Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
10-04-2024 10:22
Behavioral task
behavioral1
Sample
386ed7ba502e7bf0e60c546476c1c762cbc951eb2a2ba1f5b505be08d60310ef.xls
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
386ed7ba502e7bf0e60c546476c1c762cbc951eb2a2ba1f5b505be08d60310ef.xls
Resource
win10v2004-20240226-en
General
-
Target
386ed7ba502e7bf0e60c546476c1c762cbc951eb2a2ba1f5b505be08d60310ef.xls
-
Size
401KB
-
MD5
02ba9703d1f250b411ea4c868d17fd2e
-
SHA1
27d7eab43b66abd73cdc8da304dbb2daa9842df0
-
SHA256
386ed7ba502e7bf0e60c546476c1c762cbc951eb2a2ba1f5b505be08d60310ef
-
SHA512
c2803749c6dd777f02312ee635c12930082343eab4153c3691cf8bcfe8ec0925d134e094bffee2ceb918a58d59176f07b43fb7b0ba8573325a63eefca487f24c
-
SSDEEP
6144:QxEtjPOtioVjDGUU1qfDlavx+W2QnADP:e
Malware Config
Signatures
-
CrimsonRAT main payload 1 IoCs
resource yara_rule behavioral2/files/0x000700000002321f-72.dat family_crimsonrat -
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
Executes dropped EXE 1 IoCs
pid Process 4620 hargardius.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4868 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 24 IoCs
pid Process 4868 EXCEL.EXE 4868 EXCEL.EXE 4868 EXCEL.EXE 4868 EXCEL.EXE 4868 EXCEL.EXE 4868 EXCEL.EXE 4868 EXCEL.EXE 4868 EXCEL.EXE 4868 EXCEL.EXE 4868 EXCEL.EXE 4868 EXCEL.EXE 4868 EXCEL.EXE 4868 EXCEL.EXE 4868 EXCEL.EXE 4868 EXCEL.EXE 4868 EXCEL.EXE 4868 EXCEL.EXE 4868 EXCEL.EXE 4868 EXCEL.EXE 4868 EXCEL.EXE 4868 EXCEL.EXE 4868 EXCEL.EXE 4868 EXCEL.EXE 4868 EXCEL.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4868 wrote to memory of 4620 4868 EXCEL.EXE 89 PID 4868 wrote to memory of 4620 4868 EXCEL.EXE 89 PID 4868 wrote to memory of 4620 4868 EXCEL.EXE 89
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\386ed7ba502e7bf0e60c546476c1c762cbc951eb2a2ba1f5b505be08d60310ef.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\ProgramData\Mldhrab\hargardius.exeC:\ProgramData\Mldhrab\hargardius.exe2⤵
- Executes dropped EXE
PID:4620
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9.1MB
MD580c092fa7a3558e429c0667cfe1180a1
SHA18f430367ad843012f8a0d1901103c8d7546d843d
SHA2565a7a7c94eed3eea9fbc9ff1a32ea3422b46496e405f90858b1b169bb60bdbac6
SHA512ce1a67abd9ff7396add8dce6379715cfdb5a6e4d59714584232438f80cfa910bf815e15bf7f47535969d830c8f3ac984fca6c5be6c52a6c2ad05a0ebdfc66863
-
Filesize
52KB
MD52bfd5f0385aa66b2a0cb2a41835a2c64
SHA1228e5c6771f77734aac0198250539055a2c83dfe
SHA2561bec9da6aa9e788cade70f6a62076f16ceef9a5b84cec3010bce9117dd9baea6
SHA5123908cda6ce7dd72a73c89efc27999c4ce361699f08c916eefdb7f98b8739ef23b71c6b4e12f079b080cbcef341143247facb6da6ab10b42f1acb7069f69352d8