General

  • Target

    ggpermV3.rar

  • Size

    1.0MB

  • Sample

    240220-wdsfxsce81

  • MD5

    40a7d7917377f32f7ac5a77548176336

  • SHA1

    d645f5b4525551117436c1f1aa81aaa8a6c1e93a

  • SHA256

    b6e0e05dfc876baa96c0e6b1b9de9dd7a16ed070106f53fa1daf26e10ed07040

  • SHA512

    8dc5d339b498abf6a531aae97e93ef09ff9a263aaa306de8a798dd124a75e060f5bc11d0338f0b48322e6da0688afee43caecf0d38f87e47deb8aec6861e5b27

  • SSDEEP

    24576:m/G2XKhjKyYGPZmm2aY8KJsApnMwUjKBv/2:mdKQyYGxKaY8KqwH2

Malware Config

Extracted

Family

crimsonrat

C2

185.136.161.124

Targets

    • Target

      ggpermV3/AMIDEWINx64.EXE

    • Size

      453KB

    • MD5

      6a6505b2413d2c7b16c6d059448db9e5

    • SHA1

      dfe6c6b6051c26326a12dc9d0d5701cb4728266c

    • SHA256

      53e3b72f8eb13acf3cb69d4cb124e8dc64fc541555c3c95cc8003b8046853955

    • SHA512

      1c0531581f0efe683ab763f6633ace60f0637b22830e7ec551babe19ac777a1a6821dc568bce13a8abee8bfef1c7d9397e0bee1c78c00810c65dadd788dab2a3

    • SSDEEP

      6144:JIeh4+TOKGuTSuXCJ6AtCoZPhGL/TnJ+z5rsxQhsCI9t/tk7MP:jpPTxXihA+zBhsC2Z

    • Score

      1/10

    • Target

      ggpermV3/Final_Cleaner.bat

    • Size

      107KB

    • MD5

      98f1a0eebcb5f4798662a40323b05a7e

    • SHA1

      068e288005c04b8d859c44d3767613a8036bdb11

    • SHA256

      00023ce602db623e47de1029595339eec4ee5019c6017236c9b721cac0ae4032

    • SHA512

      6cfda16ce56b1173b91bd86c0f977f022a0b01a77142a15f66d865ee3f00ffee6aa2df7571edcccac41f7d680a9c4c536991abd91e86a00b083b8f9f37a39cf7

    • SSDEEP

      768:S/KZzmezF/svUsfg8gVhCBL1oPYdxCA1n5xpoL8oPlRPrPEPupL5LvLpLjLgwJyo:Kg8gUDRnvplQL5LvLpLjLnn

    • Target

      ggpermV3/LAUNCHTHIS.exe

    • Size

      62KB

    • MD5

      eac37455baace3357722d2bc5cf40be9

    • SHA1

      bfbb2b0f876a0784e5a0d78b7981b27254c0a766

    • SHA256

      e333b29fa06d2138c9a4c634fde1fe4212bd2a027c0175008001c8af60d34053

    • SHA512

      78065623e0bafa450e49c91b700da3a31536033d005a6d20126cc886bc1075788a4e5d5f7b689b47c4eea01f58f797e696f06038dd967b6143d07204048ad067

    • SSDEEP

      1536:eh4f8xsBb7KAMFYieXfRc/onjx6FXs+ceAP5w:bBbnRJfROqwFcZbP5w

    • Score

      10/10

    • CrimsonRAT main payload

    • CrimsonRat

      Crimson RAT is malware attributed to a Pakistan-linked threat actor.

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      ggpermV3/Newtonsoft.Json.dll

    • Size

      695KB

    • MD5

      195ffb7167db3219b217c4fd439eedd6

    • SHA1

      1e76e6099570ede620b76ed47cf8d03a936d49f8

    • SHA256

      e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

    • SHA512

      56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

    • SSDEEP

      12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/

    • Score

      1/10

    • Target

      ggpermV3/Siticone.UI.dll

    • Size

      1.3MB

    • MD5

      750c58af2e56b6addecffcf152520ab8

    • SHA1

      14995e7f1d12498606d9d209d78d55fe6fd87802

    • SHA256

      27c56a28cbde094157206da1bfcd7a395111ab97b8a5ff600b11c2175dcefb26

    • SHA512

      2179790e23f61b3dfea828457f8609279c70b1e071cddc73b1dbda02caa664e0aae2553fc24a4956f9e89c477d66b1a704bde26fa23bc6db26c19e18db00abb5

    • SSDEEP

      24576:QVMCtIZJntOFmMlMqPilaiS4Yr6ugPngPfjv9tLF2cH8gb:u8NlaVeuHFb

    • Score

      1/10

    • Target

      ggpermV3/Trinity Cleaner.exe

    • Size

      752KB

    • MD5

      5ff39c44ff3eaf7798bffa670fb4b600

    • SHA1

      cd22cc93964fdeb470460642c44fd4ce31f3bf1e

    • SHA256

      fd5d49ac3a9a4130261f43ef6e6c9c6a4a317e7ba421f88e22e0fbe96fd45429

    • SHA512

      6ec8f1e38d78a773f8b0764f7aa5d8902c8c556a2583bdf62b6485e093c8a193b5965e3d908abe60d80b0fc690e2def7721aa896f14f6e77c80f72aa11fa3878

    • SSDEEP

      12288:FBTyBtZmiNYQtIFc5oiJfJulj1CBMeIFjKuQdGhSaApNrWSvUghmjpoVb3/k2JP:eBtZicIFc5oiJfJulj1CBMeIFjKuQdGP

    • Deletes NTFS Change Journal

      The USN change journal is a persistent log, used by Windows Server systems, of all changes made to local files.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies Windows Firewall

    • Stops running service(s)

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, among other data.

    • Target

      ggpermV3/amifldrv64.sys

    • Size

      18KB

    • MD5

      785045f8b25cd2e937ddc6b09debe01a

    • SHA1

      029c678674f482ababe8bbfdb93152392457109d

    • SHA256

      37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba

    • SHA512

      40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

    • SSDEEP

      384:Cf8OVN6UDYm+b10HMHd6xhxuGZBBfSZsHLPK6jz/cf:CffV8KApCMMxDuIPKgwf

    • Score

      1/10

    • Target

      ggpermV3/macchanger.bat

    • Size

      2KB

    • MD5

      c0b8d81370dd4defc9317dc6c204d581

    • SHA1

      fa2b6a292c398d2a2febbdddcf39a62ffbb6fb23

    • SHA256

      4d8d40a7e435fc815d088d7309a6bece3a9d798b4fb8170ca3d9c4c7c8c6784f

    • SHA512

      271552179a651414d8b321017a8675a1cd09ac83394cc014453d28f1837b60db657b1d75362af71d075b1f4e33ac5eedf6556a43709589a6159c4d0ef2d00828

    • Score

      1/10

    • Target

      ggpermV3/sxghr-driver.dll

    • Size

      5KB

    • MD5

      7941cb95d1182b91c1128ecaa566f22c

    • SHA1

      cf2e82d486ec7364515e34561ac2e1b5c457b8c5

    • SHA256

      70d8f0ce3cb2651052a628564e2ce0d715822fad141273c65892cd5515bc7741

    • SHA512

      89b9f7ed06a562a84f98c51541fa98661222be1b3deb638c3b83aa44150749b668c9e2f1b74d8f5010ea1085d3e64f8e1257e32b5a33dcb08eb182ddc58721d7

    • SSDEEP

      48:6Ksdk+U/8KC01Jf/pujgRPVTlMdSHj+cFRKwZaQ7KcmFxeJ6+XtXKXBlagc1w7lQ:L0jgV4da++RKwZaAKzFWTsGa80pzNt

    • Score

      1/10

    • Target

      ggpermV3/sxghr-driver.exe

    • Size

      137KB

    • MD5

      84c83f1f50bed460d9bd13fa4d83304b

    • SHA1

      e4c17ffcc97654efa537310f81702d922b3101f3

    • SHA256

      a89fcdf02e9d587c2c00cbfa5efada6b308f62d7d8a296f7a1cfc8c4991de375

    • SHA512

      4d19b7c31265507c7962a45c2babd266bd8dceae4e9d3cd3c9359083c066a77028158790f3f14cbb22a46ec90d754efa6fa811774b330f6910b7e5576335c289

    • SSDEEP

      3072:1efQZKfOC31VwyY9egNtfNjJvjmqqF7Hb/LMm5MqDC:1DewyY9egLRePYm5B

    • Score

      1/10

    • Target

      ggpermV3/woof.bat

    • Size

      1KB

    • MD5

      9dfe4e730dcc5e0d3951038ad2a095a1

    • SHA1

      e033d9a40234b9544606ec4d603add264cb38841

    • SHA256

      bfffd2faf6710e02912de0eec63b593f35a8bebef114932b4a4bc9c67fad59b8

    • SHA512

      297e9950fd207687af957a94c5fb7d073bb89dcebdd6ee047fa0465f55bb95b42563c7310980bf1e41ca671a1f8c824e86dfe515b844f99f307965d199d8dbfd

    • Score

      8/10

    • Stops running service(s)

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15