crimsonrat | d47528c5574e307dd79fb7c240fcc4d22397671f3eb4a1dc990b64971c588d33

General

Target

d47528c5574e307dd79fb7c240fcc4d22397671f3eb4a1dc990b64971c588d33.docm
Size

153KB
MD5

44c494a30f83f92295c8351b86a2507a
SHA1

72b49464d5ff0e6aa85fc94284ffc75a546c8c8c
SHA256

d47528c5574e307dd79fb7c240fcc4d22397671f3eb4a1dc990b64971c588d33
SHA512

7b3f4bff12267827f9da31b6a1002bc272a64de2def2109a997d69d009555bd97410625f773ed92283477e2ca1f42a71af7e3c4e943ced6b509349e868871ccc
SSDEEP

3072:F6sZMeRby4a1enUyvAGJYmjeT7rUsmI1XMjPuyXTV5Q5Cm7FTltM:F1ZMeFyLenUZGChzmI1aRXT8V5lC

Score

10^/10

crimsonrat rat

Malware Config

Extracted

Family

crimsonrat

C2

173.232.44.69

Signatures

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat

Executes dropped EXE 1 IoCs

Processes:

govate wgte.exe

pid	Process
3544	govate wgte.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description	ioc	Process
File created	C:\Users\Admin\office_word_8\docksx\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid	Process
1756	WINWORD.EXE
1756	WINWORD.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

WINWORD.EXE

pid	Process
1756	WINWORD.EXE
1756	WINWORD.EXE
1756	WINWORD.EXE
1756	WINWORD.EXE

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

WINWORD.EXE

pid	Process
1756	WINWORD.EXE
1756	WINWORD.EXE
1756	WINWORD.EXE
1756	WINWORD.EXE
1756	WINWORD.EXE
1756	WINWORD.EXE
1756	WINWORD.EXE
1756	WINWORD.EXE
1756	WINWORD.EXE
1756	WINWORD.EXE
1756	WINWORD.EXE
1756	WINWORD.EXE
1756	WINWORD.EXE
1756	WINWORD.EXE
1756	WINWORD.EXE
1756	WINWORD.EXE
1756	WINWORD.EXE
1756	WINWORD.EXE
1756	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	Process	procid_target
PID 1756 wrote to memory of 3544	1756	WINWORD.EXE	85
PID 1756 wrote to memory of 3544	1756	WINWORD.EXE	85

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\d47528c5574e307dd79fb7c240fcc4d22397671f3eb4a1dc990b64971c588d33.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\office_word_8\govate wgte.exe
  "C:\Users\Admin\office_word_8\govate wgte.exe"
  2⤵
  - Executes dropped EXE
  PID:3544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
347B

MD5
f0456f47edbb6e96ff2f7e59ffd3483f

SHA1
eb9d95e855f4f7a6928ba8f73e209dc4722d54e2

SHA256
f5c8eddc3174731d0b493d64e38cc939fdc8c3d14fc48b94a07e3be94ca60c4a

SHA512
a49b1348cc03917c84641e5a3b8fab975a017b1f17733e7cea1d325dbd680db42a2f1ca42f7a602de39aa84e672387fc07a72779d8cf1f24f536e9e789cd7fa1

Download Submit
C:\Users\Admin\Documents\d47528c5574e307dd79fb7c240fcc4d22397671f3eb4a1dc990b64971c588d33.docm.docx

Filesize
56KB

MD5
a8b3b13f4499d6a17362d893fe461a56

SHA1
c0b566ed1cf4e1a03592101862a31163a6a120ca

SHA256
b78a556edf0af9a4068699654c6925480b4d53db2c46e46464e531ccee3531f9

SHA512
95b51e081a9eb77c173068eca97934568e2f0e240b5af43cf314976eb61dbbb26ac15c5e3f8b883f43263b1a5809f7d3640333cee64cfc34ad511de58284f1b4

Download Submit
C:\Users\Admin\office_word_8\docksx.zip

Filesize
153KB

MD5
44c494a30f83f92295c8351b86a2507a

SHA1
72b49464d5ff0e6aa85fc94284ffc75a546c8c8c

SHA256
d47528c5574e307dd79fb7c240fcc4d22397671f3eb4a1dc990b64971c588d33

SHA512
7b3f4bff12267827f9da31b6a1002bc272a64de2def2109a997d69d009555bd97410625f773ed92283477e2ca1f42a71af7e3c4e943ced6b509349e868871ccc

Download Submit
C:\Users\Admin\office_word_8\docksx.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\office_word_8\govate wgte.exe

Filesize
19.6MB

MD5
d72f7a7742ef69a7148981383e094ee3

SHA1
06fa3037c43d908f44c17d5f7a18a3bca7dd2590

SHA256
f0176c4de5bdac87cc1db60abf64f0736ac101548417cba6a16f7481fccf907e

SHA512
1585e73b2ce7cb83468b7522c9e294a7879e136e440a496a81d188399a7731c2119572d47ad3e6ab9cfa842f9c466ca0989d493c4689ad41b4ed34f174b87f9a

Download Submit
C:\Users\Admin\office_word_8\govate wgte.exe

Filesize
19.6MB

MD5
d72f7a7742ef69a7148981383e094ee3

SHA1
06fa3037c43d908f44c17d5f7a18a3bca7dd2590

SHA256
f0176c4de5bdac87cc1db60abf64f0736ac101548417cba6a16f7481fccf907e

SHA512
1585e73b2ce7cb83468b7522c9e294a7879e136e440a496a81d188399a7731c2119572d47ad3e6ab9cfa842f9c466ca0989d493c4689ad41b4ed34f174b87f9a

Download Submit
C:\Users\Admin\office_word_8\govate wgte.exe

Filesize
19.6MB

MD5
d72f7a7742ef69a7148981383e094ee3

SHA1
06fa3037c43d908f44c17d5f7a18a3bca7dd2590

SHA256
f0176c4de5bdac87cc1db60abf64f0736ac101548417cba6a16f7481fccf907e

SHA512
1585e73b2ce7cb83468b7522c9e294a7879e136e440a496a81d188399a7731c2119572d47ad3e6ab9cfa842f9c466ca0989d493c4689ad41b4ed34f174b87f9a

Download Submit
C:\Users\Admin\office_word_8\word\govate wgte.zip

Filesize
307KB

MD5
fb1d84ef4d34e2f2f1e7fb3966123082

SHA1
dea875a6f98e627c18c3de62d69ee24a8082b9b2

SHA256
e01812afc5b635772b92c34dcde40131655679396f53efd14577df6b615cf7ac

SHA512
5c5f1192cbc9153c81f40b44f27299f8c2251792af9527b0547d54d76c79359d26e68c13de370e38eae1688313d77c5f02a81b0479f4bf0f423490f3844539aa

Download Submit
memory/1756-139-0x00007FFA5CA30000-0x00007FFA5CA40000-memory.dmp

Filesize
64KB

Download
memory/1756-138-0x00007FFA5CA30000-0x00007FFA5CA40000-memory.dmp

Filesize
64KB

Download
memory/1756-136-0x00007FFA5EE30000-0x00007FFA5EE40000-memory.dmp

Filesize
64KB

Download
memory/1756-137-0x00007FFA5EE30000-0x00007FFA5EE40000-memory.dmp

Filesize
64KB

Download
memory/1756-133-0x00007FFA5EE30000-0x00007FFA5EE40000-memory.dmp

Filesize
64KB

Download
memory/1756-135-0x00007FFA5EE30000-0x00007FFA5EE40000-memory.dmp

Filesize
64KB

Download
memory/1756-134-0x00007FFA5EE30000-0x00007FFA5EE40000-memory.dmp

Filesize
64KB

Download
memory/3544-564-0x000001BB1CC00000-0x000001BB1DF9A000-memory.dmp

Filesize
19.6MB

Download
memory/3544-577-0x000001BB1E3B0000-0x000001BB1E3C0000-memory.dmp

Filesize
64KB

Download
memory/3544-596-0x000001BB1E3B0000-0x000001BB1E3C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads