crimsonrat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/CrimsonRAT[.]exe

Analysis

max time kernel
213s
max time network
214s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05-05-2024 03:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/CrimsonRAT.exe

Score

10^/10

crimsonrat rat

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023497-217.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe

Executes dropped EXE 4 IoCs

pid	Process
704	CrimsonRAT.exe
3836	dlrarhsiva.exe
4116	CrimsonRAT.exe
2256	dlrarhsiva.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
62	raw.githubusercontent.com
63	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133593523600011743"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3352	chrome.exe
3352	chrome.exe
3268	chrome.exe
3268	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3352	chrome.exe
3352	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe
Token: SeShutdownPrivilege	3352	chrome.exe
Token: SeCreatePagefilePrivilege	3352	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe
3352	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 712	3352	chrome.exe	84
PID 3352 wrote to memory of 712	3352	chrome.exe	84
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4720	3352	chrome.exe	85
PID 3352 wrote to memory of 4144	3352	chrome.exe	86
PID 3352 wrote to memory of 4144	3352	chrome.exe	86
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87
PID 3352 wrote to memory of 3372	3352	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/CrimsonRAT.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb44b0ab58,0x7ffb44b0ab68,0x7ffb44b0ab78
  2⤵
  PID:712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1944,i,3530720315511742308,13302249117629694531,131072 /prefetch:2
  2⤵
  PID:4720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1944,i,3530720315511742308,13302249117629694531,131072 /prefetch:8
  2⤵
  PID:4144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1944,i,3530720315511742308,13302249117629694531,131072 /prefetch:8
  2⤵
  PID:3372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1944,i,3530720315511742308,13302249117629694531,131072 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1944,i,3530720315511742308,13302249117629694531,131072 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4428 --field-trial-handle=1944,i,3530720315511742308,13302249117629694531,131072 /prefetch:8
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4592 --field-trial-handle=1944,i,3530720315511742308,13302249117629694531,131072 /prefetch:8
  2⤵
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4768 --field-trial-handle=1944,i,3530720315511742308,13302249117629694531,131072 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4828 --field-trial-handle=1944,i,3530720315511742308,13302249117629694531,131072 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4936 --field-trial-handle=1944,i,3530720315511742308,13302249117629694531,131072 /prefetch:8
  2⤵
  PID:4244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4912 --field-trial-handle=1944,i,3530720315511742308,13302249117629694531,131072 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5148 --field-trial-handle=1944,i,3530720315511742308,13302249117629694531,131072 /prefetch:8
  2⤵
  PID:2720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 --field-trial-handle=1944,i,3530720315511742308,13302249117629694531,131072 /prefetch:8
  2⤵
  PID:2280
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:704
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4960 --field-trial-handle=1944,i,3530720315511742308,13302249117629694531,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1660 --field-trial-handle=1944,i,3530720315511742308,13302249117629694531,131072 /prefetch:8
  2⤵
  PID:4336

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4580

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4116
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:2256

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\UnprotectCheckpoint.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
PID:3440

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\42db798623b34e4da927aa355b153a40 /t 3004 /p 3440
1⤵
PID:772

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\ILOVEYOU.vbs"
1⤵
PID:4504

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\ILOVEYOU.vbs"
1⤵
PID:1444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c173c3636850059f5958499b7756640f

SHA1
b1b034134baee0c1a73f19256e6acc53c920e6f7

SHA256
3e4c5f3b81216fccb21b0caed2a79b4f3264e593a63b4072463145243a7bf073

SHA512
065c448cb38330d21b546bd7dfa01d3b3f76b5b2a07b2415a71cef77b293c1b3f8e7152256b5e054181f0f2bd133416a8bd5e347c2bab5dca96c00fd5a6c1284

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c59c47fc1be4e19093351d55fe469a4a

SHA1
8dd26a496738b01fba699d1ce16a8f919a4ebd8b

SHA256
fd1e07ec1e16c0159c9107499b907e1b76d7afa440d587c2ee6b665c98d5b494

SHA512
1c7bc1b7723c8fec78acd1edc331e3287c2c3369151452f5075f0ed239fac6c5fc26046f6172a7979e98fd0f5036b0ccaddb20143ee3c7650c399f46358b84e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f33e64736e32671d794a01ae16d795fb

SHA1
4f1f947fd8688f97548fc652cf603ca05a3fbde7

SHA256
269524c674bb22b947ac31ea8715b4dc6c84fed1683e51c89862ee8283dcef5e

SHA512
846d597d91bece57dddca2c1c9559470ec8726d9387c3faee37a2401f5d02e6017c058c0e4de55e88c65eeab0761104b8052ad327aeb9d1958b911df335ba102

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
a3b6644ae29481b27a2cf1861d2edc19

SHA1
b7315845ebdf54776c16694ebfbb9528db01e64c

SHA256
e99d82f887114de772359b9795ab9c01844d7ee3abd82cceca6a3d399f12e48e

SHA512
cbb1057a88538c2d6c93aca19c4a00bfcb2e39ab3bbd29c1c3ed174084bf4a3b449abbe726bc49f9abaf9493c5856b500af8bc9d494e0d75a3da5240037a192b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d0b0c7a843c436c92a741eb6be2dd962

SHA1
ce96229b5f08af73cf5b8359546632a843793a4c

SHA256
b4823bc0787ee49fdd17eb3a9a4fa15bdd39b59f3f120ca91efbb5c1c7024313

SHA512
c67514dfb61e4804615663e03e52d98e19fab20a62cf11e3f301910f69e1a3d94457c5337b02855dc1bd7d8b64de3216fb8632878ee3d4e981854866c06f055b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
720fe879d3c582c3c82974a9e2a6d05b

SHA1
171378756b3dd3329a3e6ed7ae7114beadd4caf7

SHA256
86d97e037c190ed733f13b042d557a8345c56ee4786e02c15fb2af20b3621389

SHA512
7680184426ac3a72775050001ed9c8342c3be445675b11d95f80203fa21d34e42bc4557cfd2e8bdf18c0cbe343100d5359b95d0c7bd8dd59e0ce96a115a58a68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3c7f99359b95fd352a1b24f926ab2ecf

SHA1
0837ac4157bef5415e7e2e777a66636302dda72a

SHA256
6f9c42ed199d6835283e651eb6550db0d366776346595d97ef64a8d05b6ad4cc

SHA512
678af164a21631c725bb5718bfff1c9f77713e090ccf7b3d3c4ff31ec53b8787ac22a0a09808966136adeb7ec65833f443200488e7c17bed4a7562ccf15cf084

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
52a048427fed573b32f24f85f7366429

SHA1
839cf56f9ecd01a39a126442c77d827956e422b1

SHA256
d4b2e57e4c725122368eec35672b8b8761aec8e33144ef8210be0a4e43140af3

SHA512
f1c0932828bde41a3a1d07b0b8d2aaaeb7589afcbe99a72edbbd464be4a8b95192f193af439bbc0897b9be69712c4191e4fb1999d90dc81edea6efe6a96c3162

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
6152be871627c18028c6f44ea819cd66

SHA1
6051caed71ad834d1f02aa24d29095650ee10156

SHA256
eb0ece96fada0ee7256e7a8b5c5cfeed855b7091d681b9f5a668a1ec2200c717

SHA512
72b1cdac15b1eaf79e907220455caa4419cf3d74b71ab904488c623bec52ec8b59a2f5ba6c5df8eee425102bcb050e7e65ee3ca2b77c54255d0b19c121c3108f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
c83ee26a88b9680a97333a4c16ee7737

SHA1
bce6c6f0356c482de1c280552824d416605b9a3d

SHA256
589ae7de16b48ecdece893dac4ee8ffc5cc76aae720926763f972bbc99cb7b37

SHA512
3508ac1232151bae3fff073cf2a0d44b496bb811645c426814dbf5de2c8e80307298c0f9490018a2d72390f6ec19ccdb92edba901d1456da88cb111a775cb264

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\d64c1b08-ba8d-470b-a1e1-f57a0d9917dc.tmp

Filesize
7KB

MD5
07cf9ceaeba6984b555768969ae6c3cb

SHA1
14b2113e79568f539ba11703e90b0bc510d8c7b1

SHA256
ea5cee2322e6126f6231307a33bf2c532557f1e09e936e2bb496161303f98cc5

SHA512
17144303df63e1c7104b6030bb2288198053bd5ae91d6a1f7bfd247da99cd1464d4e4aa3efafa6eaadf2a2180da8511d45b4eac05949cd0eb5d6e3be048a9c50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
130KB

MD5
02fd65e18db9e9f8b3e0995e2308f057

SHA1
d2b04d1e2b91f792cab9b3a794cebd65eb4094ea

SHA256
c8793cbac2b3d75b858e9d885b03d6d7111a59328b27015b6312116b7d796443

SHA512
44d7b348ad69553750ae39403590927ca9e4d9eda3003854dfb2ffdb321ba9df4f92c492a2506bddc71d05bf53093a53971e2c57c56bfdc9e89e11cf889b81ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CrimsonRAT.exe.log

Filesize
1KB

MD5
2d2a235f1b0f4b608c5910673735494b

SHA1
23a63f6529bfdf917886ab8347092238db0423a0

SHA256
c897436c82fda9abf08b29fe05c42f4e59900116bbaf8bfd5b85ef3c97ab7884

SHA512
10684245497f1a115142d49b85000075eb36f360b59a0501e2f352c9f1d767c447c6c44c53a3fb3699402a15a8017bdbd2edd72d8599fdd4772e9e7cb67f3086

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
8KB

MD5
145ad6f452306ea9b3287a3a3263d36f

SHA1
09e980067748dd89b77fb4ce13daf71f2b50ad37

SHA256
681ef0606d304a956485c10e2fccf0a49ccd936d7b345536e56ec6878103ba14

SHA512
656ed65d572ff0d810c6b171542c75c64b8c162825bd0412ad092d5660357d77935c20c6c0595a69a7b26123e2c082e255c3db2ce5d6c92800e16ccd6708cb04

Download Submit
C:\Users\Admin\Downloads\CrimsonRAT.exe

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\ILOVEYOU.vbs

Filesize
10KB

MD5
8e2c097ca623ca32723d57968b9d2525

SHA1
dccfb092fa979fb51c8c8ca64368a6f43349e41d

SHA256
556700ac50ffa845e5de853498242ee5abb288eb5b8ae1ae12bfdb5746e3b7b1

SHA512
a468476a8463c36c2db914e3fe4dc7aee67ac35e5e39292107431d68ab1553ca3c74255a741432ba71e8a650cf19eb55d43983363bfc9710e65b212fba37bbde

Download Submit
memory/704-192-0x00007FFB31BC3000-0x00007FFB31BC5000-memory.dmp

Filesize
8KB

Download
memory/704-229-0x00007FFB31BC0000-0x00007FFB32681000-memory.dmp

Filesize
10.8MB

Download
memory/704-194-0x00007FFB31BC0000-0x00007FFB32681000-memory.dmp

Filesize
10.8MB

Download
memory/704-193-0x000001F2F7810000-0x000001F2F782E000-memory.dmp

Filesize
120KB

Download
memory/3836-266-0x00007FFB31BC0000-0x00007FFB32681000-memory.dmp

Filesize
10.8MB

Download
memory/3836-227-0x000001BB5E5E0000-0x000001BB5EEF4000-memory.dmp

Filesize
9.1MB

Download
memory/3836-226-0x00007FFB31BC0000-0x00007FFB32681000-memory.dmp

Filesize
10.8MB

Download