Resubmissions
19/07/2024, 11:43
240719-nvvnlssera 1019/07/2024, 11:41
240719-ntv8rasemg 419/07/2024, 11:40
240719-ntaxtasekf 1019/07/2024, 11:40
240719-ns1rvaygrn 119/07/2024, 11:30
240719-nmj7xasbqe 10Analysis
-
max time kernel
10s -
max time network
24s -
platform
windows11-21h2_x64 -
resource
win11-20240709-en -
resource tags
-
submitted
19/07/2024, 11:40
General
-
Target
Cryp_RAT.rtf
-
Size
662KB
-
MD5
1fc2941b70df9dd6cdf4cb82af740fe9
-
SHA1
e5d18e3487ca2d5037215c0e0ebfaf7ccae1c655
-
SHA256
44b87df9f68f5a3084c7d80c1c7492ca5209e816a4e83fdbd6e2fcb6f1ff936f
-
SHA512
d5da156e406093bfd398d78a36962360ed6918d6b96e641843e7eeddbd6fe41c0a1681bf0a4fe9e31be22d7b1e16267e62abafc9c14d1dea223e72f3ef810081
-
SSDEEP
12288:6NtcndUa0XzmFe4lT+F4qZDGefM4qeF4C:6Oua0XzmFFI+7Z4VT
Malware Config
Signatures
-
Detect Neshta payload 1 IoCs
-
Neshta
Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Cryp_RAT.rtf" /o ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
316B
MD595bb648d6eb9265eeaf0f889731b1e23
SHA1631d60a024835f4e53ceb9d0a987ce52fe517df4
SHA2569639441a9d36e7e4fda980961b75eeb334540b8cfbcee71eb3cd857e0a838e0c
SHA512184414ea68092124290049282147070a86172833359404ee26199a36083d720e291d55bb85e4ae1d02504ce841efbc646760e7cc5af4088a253aed7b2665c420
-
Filesize
262KB
MD551d32ee5bc7ab811041f799652d26e04
SHA1412193006aa3ef19e0a57e16acf86b830993024a
SHA2566230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97
SHA5125fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810
-
Filesize
323KB
MD52b9a1b7a5e13b8672655d0a09ce50217
SHA12b62dbb4edbc5460bb42e790ca1a4ba7a4821362
SHA256f6c559c031b7b16b1edf34b38e74b6bf3a7106ca34881d7f5c63b8e0d7ac3694
SHA512db34521fbd83a5c9a3671f2ed14854e98c83256a8e16b809d7a165754e5f02c3c6b7dd1f4e994be7e859da5a5a852b5a93d4846cefbc6985d81a56a34a766f52
-
Filesize
16B
MD5d29962abc88624befc0135579ae485ec
SHA1e40a6458296ec6a2427bcb280572d023a9862b31
SHA256a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866
SHA5124311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f
-
Filesize
677B
MD5ea55d259e4b51f538ba4330f6885d998
SHA1f3e7ab20b43c04dab7bbd96b5d34a4160c962309
SHA256e2491cab81f4e25d465e9558dd1456027ed4427144e2fe3f05d347f033db9e38
SHA512ce607373d8003c27fa46807043c5f9dfc74be049012c41108b33c55b71e8216899ad392b4fa5f11bbaac33dbaede6b4e0f2770b25a62cf4d858f604ba7be9b55
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
2.0MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.0MB