33e717c607ce578942e35c020d7571a7db67ce9270f9dcff30018a666cc

SHA512
0f1f527eed767036dd6323fb5bfbf3e83fc7c2ef842c6d297742d536f8b1ae5b0b54a8ef83fe26f42916656feb0752badb6a39e63067a7dc6fe3e0797738a8ef

Download Submit
C:\ProgramData\Hanthavra\rnthiavesa.exe

Filesize
9.6MB

MD5
93e588df26c62a47d3564e58ec988368

SHA1
fcd11555531f636245d4c03f151dceb62ba72f6e

SHA256
6cecd33e717c607ce578942e35c020d7571a7db67ce9270f9dcff30018a666cc

SHA512
0f1f527eed767036dd6323fb5bfbf3e83fc7c2ef842c6d297742d536f8b1ae5b0b54a8ef83fe26f42916656feb0752badb6a39e63067a7dc6fe3e0797738a8ef

Download Submit
C:\Users\Admin\Documents\567b82c892f10a5cc6d0286c5777e7462cec7182eba81db7dd7de53d1e8d3274-03-.docx

Filesize
46KB

MD5
807aabe62a6ad47fe7eb5a25cdba1389

SHA1
a15f84ddf02e78767a0b04309ce218d25ac6bf54

SHA256
28952c0d58009a01c8f0b68b88f9a0945cfc8d7b2a5bd7a428dad0eab9fb97c8

SHA512
4c674d0eddf5ceda71fddfa529723bc6aed0b4113e36d5864ca0e21bd45ce9e8f2de0ada9421a64efbbf452d44012a326cb374c1734928eb1a3d100d919488b3

Download Submit
memory/3260-137-0x00007FFB4B6D0000-0x00007FFB4B6E0000-memory.dmp

Filesize
64KB

Download
memory/3260-133-0x0000000000000000-mapping.dmp

Download
memory/3260-152-0x00007FFB4B6D0000-0x00007FFB4B6E0000-memory.dmp

Filesize
64KB

Download
memory/3260-138-0x00007FFB4B6D0000-0x00007FFB4B6E0000-memory.dmp

Filesize
64KB

Download
memory/3260-139-0x00007FFB49200000-0x00007FFB49210000-memory.dmp

Filesize
64KB

Download
memory/3260-140-0x00007FFB49200000-0x00007FFB49210000-memory.dmp

Filesize
64KB

Download
memory/3260-151-0x00007FFB4B6D0000-0x00007FFB4B6E0000-memory.dmp

Filesize
64KB

Download
memory/3260-135-0x00007FFB4B6D0000-0x00007FFB4B6E0000-memory.dmp

Filesize
64KB

Download
memory/3260-134-0x00007FFB4B6D0000-0x00007FFB4B6E0000-memory.dmp

Filesize
64KB

Download
memory/3260-136-0x00007FFB4B6D0000-0x00007FFB4B6E0000-memory.dmp

Filesize
64KB

Download
memory/3260-150-0x00007FFB4B6D0000-0x00007FFB4B6E0000-memory.dmp

Filesize
64KB

Download
memory/3260-149-0x00007FFB4B6D0000-0x00007FFB4B6E0000-memory.dmp

Filesize
64KB

Download
memory/5040-147-0x00007FFB5DAB0000-0x00007FFB5E571000-memory.dmp

Filesize
10.8MB

Download
memory/5040-146-0x00007FFB5DAB0000-0x00007FFB5E571000-memory.dmp

Filesize
10.8MB

Download
memory/5040-145-0x00000213B91B0000-0x00000213B9B5A000-memory.dmp

Filesize
9.7MB

Download
memory/5040-141-0x0000000000000000-mapping.dmp

Download
memory/5100-132-0x00007FFB6B0D0000-0x00007FFB6BB06000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads