crimsonrat | c59b2d6a70bc5b84998aebb2d21241a8adef33724838e92db4dee36a1ce46f43

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Recommendation for the award of President's.docm
Size

15.9MB
MD5

a21c2b37effe3195665ec5597afa329f
SHA1

d764529d82a015204d9ab3fe414c0da5b9829d9a
SHA256

c59b2d6a70bc5b84998aebb2d21241a8adef33724838e92db4dee36a1ce46f43
SHA512

ed6be97c243c677649c395a0a4016bae40719493425265b0541a9d0fdae395e8c0325104003b582925c5a4fabf6b1050d8dc72d7cabfe1d6e00c0f9e03c96978
SSDEEP

393216:Xrh68BRtZSZlpwMkbt6xFczuZQ5x2hYUiF9:Xrw+aKMkMozuOD209

Score

10^/10

crimsonrat rat

Malware Config

Extracted

Family

crimsonrat

164.68.122.64

Signatures

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Executes dropped EXE 1 IoCs

Processes:

itmvroidovss.scr

pid process

3944 itmvroidovss.scr

pid	process
3944	itmvroidovss.scr

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

NTFS ADS 1 IoCs

Processes:

WINWORD.EXE

description ioc process

File created C:\Users\Admin\Downloads\191646\msdocks.zip\:Zone.Identifier:$DATA WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

4552 WINWORD.EXE
4552 WINWORD.EXE
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

WINWORD.EXE

pid process

4552 WINWORD.EXE
4552 WINWORD.EXE
4552 WINWORD.EXE
4552 WINWORD.EXE

description	ioc	process
File created	C:\Users\Admin\Downloads\191646\msdocks.zip\:Zone.Identifier:$DATA	WINWORD.EXE

Suspicious use of SetWindowsHookEx 19 IoCs

Processes:

WINWORD.EXE

pid	process
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE
4552	WINWORD.EXE

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WINWORD.EXE

description	pid	process	target process
PID 4552 wrote to memory of 3944	4552	WINWORD.EXE	itmvroidovss.scr
PID 4552 wrote to memory of 3944	4552	WINWORD.EXE	itmvroidovss.scr

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Recommendation for the award of President's.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4552
- C:\Users\Admin\Downloads\itmvroidovss.scr
  "C:\Users\Admin\Downloads\itmvroidovss.scr" "
  2⤵
  - Executes dropped EXE
  PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
225B

MD5
cb49dff8347a78a8b8cf518abff02b8e

SHA1
6dc1e77cf5b7b2294e67c9beb480d89a43f99a46

SHA256
da04141fb2aae345a9175b35e81b19313317f3843a143d8ea9094a3889d3b275

SHA512
465b578074609af996a8c67b381a31d05ce3f4f711e6fe78a8c583235df9e8264f4bbb3ee02a6f3f02fe9407112cc1e4ce649e8cc87a229eb51e391002240296

Download Submit
C:\Users\Admin\Downloads\191646\image1.zip

Filesize
199KB

MD5
61fd99b4e4dc0d6c3c354ea95d3ae857

SHA1
3a103703b8429bc8b59ee1e7ab780fc73e9bb327

SHA256
22520b3af49c385d833893f36e734e954dcff04953e8624efc6d43b35b23b2e5

SHA512
9cc766fd8f1b1edfdfe57b52a102640b4f630de6263d605d41e5461418f42e947af02cd7edc109106e8b49780f5e448891653389519e5621dc2e48ce879800da

Download Submit
C:\Users\Admin\Downloads\191646\msdocks.zip

Filesize
56KB

MD5
565dcda0a3cd2ed31304f7f24eade77d

SHA1
53cf01fc4dd92eda09ef4bd1f4e825eb394a7d4d

SHA256
35b115d5720a31a31bb236330cfac96ddb11abae2acf4af85f70cb1e97c2063a

SHA512
54a32310f0a6a2617e92e09cb121149fec7aec3f04bf2bcaa42e78b3751552d3f116eed7259541219f82d03c814021ae7e7b70561f91c1f67666d888212720b5

Download Submit
C:\Users\Admin\Downloads\191646\msdocks.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\191646\word\image1.zip

Filesize
260KB

MD5
006d037633a18338908549d89bb32522

SHA1
f2980cf7cb608da7564b87886dbd26cd2b61cd3c

SHA256
00af214c03d06b0ed825d2d639041e49b5499b768faf0a84009f395e8fc6ceff

SHA512
8bca66b7a0304451eed6d268cbfca0fdc65fc59bfb81c7b5f0b088130a0969bbcca435a10623fa21d359f89eedae0099c99bf8f1ac64e3b34d4e7814770b501a

Download Submit
C:\Users\Admin\Downloads\191646\word\media\WorkBook.docx

Filesize
212KB

MD5
fea765b8debbeff519f82dc7ee13f962

SHA1
1e030ed8dd5b82431701e87a04c694c15af1539c

SHA256
82db3b2d6723edb41f86eb85fe769ac6259abf224c8165fc07a7f72028229c94

SHA512
45b8a51c7980a0540e2f543f8a19cfc50f0d66017765b2b9bf79566d80f3af973b66e0a7e26b1af19d60dc8af0cfdc61e508d6e20989a84c54ed068a1b0e173c

Download Submit
C:\Users\Admin\Downloads\191646\word\media\image1.zip

Filesize
273KB

MD5
af422d571e784805f032125ff10a632e

SHA1
619847d785b7ce34abaed6270da682a7318fa882

SHA256
0e54a3ee90e3e353faf2292f08512cb82714ffd94f77ec989d689b81d33c337d

SHA512
19d90044709fd56477836fea1a626d31fee77bedce9cc706d3a63484c4915d785f84c5488fad6c15a75d689ed575d721757a6569a4455796ed6557999738f706

Download Submit
C:\Users\Admin\Downloads\itmvroidovss.scr

Filesize
218KB

MD5
1eccd52cac697f2c3bc67b0c09978049

SHA1
116b82f64dc68e146aa636c8605b5b61682b0684

SHA256
f51aa355ecbf9148af65b421196fbc088101743c9a2b5afdb7f3900a26da13a7

SHA512
50a81146d64bc3f8f8a47ac25dcd2469bf4ced2782e8e35fd3f09793315377febbdf6cf8c4844e20a79240ecd3ade303baea52601a3885337d4739fbccb621d8

Download Submit
C:\Users\Admin\Downloads\itmvroidovss.scr

Filesize
180KB

MD5
90d96d5babe657f4940bc35d7536e7de

SHA1
01dc1a02f41e7882471257906920e8b2600ad209

SHA256
29fb475d705c8af424dd7a86683407a073086c72ead7255723d0b0633fc3352a

SHA512
a1e36a60095cc9ddb765ca305337790b85883fd2f0d060790015a11d84056c8156e34bb10272371f2f831d86e8793663623d0723e1031771cd30a9afb2ba38e3

Download Submit
C:\Users\Admin\Downloads\itmvroidovss.scr

Filesize
279KB

MD5
08ac9e930bd6cb6f66127b1334c7c493

SHA1
51c77410c38a56c37546d96c5c4af03b6d613665

SHA256
5f56163b2c48976027966fb0b2235ed6453ceceac17aca9d2cd6c07349e82fab

SHA512
3e76959b9c9d6c4bf6aad5ae35f87a4beecab25d1c2a6b8e9dc1fd83af2308384db87725988d06eaf5778deb1f3ca0eb0b1c005282ff7105fbb6d6c407ab2807

Download Submit
memory/3944-482-0x000001A76F650000-0x000001A770900000-memory.dmp

Filesize
18.7MB

Download
memory/3944-481-0x00007FFAA2410000-0x00007FFAA2ED1000-memory.dmp

Filesize
10.8MB

Download
memory/3944-483-0x000001A772F50000-0x000001A772F60000-memory.dmp

Filesize
64KB

Download
memory/3944-521-0x00007FFAA2410000-0x00007FFAA2ED1000-memory.dmp

Filesize
10.8MB

Download
memory/3944-522-0x000001A772F50000-0x000001A772F60000-memory.dmp

Filesize
64KB

Download
memory/4552-22-0x00007FFA8F210000-0x00007FFA8F220000-memory.dmp

Filesize
64KB

Download
memory/4552-20-0x00007FFAD1670000-0x00007FFAD1865000-memory.dmp

Filesize
2.0MB

Download
memory/4552-12-0x00007FFAD1670000-0x00007FFAD1865000-memory.dmp

Filesize
2.0MB

Download
memory/4552-11-0x00007FFAD1670000-0x00007FFAD1865000-memory.dmp

Filesize
2.0MB

Download
memory/4552-10-0x00007FFAD1670000-0x00007FFAD1865000-memory.dmp

Filesize
2.0MB

Download
memory/4552-8-0x00007FFA916F0000-0x00007FFA91700000-memory.dmp

Filesize
64KB

Download
memory/4552-6-0x00007FFA916F0000-0x00007FFA91700000-memory.dmp

Filesize
64KB

Download
memory/4552-7-0x00007FFAD1670000-0x00007FFAD1865000-memory.dmp

Filesize
2.0MB

Download
memory/4552-46-0x000001C5EF840000-0x000001C5F0810000-memory.dmp

Filesize
15.8MB

Download
memory/4552-15-0x00007FFAD1670000-0x00007FFAD1865000-memory.dmp

Filesize
2.0MB

Download
memory/4552-17-0x00007FFA8F210000-0x00007FFA8F220000-memory.dmp

Filesize
64KB

Download
memory/4552-18-0x00007FFAD1670000-0x00007FFAD1865000-memory.dmp

Filesize
2.0MB

Download
memory/4552-19-0x00007FFAD1670000-0x00007FFAD1865000-memory.dmp

Filesize
2.0MB

Download
memory/4552-14-0x00007FFAD1670000-0x00007FFAD1865000-memory.dmp

Filesize
2.0MB

Download
memory/4552-0-0x00007FFA916F0000-0x00007FFA91700000-memory.dmp

Filesize
64KB

Download
memory/4552-21-0x00007FFAD1670000-0x00007FFAD1865000-memory.dmp

Filesize
2.0MB

Download
memory/4552-16-0x00007FFAD1670000-0x00007FFAD1865000-memory.dmp

Filesize
2.0MB

Download
memory/4552-13-0x00007FFAD1670000-0x00007FFAD1865000-memory.dmp

Filesize
2.0MB

Download
memory/4552-9-0x00007FFAD1670000-0x00007FFAD1865000-memory.dmp

Filesize
2.0MB

Download
memory/4552-4-0x00007FFA916F0000-0x00007FFA91700000-memory.dmp

Filesize
64KB

Download
memory/4552-5-0x00007FFAD1670000-0x00007FFAD1865000-memory.dmp

Filesize
2.0MB

Download
memory/4552-2-0x00007FFA916F0000-0x00007FFA91700000-memory.dmp

Filesize
64KB

Download
memory/4552-517-0x00007FFAD1670000-0x00007FFAD1865000-memory.dmp

Filesize
2.0MB

Download
memory/4552-518-0x00007FFAD1670000-0x00007FFAD1865000-memory.dmp

Filesize
2.0MB

Download
memory/4552-519-0x00007FFAD1670000-0x00007FFAD1865000-memory.dmp

Filesize
2.0MB

Download
memory/4552-520-0x000001C5EF840000-0x000001C5F0810000-memory.dmp

Filesize
15.8MB

Download
memory/4552-3-0x00007FFAD1670000-0x00007FFAD1865000-memory.dmp

Filesize
2.0MB

Download
memory/4552-1-0x00007FFAD1670000-0x00007FFAD1865000-memory.dmp

Filesize
2.0MB

Download