crimsonrat | be8ad3c1c5d51fb5d29815a1b589f821ccb079649e4921c5925393c5a71b4540

General

Target

2866daf2b59d9c34c891838c6bc10fb9.exe
Size

102KB
MD5

2866daf2b59d9c34c891838c6bc10fb9
SHA1

40ed0748dd9302a36ad6ea579f9ebffa2bacd7c4
SHA256

be8ad3c1c5d51fb5d29815a1b589f821ccb079649e4921c5925393c5a71b4540
SHA512

6a8325d07798d5475ef22d11a37a43105e006f0e88d1176e8e61cce5e8ab4c2f9a4f3c1c824839bf4f817d1f2fa22940ec0756f5da394ba63705f66f1f182616
SSDEEP

3072:iYcdZ28O5VIUUtxESoGxdHdyg2I/0nr1oEi:VEZcPIUkxESNYW

Score

10^/10

crimsonrat persistence rat

Malware Config

Extracted

Family

crimsonrat

C2

167.160.166.80

Signatures

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat

Executes dropped EXE 1 IoCs

Processes:

trbgertrnion.exe

pid	Process
2232	trbgertrnion.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

trbgertrnion.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\vttbaelarvir = "C:\\ProgramData\\Hithviwia\\trbgertrnion.exe"	trbgertrnion.exe

Drops file in Program Files directory 2 IoCs

Processes:

2866daf2b59d9c34c891838c6bc10fb9.exe

description	ioc	Process
File created	C:\PROGRA~3\HITHVI~1\trbgertrnion.exe	2866daf2b59d9c34c891838c6bc10fb9.exe
File opened for modification	C:\PROGRA~3\HITHVI~1\trbgertrnion.exe	2866daf2b59d9c34c891838c6bc10fb9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

2866daf2b59d9c34c891838c6bc10fb9.exe

description	pid	Process	procid_target
PID 2912 wrote to memory of 2232	2912	2866daf2b59d9c34c891838c6bc10fb9.exe	28
PID 2912 wrote to memory of 2232	2912	2866daf2b59d9c34c891838c6bc10fb9.exe	28
PID 2912 wrote to memory of 2232	2912	2866daf2b59d9c34c891838c6bc10fb9.exe	28

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2866daf2b59d9c34c891838c6bc10fb9.exe
"C:\Users\Admin\AppData\Local\Temp\2866daf2b59d9c34c891838c6bc10fb9.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2912
- C:\ProgramData\Hithviwia\trbgertrnion.exe
  "C:\ProgramData\Hithviwia\trbgertrnion.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\HITHVI~1\TRBGER~1.ZIP

Filesize
63KB

MD5
334547ca973dcdcc6f38f9f91e42ba38

SHA1
74745a8416c0d764cfcd51b6ae0c85e5a5eeedaf

SHA256
e723131d2e9b2f1a9582f25e143af2716272ee4b04d252e5b825b76aa875ba53

SHA512
09c928b88a9f95d224ce4b0fcac7e88b30d3373751b340b8b19df5a91530041439412f510d4766959df662b7bf616fde6fe015c6725bdda9c6c397b518478f99

Download Submit
C:\ProgramData\Hithviwia\trbgertrnion.exe

Filesize
5.8MB

MD5
89169435194156207992708ec7c85076

SHA1
32ea501c4fc535b832fa335e0958538690f48a2d

SHA256
791a53c28a7e07f7f8dd86f930a8f9a2d35a9a14f9ef601800702682ab63f87c

SHA512
b962662f4325510cf000defc42040e8549f70d067f0a4131c8014d88bcdb2e64c0a30756c39d602b50b2d73bd818fb58c0e3c9a03613b14805812b07eda31b98

Download Submit
C:\ProgramData\Hithviwia\trbgertrnion.exe

Filesize
6.3MB

MD5
506ab7895138a334a0eba2f741b3fcbe

SHA1
8668eb1743c64b6fa47fbb8371b604281eff9adc

SHA256
ba31aef36d65bccdb71a6b39ad38ffa2fa29422be64d89b0ea5054ed4cfba6d7

SHA512
94b8aea9daa15d1dbdd3da21ab3d38d8d48342855be8052d39c945a5fc633990a5c42859f927f0d4a1a510b4cd5dca86a956961f3cbe5bc2736799ea8bb15556

Download Submit
C:\ProgramData\Hithviwia\trbgertrnion.exe

Filesize
7.1MB

MD5
0b670133df2671ff6c8534ee6f20339d

SHA1
5d3fc9256eb19d6998f3628e4c7f3461c28bac20

SHA256
51938e935c384da82e7831cbd9a881f9eec7e9c7f11e6824e26359f85ede4221

SHA512
ce48f3dd1c85606784568eff31286f65fc96c0dc1160451ce47b2d6906778139b19200c5fa468bec31b0efaa13de3f3aa15549eab4d552917d5950781922fb0c

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\TEMPLA~1\data.zip

Filesize
65KB

MD5
58bb8eac1f3b88d703f72c182c12ffe1

SHA1
6abd5a836d400edccadedff2878f7f3a581d5c6d

SHA256
7769437bbe55ff4f377ade33472c67dba2527c82c830bb2e41a2512f1c906913

SHA512
33e1a4b47e0321acd6f8a60f105cf905bf6be52ba995be17b89053f1dba71f87d1d176b969d64556f469a389575955d48414be6b4015178633150d6c05cedb43

Download Submit
memory/2232-61-0x000007FEED750000-0x000007FEEE0ED000-memory.dmp

Filesize
9.6MB

Download
memory/2232-62-0x0000000000B20000-0x0000000000BA0000-memory.dmp

Filesize
512KB

Download
memory/2232-63-0x000007FEED750000-0x000007FEEE0ED000-memory.dmp

Filesize
9.6MB

Download
memory/2232-64-0x0000000000B20000-0x0000000000BA0000-memory.dmp

Filesize
512KB

Download
memory/2232-66-0x000007FEED750000-0x000007FEEE0ED000-memory.dmp

Filesize
9.6MB

Download
memory/2232-67-0x0000000000B20000-0x0000000000BA0000-memory.dmp

Filesize
512KB

Download
memory/2232-68-0x0000000000B20000-0x0000000000BA0000-memory.dmp

Filesize
512KB

Download
memory/2912-2-0x000000001B0F0000-0x000000001B170000-memory.dmp

Filesize
512KB

Download
memory/2912-1-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download
memory/2912-0-0x0000000000F00000-0x0000000000F22000-memory.dmp

Filesize
136KB

Download
memory/2912-65-0x000007FEF5B70000-0x000007FEF655C000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads