crimsonrat | d47528c5574e307dd79fb7c240fcc4d22397671f3eb4a1dc990b64971c588d33

General

Target

d47528c5574e307dd79fb7c240fcc4d22397671f3eb4a1dc990b64971c588d33.docm
Size

153KB
MD5

44c494a30f83f92295c8351b86a2507a
SHA1

72b49464d5ff0e6aa85fc94284ffc75a546c8c8c
SHA256

d47528c5574e307dd79fb7c240fcc4d22397671f3eb4a1dc990b64971c588d33
SHA512

7b3f4bff12267827f9da31b6a1002bc272a64de2def2109a997d69d009555bd97410625f773ed92283477e2ca1f42a71af7e3c4e943ced6b509349e868871ccc
SSDEEP

3072:F6sZMeRby4a1enUyvAGJYmjeT7rUsmI1XMjPuyXTV5Q5Cm7FTltM:F1ZMeFyLenUZGChzmI1aRXT8V5lC

Score

10^/10

crimsonrat rat

Malware Config

Extracted

Family

crimsonrat

C2

173.232.44.69

Signatures

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat

Executes dropped EXE 1 IoCs

Processes:

govate wgte.exe

pid	Process
2220	govate wgte.exe

Loads dropped DLL 1 IoCs

Processes:

WINWORD.EXE

pid	Process
2400	WINWORD.EXE

Drops file in Windows directory 1 IoCs

Processes:

WINWORD.EXE

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description	ioc	Process
File created	C:\Users\Admin\office_word_7\docksx\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid	Process
2400	WINWORD.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

WINWORD.EXE

pid	Process
2400	WINWORD.EXE
2400	WINWORD.EXE
2400	WINWORD.EXE
2400	WINWORD.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid	Process
2400	WINWORD.EXE
2400	WINWORD.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WINWORD.EXE

description	pid	Process	procid_target
PID 2400 wrote to memory of 2220	2400	WINWORD.EXE	29
PID 2400 wrote to memory of 2220	2400	WINWORD.EXE	29
PID 2400 wrote to memory of 2220	2400	WINWORD.EXE	29
PID 2400 wrote to memory of 2220	2400	WINWORD.EXE	29
PID 2400 wrote to memory of 2304	2400	WINWORD.EXE	32
PID 2400 wrote to memory of 2304	2400	WINWORD.EXE	32
PID 2400 wrote to memory of 2304	2400	WINWORD.EXE	32
PID 2400 wrote to memory of 2304	2400	WINWORD.EXE	32

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d47528c5574e307dd79fb7c240fcc4d22397671f3eb4a1dc990b64971c588d33.docm"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Users\Admin\office_word_7\govate wgte.exe
  "C:\Users\Admin\office_word_7\govate wgte.exe"
  2⤵
  - Executes dropped EXE
  PID:2220
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:2304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Documents\d47528c5574e307dd79fb7c240fcc4d22397671f3eb4a1dc990b64971c588d33.docm.docx

Filesize
56KB

MD5
a8b3b13f4499d6a17362d893fe461a56

SHA1
c0b566ed1cf4e1a03592101862a31163a6a120ca

SHA256
b78a556edf0af9a4068699654c6925480b4d53db2c46e46464e531ccee3531f9

SHA512
95b51e081a9eb77c173068eca97934568e2f0e240b5af43cf314976eb61dbbb26ac15c5e3f8b883f43263b1a5809f7d3640333cee64cfc34ad511de58284f1b4

Download Submit
C:\Users\Admin\OFFICE~1\docksx.zip

Filesize
153KB

MD5
44c494a30f83f92295c8351b86a2507a

SHA1
72b49464d5ff0e6aa85fc94284ffc75a546c8c8c

SHA256
d47528c5574e307dd79fb7c240fcc4d22397671f3eb4a1dc990b64971c588d33

SHA512
7b3f4bff12267827f9da31b6a1002bc272a64de2def2109a997d69d009555bd97410625f773ed92283477e2ca1f42a71af7e3c4e943ced6b509349e868871ccc

Download Submit
C:\Users\Admin\office_word_7\docksx.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\office_word_7\govate wgte.exe

Filesize
19.6MB

MD5
b63fd1d2717071eca5b95db0bda74f26

SHA1
65742d5f8ae4df7edf07bbf4a4040f40cb4535fd

SHA256
86eccc88dcae9d1890a43f35b1a30c63b19176f5bff371b21588ee4a7519ab56

SHA512
b2cfcef5dce12bab4a1aa9d4c0172980423a7acee3fea78b868aaec46740936375cc0fc570e22c847a2c228a7ff44cfe1bdb2b83b42346ef5c20f69b6cafe9da

Download Submit
C:\Users\Admin\office_word_7\govate wgte.exe

Filesize
19.6MB

MD5
b63fd1d2717071eca5b95db0bda74f26

SHA1
65742d5f8ae4df7edf07bbf4a4040f40cb4535fd

SHA256
86eccc88dcae9d1890a43f35b1a30c63b19176f5bff371b21588ee4a7519ab56

SHA512
b2cfcef5dce12bab4a1aa9d4c0172980423a7acee3fea78b868aaec46740936375cc0fc570e22c847a2c228a7ff44cfe1bdb2b83b42346ef5c20f69b6cafe9da

Download Submit
C:\Users\Admin\office_word_7\govate wgte.exe

Filesize
19.6MB

MD5
b63fd1d2717071eca5b95db0bda74f26

SHA1
65742d5f8ae4df7edf07bbf4a4040f40cb4535fd

SHA256
86eccc88dcae9d1890a43f35b1a30c63b19176f5bff371b21588ee4a7519ab56

SHA512
b2cfcef5dce12bab4a1aa9d4c0172980423a7acee3fea78b868aaec46740936375cc0fc570e22c847a2c228a7ff44cfe1bdb2b83b42346ef5c20f69b6cafe9da

Download Submit
C:\Users\Admin\office_word_7\word\govate wgte.zip

Filesize
307KB

MD5
fb1d84ef4d34e2f2f1e7fb3966123082

SHA1
dea875a6f98e627c18c3de62d69ee24a8082b9b2

SHA256
e01812afc5b635772b92c34dcde40131655679396f53efd14577df6b615cf7ac

SHA512
5c5f1192cbc9153c81f40b44f27299f8c2251792af9527b0547d54d76c79359d26e68c13de370e38eae1688313d77c5f02a81b0479f4bf0f423490f3844539aa

Download Submit
\Users\Admin\office_word_7\govate wgte.exe

Filesize
19.6MB

MD5
b63fd1d2717071eca5b95db0bda74f26

SHA1
65742d5f8ae4df7edf07bbf4a4040f40cb4535fd

SHA256
86eccc88dcae9d1890a43f35b1a30c63b19176f5bff371b21588ee4a7519ab56

SHA512
b2cfcef5dce12bab4a1aa9d4c0172980423a7acee3fea78b868aaec46740936375cc0fc570e22c847a2c228a7ff44cfe1bdb2b83b42346ef5c20f69b6cafe9da

Download Submit
memory/2220-414-0x00000000012A0000-0x000000000263A000-memory.dmp

Filesize
19.6MB

Download
memory/2220-413-0x00000000002D0000-0x0000000000350000-memory.dmp

Filesize
512KB

Download
memory/2220-416-0x00000000002D0000-0x0000000000350000-memory.dmp

Filesize
512KB

Download
memory/2220-444-0x00000000002D0000-0x0000000000350000-memory.dmp

Filesize
512KB

Download
memory/2220-446-0x00000000002D0000-0x0000000000350000-memory.dmp

Filesize
512KB

Download
memory/2400-64-0x0000000000200000-0x0000000000300000-memory.dmp

Filesize
1024KB

Download
memory/2400-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2400-68-0x0000000000200000-0x0000000000300000-memory.dmp

Filesize
1024KB

Download
memory/2400-67-0x0000000000200000-0x0000000000300000-memory.dmp

Filesize
1024KB

Download
memory/2400-66-0x0000000000200000-0x0000000000300000-memory.dmp

Filesize
1024KB

Download
memory/2400-65-0x0000000000200000-0x0000000000300000-memory.dmp

Filesize
1024KB

Download
memory/2400-63-0x0000000000200000-0x0000000000300000-memory.dmp

Filesize
1024KB

Download
memory/2400-108-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/2400-62-0x0000000000200000-0x0000000000300000-memory.dmp

Filesize
1024KB

Download
memory/2400-61-0x0000000000200000-0x0000000000300000-memory.dmp

Filesize
1024KB

Download
memory/2400-60-0x0000000000200000-0x0000000000300000-memory.dmp

Filesize
1024KB

Download
memory/2400-59-0x0000000000200000-0x0000000000300000-memory.dmp

Filesize
1024KB

Download
memory/2400-426-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/2400-58-0x0000000000200000-0x0000000000300000-memory.dmp

Filesize
1024KB

Download
memory/2400-57-0x0000000000200000-0x0000000000300000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads