crimsonrat | a0632cecfd478fbef1a69daae3d760041c6af2cc88965633d3837e076793cc82

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2023 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Monthly Report MAP.xlam
Size

3.4MB
MD5

41d801d96c9e27c5ca6c4678ffa2d7e2
SHA1

f8c6b5b4c520c2416bea015451cc8aca3283abe6
SHA256

a0632cecfd478fbef1a69daae3d760041c6af2cc88965633d3837e076793cc82
SHA512

58bfe64961ed881bb1489a5e298f4302d26568c770b5422aff36952514c33c91b588a000554e75581939b98185d2ca7681042e288215e8d62468f028bf8c847c
SSDEEP

98304:Wal3ZM+KyXAQ5036pRV4sWWL4lxoeF35abXerDX6:dM+Kg503C74uL4XD8qK

Score

10^/10

crimsonrat rat

Malware Config

Extracted

Family

crimsonrat

64.188.21.202

Signatures

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat

Executes dropped EXE 1 IoCs

pid	Process
3376	itugpisacrev.com

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\617\mydocs.zip\:Zone.Identifier:$DATA	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
552	EXCEL.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
552	EXCEL.EXE
552	EXCEL.EXE
552	EXCEL.EXE
552	EXCEL.EXE
552	EXCEL.EXE

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
552	EXCEL.EXE
552	EXCEL.EXE
552	EXCEL.EXE
552	EXCEL.EXE
552	EXCEL.EXE
552	EXCEL.EXE
552	EXCEL.EXE
552	EXCEL.EXE
552	EXCEL.EXE
552	EXCEL.EXE
552	EXCEL.EXE
552	EXCEL.EXE
552	EXCEL.EXE
552	EXCEL.EXE
552	EXCEL.EXE
552	EXCEL.EXE
552	EXCEL.EXE
552	EXCEL.EXE
552	EXCEL.EXE
552	EXCEL.EXE
552	EXCEL.EXE
552	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 3376	552	EXCEL.EXE	94
PID 552 wrote to memory of 3376	552	EXCEL.EXE	94
PID 552 wrote to memory of 3932	552	EXCEL.EXE	98
PID 552 wrote to memory of 3932	552	EXCEL.EXE	98

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Monthly Report MAP.xlam"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:552
- C:\Users\Admin\Downloads\617\itugpisacrev.com
  C:\Users\Admin\Downloads\617\itugpisacrev.com
  2⤵
  - Executes dropped EXE
  PID:3376
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:3932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Downloads\617\itugpisacrev.com

Filesize
22.4MB

MD5
c9c802bb6fcfa1c4922fa637a3a8dca1

SHA1
fc2a1974925addc9164e9488a5805bb9c397d5e0

SHA256
73d192b9b79df57932eb153eb5f6f8c999c9297d54768367a3ecf002950f0bae

SHA512
736e2a7a96afb7b7b081352f41da6c21a1015b11e24345e14900e8ea1de55da071cea5ed3e8e0cc80dbe51c61cdf1d5eeef35545ac5ce934dccaf61c4ee48d11

Download Submit
C:\Users\Admin\Downloads\617\itugpisacrev.com

Filesize
22.4MB

MD5
c9c802bb6fcfa1c4922fa637a3a8dca1

SHA1
fc2a1974925addc9164e9488a5805bb9c397d5e0

SHA256
73d192b9b79df57932eb153eb5f6f8c999c9297d54768367a3ecf002950f0bae

SHA512
736e2a7a96afb7b7b081352f41da6c21a1015b11e24345e14900e8ea1de55da071cea5ed3e8e0cc80dbe51c61cdf1d5eeef35545ac5ce934dccaf61c4ee48d11

Download Submit
C:\Users\Admin\Downloads\617\itugpisacrev.com

Filesize
22.4MB

MD5
c9c802bb6fcfa1c4922fa637a3a8dca1

SHA1
fc2a1974925addc9164e9488a5805bb9c397d5e0

SHA256
73d192b9b79df57932eb153eb5f6f8c999c9297d54768367a3ecf002950f0bae

SHA512
736e2a7a96afb7b7b081352f41da6c21a1015b11e24345e14900e8ea1de55da071cea5ed3e8e0cc80dbe51c61cdf1d5eeef35545ac5ce934dccaf61c4ee48d11

Download Submit
C:\Users\Admin\Downloads\617\mydocs.zip

Filesize
3.4MB

MD5
41d801d96c9e27c5ca6c4678ffa2d7e2

SHA1
f8c6b5b4c520c2416bea015451cc8aca3283abe6

SHA256
a0632cecfd478fbef1a69daae3d760041c6af2cc88965633d3837e076793cc82

SHA512
58bfe64961ed881bb1489a5e298f4302d26568c770b5422aff36952514c33c91b588a000554e75581939b98185d2ca7681042e288215e8d62468f028bf8c847c

Download Submit
C:\Users\Admin\Downloads\617\mydocs.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\617\oleObject1.zip

Filesize
3.5MB

MD5
22ec8f10e85d07c61783da6ef409b698

SHA1
0f1c60575fd3d3e78d8b8d677de32d4a3547ffec

SHA256
64c23c177bbeca04906058918c26b80b2fee7774f9ad3682bf14142c8fc32fb0

SHA512
8f53f8e29c73fbaf5867b0c55fbf57c1e3a7f1d59008a379b37f0649d7f3660d31ea4d047256dc7d728ed79ae54ebe928eed631a247ec2ae6e84f5e92b44ef70

Download Submit
C:\Users\Admin\Downloads\617\xl\embeddings\itugpisacrev.zip

Filesize
3.5MB

MD5
c01bae9b26a56b279615f4fe3ed44421

SHA1
7c4bcb10945441a46241859da769e6ff767a81b9

SHA256
eda677d25eea548857ac2cf803e652f776285418e4520dc005b4492c913ecb01

SHA512
1a90139d7d666c52f2f730d9c70df4d8735828fda17b232216b5d7bb83d0009d9fd51bd09a46c7f8a4d2051ed06ad6fca127a1438b43362988da84fed1dacaeb

Download Submit
C:\Users\Admin\Downloads\Monthly Report MAP.xlam.xlsx

Filesize
15KB

MD5
e6e7f06b649fc6df7f948d3450a7b344

SHA1
fb591934229a5ad5b1aa010d99e9f64fb7dfc9ca

SHA256
74e119c485fb71f3b5d5e64a271b8dd8299db5833612aa78400223c2064b2732

SHA512
cac4367865c55cb1c4490be6d53ea6a9de36b8360aa74e86118e353c369b4abb065174047c8c83ff7b6cb27d74f6400b51eea296a94b795bc5c9a6e5aac1c7d2

Download Submit
memory/552-16-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-468-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-10-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-11-0x00007FFF898F0000-0x00007FFF89900000-memory.dmp

Filesize
64KB

Download
memory/552-12-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-13-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-14-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-15-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-0-0x00007FFF8B950000-0x00007FFF8B960000-memory.dmp

Filesize
64KB

Download
memory/552-17-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-19-0x00007FFF898F0000-0x00007FFF89900000-memory.dmp

Filesize
64KB

Download
memory/552-20-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-18-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-21-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-22-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-40-0x000001C2C9600000-0x000001C2C9E00000-memory.dmp

Filesize
8.0MB

Download
memory/552-105-0x000001C2C9600000-0x000001C2C9E00000-memory.dmp

Filesize
8.0MB

Download
memory/552-8-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-106-0x000001C2C8250000-0x000001C2C8650000-memory.dmp

Filesize
4.0MB

Download
memory/552-7-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-6-0x00007FFF8B950000-0x00007FFF8B960000-memory.dmp

Filesize
64KB

Download
memory/552-5-0x00007FFF8B950000-0x00007FFF8B960000-memory.dmp

Filesize
64KB

Download
memory/552-4-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-2-0x00007FFF8B950000-0x00007FFF8B960000-memory.dmp

Filesize
64KB

Download
memory/552-3-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-513-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-511-0x000001C2C7C40000-0x000001C2C7C82000-memory.dmp

Filesize
264KB

Download
memory/552-509-0x00007FFF8B950000-0x00007FFF8B960000-memory.dmp

Filesize
64KB

Download
memory/552-1-0x00007FFF8B950000-0x00007FFF8B960000-memory.dmp

Filesize
64KB

Download
memory/552-453-0x000001C2CC180000-0x000001C2CD150000-memory.dmp

Filesize
15.8MB

Download
memory/552-510-0x00007FFF8B950000-0x00007FFF8B960000-memory.dmp

Filesize
64KB

Download
memory/552-508-0x00007FFF8B950000-0x00007FFF8B960000-memory.dmp

Filesize
64KB

Download
memory/552-458-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-461-0x000001C2C7C40000-0x000001C2C7C82000-memory.dmp

Filesize
264KB

Download
memory/552-462-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-463-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-464-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-465-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-466-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-467-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-9-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-469-0x00007FFFCB8D0000-0x00007FFFCBAC5000-memory.dmp

Filesize
2.0MB

Download
memory/552-470-0x000001C2C9600000-0x000001C2C9E00000-memory.dmp

Filesize
8.0MB

Download
memory/552-471-0x000001C2C9600000-0x000001C2C9E00000-memory.dmp

Filesize
8.0MB

Download
memory/552-472-0x000001C2C8250000-0x000001C2C8650000-memory.dmp

Filesize
4.0MB

Download
memory/552-507-0x00007FFF8B950000-0x00007FFF8B960000-memory.dmp

Filesize
64KB

Download
memory/552-479-0x000001C2CC180000-0x000001C2CD150000-memory.dmp

Filesize
15.8MB

Download
memory/3376-477-0x0000025D843A0000-0x0000025D843B0000-memory.dmp

Filesize
64KB

Download
memory/3376-480-0x0000025D843A0000-0x0000025D843B0000-memory.dmp

Filesize
64KB

Download
memory/3376-481-0x0000025D843A0000-0x0000025D843B0000-memory.dmp

Filesize
64KB

Download
memory/3376-476-0x00007FFF9F600000-0x00007FFFA00C1000-memory.dmp

Filesize
10.8MB

Download
memory/3376-457-0x0000025D843A0000-0x0000025D843B0000-memory.dmp

Filesize
64KB

Download
memory/3376-456-0x0000025D843A0000-0x0000025D843B0000-memory.dmp

Filesize
64KB

Download
memory/3376-435-0x0000025D843A0000-0x0000025D843B0000-memory.dmp

Filesize
64KB

Download
memory/3376-434-0x0000025D828F0000-0x0000025D83F68000-memory.dmp

Filesize
22.5MB

Download
memory/3376-433-0x00007FFF9F600000-0x00007FFFA00C1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads