Overview

overview

10

Static

static

3

CrimsonRAT.exe

windows7-x64

Analysis

  • max time kernel
    32s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    13-04-2024 18:18

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    CrimsonRAT.exe

  • Size

    84KB

  • MD5

    b6e148ee1a2a3b460dd2a0adbf1dd39c

  • SHA1

    ec0efbe8fd2fa5300164e9e4eded0d40da549c60

  • SHA256

    dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

  • SHA512

    4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

  • SSDEEP

    1536:IjoAILD000jsdtP66K3uch3bCuExwwSV712fRp1Oo2IeG:IqLD000wD6VRhLbzwSv2H1beG

Score
10/10
crimsonratpersistencerat

Malware Config

Extracted

Family

crimsonrat

C2

185.136.161.124

Signatures

  • CrimsonRAT main payload 1 IoCs
  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    ratcrimsonrat
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 3 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe
    "C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\ProgramData\Hdlharas\dlrarhsiva.exe
      "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      PID:2524
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:2612
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x1
      1⤵
        PID:548

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\PROGRA~3\Hdlharas\mdkhm.zip
        Filesize

        56KB

        MD5

        b635f6f767e485c7e17833411d567712

        SHA1

        5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

        SHA256

        6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

        SHA512

        551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

        Download Submit

      • C:\ProgramData\Hdlharas\dlrarhsiva.exe
        Filesize

        9.1MB

        MD5

        64261d5f3b07671f15b7f10f2f78da3f

        SHA1

        d4f978177394024bb4d0e5b6b972a5f72f830181

        SHA256

        87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

        SHA512

        3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

        Download Submit

      • memory/548-35-0x0000000002B30000-0x0000000002B31000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2524-27-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2524-28-0x00000000000B0000-0x00000000009C4000-memory.dmp

        Filesize

        9.1MB

        Download

      • memory/2524-29-0x000000001BC20000-0x000000001BCA0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2524-31-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2524-32-0x000000001BC20000-0x000000001BCA0000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2524-34-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2612-33-0x0000000002E10000-0x0000000002E11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2956-2-0x000000001B2B0000-0x000000001B330000-memory.dmp

        Filesize

        512KB

        Download

      • memory/2956-0-0x00000000008C0000-0x00000000008DE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2956-30-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/2956-1-0x000007FEF5C70000-0x000007FEF665C000-memory.dmp

        Filesize

        9.9MB

        Download