Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-04-2024 14:28
Behavioral task: behavioral1
Sample: dbb9168502e819619e94d9dc211d5f4967d8083ac5f4f67742b926abb04e6676.doc
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: dbb9168502e819619e94d9dc211d5f4967d8083ac5f4f67742b926abb04e6676.doc
Resource: win10v2004-20240226-en
General
Target: dbb9168502e819619e94d9dc211d5f4967d8083ac5f4f67742b926abb04e6676.doc
Size: 790KB
MD5: c7a3276763a5c1b13f93028aab5a6e73
SHA1: c2844b69a36b3be37f8db97b0afc051f6bf36671
SHA256: dbb9168502e819619e94d9dc211d5f4967d8083ac5f4f67742b926abb04e6676
SHA512: 2ef8d3eb3f1368591666d9f85dddb210c05fe16569f3553086f42d7b82133669c5a9e7fe1263407bb54bb9f75216ef9fcb78348427e334ef74afd6e3f429c01a
SSDEEP: 3072:PkWc08tG41FHiopEomJ9/GuloC5pUAn0YoKpbqZSvYYzU6lXHaym97m/EE3fzLvd:PkA
Malware Config
Extracted family: crimsonrat
C2: 151.106.14.125
C2: 211.210.122.154
Signatures
-
CrimsonRAT main payload (1 IoC)
resource | yara_rule
behavioral2/files/0x0007000000023243-76.dat | family_crimsonrat
CrimsonRAT
Crimson RAT is a remote access trojan attributed to a Pakistan-linked threat actor (Transparent Tribe, also tracked as APT36).
Executes dropped EXE (1 IoC)
pid | Process
740 | ravidhtirad.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read to detect sandbox environments. Note that the process reading these keys here is WINWORD.EXE, not the dropped payload; Office queries these values during normal startup, so this hit on its own is weak evidence of sandbox evasion.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
As with the processor keys, the reader is WINWORD.EXE rather than the dropped payload.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
pid | Process
2052 | WINWORD.EXE
2052 | WINWORD.EXE
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 740 | ravidhtirad.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
pid | Process
2052 | WINWORD.EXE (3 occurrences)
Suspicious use of SetWindowsHookEx (9 IoCs)
pid | Process
2052 | WINWORD.EXE (9 occurrences)
Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
PID 2052 wrote to memory of 740 | 2052 | WINWORD.EXE | 93
PID 2052 wrote to memory of 740 | 2052 | WINWORD.EXE | 93
Both entries are WINWORD.EXE (PID 2052) writing into its own child ravidhtirad.exe (PID 740); no write into an unrelated process was recorded on this run.
Processes
Process 1 (PID 2052)
Image: C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
Command line: "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\dbb9168502e819619e94d9dc211d5f4967d8083ac5f4f67742b926abb04e6676.doc" /o ""
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
Process 2 (PID 740, child of PID 2052)
Image: C:\ProgramData\Dlymrdsa\ravidhtirad.exe
Command line: C:\ProgramData\Dlymrdsa\ravidhtirad.exe
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
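The two findings a defender would act on from this report are the process tree (WINWORD.EXE launching an executable out of C:\ProgramData) and the C2 addresses in the extracted config. The following Python turns both into detection logic and runs it over constructed Sysmon-like events that mirror the report. This is an added example, not part of the sandbox output: the PIDs, image paths and C2 address are taken from the report; explorer.exe as Word's parent, the splwow64.exe child, and the 203.0.113.10 address are assumed benign controls that were not observed in the run.

```python
"""Detection logic for the behaviour recorded in this report: an Office process
launching an executable from a user-writable directory (WINWORD.EXE ->
C:\\ProgramData\\Dlymrdsa\\ravidhtirad.exe) and a process connecting to the
CrimsonRAT C2 addresses from the extracted config.

Added example, not part of the sandbox report. The events below are CONSTRUCTED
in a simplified Sysmon-like shape to mirror the report's process tree and config.
"""
from dataclasses import dataclass
from typing import List, Union

# C2 addresses from the report's "Malware Config" section.
CRIMSONRAT_C2 = frozenset({"151.106.14.125", "211.210.122.154"})

# Office hosts whose child processes deserve scrutiny; only WINWORD.EXE appears in this run.
OFFICE_IMAGES = frozenset({"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"})

# Directory roots a non-admin macro can write to and later execute from.
WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\")


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    image: str
    parent_pid: int
    parent_image: str


@dataclass(frozen=True)
class NetworkConnect:
    pid: int
    image: str
    dest_ip: str


Event = Union[ProcessCreate, NetworkConnect]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for case-insensitive image comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def office_spawned_from_writable_path(ev: ProcessCreate) -> bool:
    """Office parent plus an .exe child under a user-writable root: the macro-dropped payload pattern."""
    image = ev.image.lower()
    return (
        basename(ev.parent_image) in OFFICE_IMAGES
        and image.startswith(WRITABLE_ROOTS)
        and image.endswith(".exe")
    )


def contacts_known_c2(ev: NetworkConnect) -> bool:
    """Exact match against the C2 addresses extracted from this sample."""
    return ev.dest_ip in CRIMSONRAT_C2


def scan(events: List[Event]) -> List[tuple]:
    """Return (rule, pid, detail) for every event that matches a rule, in event order."""
    alerts = []
    for ev in events:
        if isinstance(ev, ProcessCreate) and office_spawned_from_writable_path(ev):
            alerts.append(("office_spawn_writable_path", ev.pid, ev.image))
        elif isinstance(ev, NetworkConnect) and contacts_known_c2(ev):
            alerts.append(("crimsonrat_c2", ev.pid, ev.dest_ip))
    return alerts


WINWORD = r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"
PAYLOAD = r"C:\ProgramData\Dlymrdsa\ravidhtirad.exe"

# Constructed events. PIDs 2052/740, both image paths and the C2 address come from
# the report; explorer.exe as Word's parent (PID 1234), splwow64.exe (PID 3100) and
# 203.0.113.10 (RFC 5737 documentation range) are assumed benign controls, not
# observations from the sandbox run.
SAMPLE_EVENTS: List[Event] = [
    ProcessCreate(2052, WINWORD, 1234, r"C:\Windows\explorer.exe"),
    ProcessCreate(740, PAYLOAD, 2052, WINWORD),
    ProcessCreate(3100, r"C:\Windows\splwow64.exe", 2052, WINWORD),
    NetworkConnect(2052, WINWORD, "203.0.113.10"),
    NetworkConnect(740, PAYLOAD, "151.106.14.125"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The process rule keys on parent image plus child path rather than on the file name ravidhtirad.exe or the directory Dlymrdsa, both of which are trivially changed between samples; the C2 match is exact and will age as fast as the infrastructure does, so treat it as a short-lived indicator next to the behavioural rule.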
-
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
Filesize: 9.2MB
MD5: 62519adeb63e478fe8975c020deeec95
SHA1: e15ecda470e6fa76beb1833458c46511d35c36e7
SHA256: 8f01ae46434e75207d29bc6de069b67c350120a9880cc8e30fefc19471eaac4a
SHA512: 527575ea610facde3dccdaf7479b4c3a220b1ebd8a361555015f4ab9ecaa7947b61f810f3474839e7ee8f9d2ff5d9b14898ae4a9f3489aa95e6f7639da318d80
File 2
Filesize: 100KB
MD5: b1c94f3ca426b21338a03e612aec74d8
SHA1: fa378065fc60c2c8fa82e33acee7902991a28808
SHA256: 23ad57f9cd87f9cfa99a3c429a55498ade18f099b1e8af21e4efd868bbbfb880
SHA512: 2ba21f58d6226124c6ed9184a6c686559eb59390bd67bb81d280eb62c9cd4351ef7e3305d08ec60e3664621687661b5be7f3ce5df9e26fd692e82e6a6bffacff
File 3 (2 bytes; these are the hashes of a bare CRLF pair, typically an empty HTTP response body rather than a meaningful artifact)
Filesize: 2B
MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512: 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84