crimsonrat | 0d61d5fe8dbf69c6e61771451212fc8e587d93246bd866adf1031147d6d4f8c2

Analysis

max time kernel
183s
max time network
210s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 09:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d61d5fe8dbf69c6e61771451212fc8e587d93246bd866adf1031147d6d4f8c2.ppam
Size

396KB
MD5

70635541c80cd5a237ff789abcce4e27
SHA1

69639bccfdfc319d64ab89d5ee03d29f6f6133a7
SHA256

0d61d5fe8dbf69c6e61771451212fc8e587d93246bd866adf1031147d6d4f8c2
SHA512

8470f9581032dca01aacd5ca55974d56bc34d652fc1b2f25883002d5c28330b2ce04fe69031d72e3b3d4e2fd058c32263af538d64f3e23757ff350d70d6f7867
SSDEEP

6144:ilRaWUni3pcJi9U+K/mpL0IfyzvfJ1vC53oPWVkuKsxkx:OUWOUXq+emC3Trq9Elskx

Score

10^/10

crimsonrat rat

Malware Config

Extracted

Family

crimsonrat

192.3.99.68

Signatures

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat

Executes dropped EXE 1 IoCs

pid	Process
2852	hiartbnaiw.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\ProgramData\Offiecs3414\data.zip:Zone.Identifier:$DATA	POWERPNT.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3028	POWERPNT.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3028	POWERPNT.EXE
3028	POWERPNT.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3028	POWERPNT.EXE
3028	POWERPNT.EXE
3028	POWERPNT.EXE
3028	POWERPNT.EXE
3028	POWERPNT.EXE
3028	POWERPNT.EXE

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2852	3028	POWERPNT.EXE	90
PID 3028 wrote to memory of 2852	3028	POWERPNT.EXE	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\0d61d5fe8dbf69c6e61771451212fc8e587d93246bd866adf1031147d6d4f8c2.ppam" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3028
- C:\ProgramData\Offiecs3414\ppt\embeddings\hiartbnaiw.exe
  C:\ProgramData\Offiecs3414\ppt\embeddings\hiartbnaiw.exe
  2⤵
  - Executes dropped EXE
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Offiecs3414\data.zip

Filesize
396KB

MD5
70635541c80cd5a237ff789abcce4e27

SHA1
69639bccfdfc319d64ab89d5ee03d29f6f6133a7

SHA256
0d61d5fe8dbf69c6e61771451212fc8e587d93246bd866adf1031147d6d4f8c2

SHA512
8470f9581032dca01aacd5ca55974d56bc34d652fc1b2f25883002d5c28330b2ce04fe69031d72e3b3d4e2fd058c32263af538d64f3e23757ff350d70d6f7867

Download Submit
C:\ProgramData\Offiecs3414\data.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\ProgramData\Offiecs3414\ppt\embeddings\hiartbnaiw.exe

Filesize
10.5MB

MD5
ac4944bec64b6d40f3bb16d6ed3f06e8

SHA1
ad07a2a5d0da4e0aeeb997a9c07a8729ab3a3de7

SHA256
fc34f9087ab199d0bac22aa97de48e5592dbf0784342b9ecd01b4a429272ab5b

SHA512
4185bbaa8ebca5da475d4b99d4fc9871c8ce57a1d9e69952fc5171adf979af320775f51b6875e43a62925a1c8a1e1b5f8da3bfc49d63aa6be2b3394eb1aa0f0e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
337B

MD5
24ceeb9ff9e1adc52605df7a4922ab2e

SHA1
5541f246782d0e9073f68cd1ef4efa709bdc4a72

SHA256
9184915b2154e3cdf1d2099ab5ae229a076912bb72f0fae07d9db1ece6ed292f

SHA512
6c56543083f210e87f9f0f12fe537cb9d14d6c4a3474f65bbeb71305824b95acc8e7d1727e58a879e1b7c3de379c841f38eb75890c371407b7ff93416c40b223

Download Submit
C:\Users\Admin\Documents\0d61d5fe8dbf69c6e61771451212fc8e587d93246bd866adf1031147d6d4f8c2.pptx

Filesize
175KB

MD5
643218061bd19bc22c91eb67e688d0ad

SHA1
0bdba98f3f080a9e367dbd44e8051768ccc7a331

SHA256
8f905ae9b5f3c9d1f4a2a3ba5c366fb2213629c077b43d85eb6fd005b4c47bfb

SHA512
a45c29077622ee9b2ee72128707a4d4370a93a1f8f96511defa36ee563d37e198fcd3047282a77acefe2cda2c57ee460c63f9fe9164f3c5a5de589dcbed5366a

Download Submit
memory/2852-283-0x0000023070530000-0x0000023070540000-memory.dmp

Filesize
64KB

Download
memory/2852-282-0x00007FFF65C50000-0x00007FFF66711000-memory.dmp

Filesize
10.8MB

Download
memory/2852-245-0x0000023070530000-0x0000023070540000-memory.dmp

Filesize
64KB

Download
memory/2852-244-0x000002306D380000-0x000002306DE00000-memory.dmp

Filesize
10.5MB

Download
memory/2852-243-0x00007FFF65C50000-0x00007FFF66711000-memory.dmp

Filesize
10.8MB

Download
memory/3028-10-0x00007FFF93D70000-0x00007FFF93F65000-memory.dmp

Filesize
2.0MB

Download
memory/3028-8-0x00007FFF93D70000-0x00007FFF93F65000-memory.dmp

Filesize
2.0MB

Download
memory/3028-13-0x00007FFF93D70000-0x00007FFF93F65000-memory.dmp

Filesize
2.0MB

Download
memory/3028-14-0x00007FFF93D70000-0x00007FFF93F65000-memory.dmp

Filesize
2.0MB

Download
memory/3028-11-0x00007FFF93D70000-0x00007FFF93F65000-memory.dmp

Filesize
2.0MB

Download
memory/3028-15-0x00007FFF93D70000-0x00007FFF93F65000-memory.dmp

Filesize
2.0MB

Download
memory/3028-16-0x00007FFF93D70000-0x00007FFF93F65000-memory.dmp

Filesize
2.0MB

Download
memory/3028-17-0x00007FFF51880000-0x00007FFF51890000-memory.dmp

Filesize
64KB

Download
memory/3028-18-0x00007FFF51880000-0x00007FFF51890000-memory.dmp

Filesize
64KB

Download
memory/3028-34-0x00007FFF93D70000-0x00007FFF93F65000-memory.dmp

Filesize
2.0MB

Download
memory/3028-37-0x00000148165D0000-0x0000014816DD0000-memory.dmp

Filesize
8.0MB

Download
memory/3028-49-0x00007FFF93D70000-0x00007FFF93F65000-memory.dmp

Filesize
2.0MB

Download
memory/3028-0-0x00007FFF53DF0000-0x00007FFF53E00000-memory.dmp

Filesize
64KB

Download
memory/3028-70-0x00000148165D0000-0x0000014816DD0000-memory.dmp

Filesize
8.0MB

Download
memory/3028-9-0x00007FFF53DF0000-0x00007FFF53E00000-memory.dmp

Filesize
64KB

Download
memory/3028-106-0x00000148165D0000-0x0000014816DD0000-memory.dmp

Filesize
8.0MB

Download
memory/3028-143-0x00007FFF93D70000-0x00007FFF93F65000-memory.dmp

Filesize
2.0MB

Download
memory/3028-12-0x00007FFF93D70000-0x00007FFF93F65000-memory.dmp

Filesize
2.0MB

Download
memory/3028-4-0x00007FFF53DF0000-0x00007FFF53E00000-memory.dmp

Filesize
64KB

Download
memory/3028-7-0x00007FFF53DF0000-0x00007FFF53E00000-memory.dmp

Filesize
64KB

Download
memory/3028-5-0x00007FFF93D70000-0x00007FFF93F65000-memory.dmp

Filesize
2.0MB

Download
memory/3028-6-0x00007FFF93D70000-0x00007FFF93F65000-memory.dmp

Filesize
2.0MB

Download
memory/3028-2-0x00007FFF93D70000-0x00007FFF93F65000-memory.dmp

Filesize
2.0MB

Download
memory/3028-274-0x00007FFF53DF0000-0x00007FFF53E00000-memory.dmp

Filesize
64KB

Download
memory/3028-275-0x00007FFF53DF0000-0x00007FFF53E00000-memory.dmp

Filesize
64KB

Download
memory/3028-276-0x00007FFF53DF0000-0x00007FFF53E00000-memory.dmp

Filesize
64KB

Download
memory/3028-277-0x00007FFF53DF0000-0x00007FFF53E00000-memory.dmp

Filesize
64KB

Download
memory/3028-279-0x00007FFF93D70000-0x00007FFF93F65000-memory.dmp

Filesize
2.0MB

Download
memory/3028-278-0x00000148165D0000-0x0000014816DD0000-memory.dmp

Filesize
8.0MB

Download
memory/3028-280-0x00000148165D0000-0x0000014816DD0000-memory.dmp

Filesize
8.0MB

Download
memory/3028-281-0x00000148165D0000-0x0000014816DD0000-memory.dmp

Filesize
8.0MB

Download
memory/3028-3-0x00007FFF53DF0000-0x00007FFF53E00000-memory.dmp

Filesize
64KB

Download
memory/3028-1-0x00007FFF93D70000-0x00007FFF93F65000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads