crimsonrat | f77205a9238a123b74b764be6e2132777e1f3eda9c515f31219387c45629e3ea

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2023 07:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f77205a9238a123b74b764be6e2132777e1f3eda9c515f31219387c45629e3ea.docm
Size

129KB
MD5

d6cf93b031f2e3b8758c41f5ce665a1f
SHA1

dd3040f2b246bf729de40573721442d8efd4e070
SHA256

f77205a9238a123b74b764be6e2132777e1f3eda9c515f31219387c45629e3ea
SHA512

1e118d5bf9c18286c7005670d3212f042d32e18004d7e5b7840380490df2fe73e3e59dcabbd6cf90e1d95357e548a3f3aee05cff895af93415e0bc69e00d3680
SSDEEP

3072:FyZLYyIKIfKTzY+J4WRyasXGcSOv+zb4coB168mOKIGuH+dyRwKyR7Ep:FMLNWK/Y24WK2cbv+ol03K+qwHY

Score

10^/10

crimsonrat rat

Malware Config

Extracted

Family

crimsonrat

172.245.80.12

Signatures

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Executes dropped EXE 1 IoCs

Processes:

jedvmtrvh.exe

pid process

2156 jedvmtrvh.exe

pid	process
2156	jedvmtrvh.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File created C:\Users\Admin\Ms Word_36\docks.zip\:Zone.Identifier:$DATA WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

2044 WINWORD.EXE
2044 WINWORD.EXE
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

WINWORD.EXE

pid process

2044 WINWORD.EXE
2044 WINWORD.EXE
2044 WINWORD.EXE
2044 WINWORD.EXE

description	ioc	process
File created	C:\Users\Admin\Ms Word_36\docks.zip\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

WINWORD.EXE

pid	process
2044	WINWORD.EXE
2044	WINWORD.EXE
2044	WINWORD.EXE
2044	WINWORD.EXE
2044	WINWORD.EXE
2044	WINWORD.EXE
2044	WINWORD.EXE
2044	WINWORD.EXE
2044	WINWORD.EXE
2044	WINWORD.EXE
2044	WINWORD.EXE
2044	WINWORD.EXE
2044	WINWORD.EXE
2044	WINWORD.EXE
2044	WINWORD.EXE
2044	WINWORD.EXE
2044	WINWORD.EXE
2044	WINWORD.EXE
2044	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 2044 wrote to memory of 2156	2044	WINWORD.EXE	jedvmtrvh.exe
PID 2044 wrote to memory of 2156	2044	WINWORD.EXE	jedvmtrvh.exe

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\f77205a9238a123b74b764be6e2132777e1f3eda9c515f31219387c45629e3ea.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\Ms Word_36\jedvmtrvh.exe
  "C:\Users\Admin\Ms Word_36\jedvmtrvh.exe"
  2⤵
  - Executes dropped EXE
  PID:2156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
347B

MD5
45e0ebd72fa99e04b89581f98e5ea45a

SHA1
69f7350266a3b2d6f44b8e0db4289ae6d291ab35

SHA256
6de115ceb9fa9bb9c1f4f825cc5872b618674ad9d92c712cfdfc066975eaadd7

SHA512
98c0c5325c76e8f77f377b6fc6c1f9a5589179d2d64e3d35e16836e35eae55e938b6fa50daf1aaadd19f408a9b3b1529cad0c1156ada6b228f6e181948450ff2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Documents\f77205a9238a123b74b764be6e2132777e1f3eda9c515f31219387c45629e3ea.docm.docx

Filesize
20KB

MD5
cd7c56daa6b18500aaff80cbe9569d67

SHA1
82152bfacfc4262eed634a46a727eb7b26dcf50b

SHA256
4f5b450af343d4405de13d65a3be4001df383dd7a82e66d36c7d18f9c93b2dbd

SHA512
c59d77260578d46baa56635caf810d82118942479c791604926ca455d71d496afe62c7e9bd53a37a929996237d54c61c0c359b1b37aa44851d6cc500ba3a1717

Download Submit
C:\Users\Admin\Ms Word_36\docks.zip

Filesize
129KB

MD5
d6cf93b031f2e3b8758c41f5ce665a1f

SHA1
dd3040f2b246bf729de40573721442d8efd4e070

SHA256
f77205a9238a123b74b764be6e2132777e1f3eda9c515f31219387c45629e3ea

SHA512
1e118d5bf9c18286c7005670d3212f042d32e18004d7e5b7840380490df2fe73e3e59dcabbd6cf90e1d95357e548a3f3aee05cff895af93415e0bc69e00d3680

Download Submit
C:\Users\Admin\Ms Word_36\docks.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Ms Word_36\jedvmtrvh.exe

Filesize
13.0MB

MD5
74f805b67565709940e952b40c8ce37c

SHA1
4a97ee5dfc22175453470f4ad5dd990e60867ea7

SHA256
86f6738c27ca4195813ec1b84d70eaad00670ae043158885cf7a68ad6ba924b1

SHA512
a5dd03e0d6a53c78ab9296f4997910713a2a3c4c883f78201a7378e3dacd0aad450668c37cdafd8543bfe28d5a77e3e51a43fbd2a51748d3d4b3c53effd436a9

Download Submit
C:\Users\Admin\Ms Word_36\jedvmtrvh.exe

Filesize
13.0MB

MD5
74f805b67565709940e952b40c8ce37c

SHA1
4a97ee5dfc22175453470f4ad5dd990e60867ea7

SHA256
86f6738c27ca4195813ec1b84d70eaad00670ae043158885cf7a68ad6ba924b1

SHA512
a5dd03e0d6a53c78ab9296f4997910713a2a3c4c883f78201a7378e3dacd0aad450668c37cdafd8543bfe28d5a77e3e51a43fbd2a51748d3d4b3c53effd436a9

Download Submit
C:\Users\Admin\Ms Word_36\jedvmtrvh.exe

Filesize
13.0MB

MD5
74f805b67565709940e952b40c8ce37c

SHA1
4a97ee5dfc22175453470f4ad5dd990e60867ea7

SHA256
86f6738c27ca4195813ec1b84d70eaad00670ae043158885cf7a68ad6ba924b1

SHA512
a5dd03e0d6a53c78ab9296f4997910713a2a3c4c883f78201a7378e3dacd0aad450668c37cdafd8543bfe28d5a77e3e51a43fbd2a51748d3d4b3c53effd436a9

Download Submit
C:\Users\Admin\Ms Word_36\word\jedvmtrvh.zip

Filesize
255KB

MD5
c7026aa76880ff7e889deaf6e2b416b1

SHA1
23c5c5d462edc2e0bc3b920dd34c1c30c793cc54

SHA256
da757853f4940996087b6755dd65eba3c9c5bdce29deebf5ded92e752ab6896c

SHA512
ee477813db63842307a8e45c00a6cd2a378feb3fa26d425703e8a3b839be365db05dd64aba47ccc709232f9f50fd87685c30ba038d0d7145a75f6241cbadc74e

Download Submit
memory/2044-139-0x00007FFAE71F0000-0x00007FFAE7200000-memory.dmp

Filesize
64KB

Download
memory/2044-138-0x00007FFAE71F0000-0x00007FFAE7200000-memory.dmp

Filesize
64KB

Download
memory/2044-137-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/2044-133-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/2044-136-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/2044-134-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/2044-135-0x00007FFAE9A50000-0x00007FFAE9A60000-memory.dmp

Filesize
64KB

Download
memory/2156-562-0x0000021B1C040000-0x0000021B1CD48000-memory.dmp

Filesize
13.0MB

Download
memory/2156-576-0x0000021B37290000-0x0000021B372A0000-memory.dmp

Filesize
64KB

Download
memory/2156-600-0x0000021B37290000-0x0000021B372A0000-memory.dmp

Filesize
64KB

Download