General
Target: __data
Size: 9.2MB
Sample: 240720-jyedksxbrg
MD5: 5c2e1da3892e9ed4cbafbfd3859b9867
SHA1: 3aa36c887a1e6b0c01a0b6b16c49ecc69ce931a5
SHA256: a3f0b7fd84781dbb396f686c4c6268a573824a11f50a39d75d725952adf57466
SHA512: b2f2c45aca4770dc8a68215ff027b7a1c83d4398576170f6bbda340933a441a20f5ee05a9877c0ff29e0f3c952293775ff84470b0d6cc9e564c0195f54ba5679
SSDEEP: 196608:ln7CTef8UQww18jdK+Fi6lwIHE9ZhkEnKIX:le2g71gdKhvh5KO
Static task: static1
Behavioral task: behavioral1
Sample: __data
Resource: win11-20240709-en

Malware Config
Extracted:
  crimsonrat
  185.136.161.124
Targets
Target: __data
Size: 9.2MB
- CrimsonRAT main payload
- Modifies WinLogon for persistence
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
- Blocklisted process makes network request
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Disables use of System Restore points
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
- Modifies Windows Firewall
- Executes dropped EXE
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Drops file in System32 directory
- Sets desktop wallpaper using registry
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    JavaScript (1)
  Windows Management Instrumentation (1)
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (2)
    Image File Execution Options Injection (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (2)
    Image File Execution Options Injection (1)
    Netsh Helper DLL (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Direct Volume Access (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (2)
    Safe Mode Boot (1)
  Indicator Removal (2)
    File Deletion (2)
  Modify Registry (7)