crimsonrat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/tree/master/RAT

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15-08-2024 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/RAT

Score

10^/10

crimsonrat discovery rat

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000f000000023399-349.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe

Executes dropped EXE 10 IoCs

pid	Process
4196	CrimsonRAT.exe
3780	dlrarhsiva.exe
5652	CrimsonRAT.exe
5720	dlrarhsiva.exe
6132	CrimsonRAT.exe
4848	dlrarhsiva.exe
3336	CrimsonRAT.exe
768	dlrarhsiva.exe
2564	CrimsonRAT.exe
5168	dlrarhsiva.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
73	raw.githubusercontent.com
72	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 161943.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 827519.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3852	msedge.exe
3852	msedge.exe
4888	msedge.exe
4888	msedge.exe
4700	identity_helper.exe
4700	identity_helper.exe
448	msedge.exe
448	msedge.exe
3620	msedge.exe
3620	msedge.exe
5272	msedge.exe
5272	msedge.exe
5272	msedge.exe
5272	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4888	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 3044	4888	msedge.exe	85
PID 4888 wrote to memory of 3044	4888	msedge.exe	85
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 752	4888	msedge.exe	86
PID 4888 wrote to memory of 3852	4888	msedge.exe	87
PID 4888 wrote to memory of 3852	4888	msedge.exe	87
PID 4888 wrote to memory of 3708	4888	msedge.exe	88
PID 4888 wrote to memory of 3708	4888	msedge.exe	88
PID 4888 wrote to memory of 3708	4888	msedge.exe	88
PID 4888 wrote to memory of 3708	4888	msedge.exe	88
PID 4888 wrote to memory of 3708	4888	msedge.exe	88
PID 4888 wrote to memory of 3708	4888	msedge.exe	88
PID 4888 wrote to memory of 3708	4888	msedge.exe	88
PID 4888 wrote to memory of 3708	4888	msedge.exe	88
PID 4888 wrote to memory of 3708	4888	msedge.exe	88
PID 4888 wrote to memory of 3708	4888	msedge.exe	88
PID 4888 wrote to memory of 3708	4888	msedge.exe	88
PID 4888 wrote to memory of 3708	4888	msedge.exe	88
PID 4888 wrote to memory of 3708	4888	msedge.exe	88
PID 4888 wrote to memory of 3708	4888	msedge.exe	88
PID 4888 wrote to memory of 3708	4888	msedge.exe	88
PID 4888 wrote to memory of 3708	4888	msedge.exe	88
PID 4888 wrote to memory of 3708	4888	msedge.exe	88
PID 4888 wrote to memory of 3708	4888	msedge.exe	88
PID 4888 wrote to memory of 3708	4888	msedge.exe	88
PID 4888 wrote to memory of 3708	4888	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/tree/master/RAT
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9cc5346f8,0x7ff9cc534708,0x7ff9cc534718
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,17939419482377482406,11805897310868325473,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,17939419482377482406,11805897310868325473,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,17939419482377482406,11805897310868325473,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17939419482377482406,11805897310868325473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17939419482377482406,11805897310868325473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,17939419482377482406,11805897310868325473,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,17939419482377482406,11805897310868325473,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,17939419482377482406,11805897310868325473,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3236 /prefetch:8
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17939419482377482406,11805897310868325473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,17939419482377482406,11805897310868325473,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,17939419482377482406,11805897310868325473,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17939419482377482406,11805897310868325473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,17939419482377482406,11805897310868325473,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6568 /prefetch:8
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,17939419482377482406,11805897310868325473,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5476 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3620
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4196
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17939419482377482406,11805897310868325473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17939419482377482406,11805897310868325473,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17939419482377482406,11805897310868325473,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6720 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,17939419482377482406,11805897310868325473,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,17939419482377482406,11805897310868325473,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3720 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2908

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5584

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5652
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:5720

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:6132
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:4848

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3336
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:768

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2564
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:5168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CrimsonRAT.exe.log

Filesize
1KB

MD5
2d2a235f1b0f4b608c5910673735494b

SHA1
23a63f6529bfdf917886ab8347092238db0423a0

SHA256
c897436c82fda9abf08b29fe05c42f4e59900116bbaf8bfd5b85ef3c97ab7884

SHA512
10684245497f1a115142d49b85000075eb36f360b59a0501e2f352c9f1d767c447c6c44c53a3fb3699402a15a8017bdbd2edd72d8599fdd4772e9e7cb67f3086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
219c5b35e7082628f75962bab8df0093

SHA1
3ac6db9b74e03a3f4e2aab97d0863e6133500145

SHA256
c476e2f9f6031847b6fe57f60b2247182c09b05cbd88903bca85d5c30e495e50

SHA512
fd342dc7dea42dbc46c703a63619ffc15fd8406ef5877ca4d9e2efeebfec9322190e079ef7cc3ff99355921ded5e53e64369d7466a51b89dbe905b958ce54184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
05cc4af9d390df2b779237e00c018682

SHA1
ddf92007febb0016930010da1280bbb67ace26cd

SHA256
4a83a373076b0549fc39bc75ca543ada3e9c7c655ff11e4e95ee13740b628dab

SHA512
c745b6747f92fed4e3b606365d58395a38082d9bb630c88666cfb97e130ba7634d1893a52e1e6ad5f948299f4f9533010ff21b517a460977674d4493a6c68f78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
080811e4883b5d035c7804f44ec672e4

SHA1
b7ee6c3dc56e6f09577dcfc64f8e3dfdfbd6279e

SHA256
fdf082d015ec1f44119671f15843b39d75b9feb6b5dc2487f364700b287e77ab

SHA512
1967efb29d8ff4e9d8f0132223a1136ecf3b6aba92f7a06151670111eef14803db415fa3fd240b5824a8d7e8b4e5962a964b1492abb90c2c5c0ed56a4a6684e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ee5732f1af789742bdb886b7cbf01083

SHA1
f8e904db1ff5a042eeabef0d3d5341b7de75cb64

SHA256
f37aa6182c701625eaa30c2d93aac64d363d1cbbba669b6ffc83b3d035d090ff

SHA512
a61a2eda44eae31bd78bd574022002cfae712cc93afc5534610a7cf95d824876fca64b1a7875e0fde91c0e071e281d13de29e8b4986304136d79eed00210c8f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9ff413c7703ee246c18409bad2c34a46

SHA1
495816392b8292ca9ea0e28eae7c5e0231bdf4f9

SHA256
d396eabcfbf388bbfe70d0f16462ba298e5ce6f7a496d44515981781e9a33995

SHA512
ee4d36929f3aa74a57bdeb6c750d0c8be9d25680744652c6a942a6750637b119522072ba575e8cdfe2882ca83c9e33ebf080f8a674959882a6e3c1dee629943b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
839277e9bcfe5855c50a9d8f95fb2d0d

SHA1
446ebcb14bc05727d25d8185af27098c76f56ff1

SHA256
5ed17fa959ca1c271bcddb54bf3ed4b521e05e19a9dd86d2382bdcbd49f1caac

SHA512
72323166b2adc14da66c570134f87399494f1664a0508e163a58d8e99c289c473e62e38f74d5b2555fa564b15ef36e25697be23e3a5579a211306be2b7696931

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0d3b5143758c0bcce9eb4a69c3bb2490

SHA1
eaac05e996b0aaf0c55b35f42e1d9385db0bb52b

SHA256
9722cd4fbbb6d94d3b8f721ef6cb7520158a932d2f4fb471655e38d9ed26c6a5

SHA512
585b91e3f76d1f6ddd5792928b62ba8d4f043d7b746b915f2c7dff0f3a08fccfdff8bc7af1b5fcc12aa17cd4aa278aae87aa5a4836c4c28baa4725c1b553540b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
59919f66ab25dd25a7572cf2031b6b74

SHA1
ba68c588fef93d60fd819d060fda2178f7b9fdf7

SHA256
1a1c9a36216add81161444d059dfd1f14bc5a299938393b6a1b4f7558d88cab9

SHA512
653b9a5fc94b33ce41d981a66bf87e8428b76062c77f9e8afc82276738b2846572fa146f95a756372586185b21c727e94105aa20f7f8968c13735d098d3dd330

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dd458f5ce42aa1ca1417040f8977262e

SHA1
5c45a1c69f829cdf39bc19cb8c3659a699ee4c4a

SHA256
805b2a01aa5d9bf4d3332f8cd43fc3c5b22753fde7da47b386842116709056ec

SHA512
653fb370fbcdd08607b69aca1c5e4ec7b73a86b283388fb9b2b729109ab1e5283ab72036b9abf11bd26eb9d6c9c792640705929e5e9048503ff1226a4864662f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bb3ccc0f358af3c765cdf775b5621f03

SHA1
007d6604cbbf37c5c028440cbc249db4fc685fba

SHA256
7f604326449e8a44975a170c1914b6d5c4b677ef1ac663a660d96daf0845ccae

SHA512
f34c72a4660883d689aff6fee78ad619e53ff1bbb290998beb1727cb88e0bbb45eee60000d4bea0070816e3b6bf0415b59f673b6497211cb8dbc883537e05c56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584735.TMP

Filesize
371B

MD5
baf630375b6e1b97f84ecc5e14576ee5

SHA1
559762a96e014fa20cb368d7b48935504e6d8176

SHA256
56b3974cc35bc1228ded420481ad4cf0ad30433523aa5cb7e3497affa7aa4b47

SHA512
562ea472221177f12c38111a616315e1a9d4e8a12ca9f4a2bdcb010c9c88aaf72d3c4e837c7f6d9a4cebb4b53cfc1238e3214feaee044215fdd65c1003179930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
78fe7e948c95d3fc394ab4265c264186

SHA1
c95e66618b7b929596b7b6928c3a45a000c75822

SHA256
861c969ae1d2b18045c64002a333332d04f3abd0c76bccffc490ea6abf6ff734

SHA512
e70e26be2f1a72488a06a8b9690551ce1c475f70270aefa31fa7ec148a28fabc4cd338aae1be1e7adb261f6d7b0d1943185ecd6a430d8c5821b8b4955b8a5f94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
241badac98dd1242638536752b656481

SHA1
e546688a4c0e3d18dfa9bcb1e537436faf0ba133

SHA256
366ca8bcf0a09fd83a0b20e422c723f12a08f85abc308a848a2383801078326f

SHA512
2aab8375f82c749a19996f6874884c1cab19f7c4dd8921d42948b7ed7a06a7aa3270708ba1eaa5ef102290520576b602683d7cb76b437dd898889741c3044161

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5d8e43a150bdebcbd9a3ee1cc21f6bf2

SHA1
6bfceb82782631ae9cd11b3e3e856d83227c7d34

SHA256
e4b0a1f194aca7d7662f34604165b570ec41b9cf5031129481e1f98b461f0c55

SHA512
bda99fefd9eea6d26230821ef89e4b6ab2d7297fb4454d6bed304a5e31561234cf4bbaa873a522e72af816da7ee6d2dc7290034dec9e06163f7e3e89d6f9b97a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e55d5e974e948327c503b8dd3d589fd2

SHA1
25a84c7230bf44952a89e643ab1a0ffda4d85c8f

SHA256
5f7b99ee24688a3fd76c034f61f1153e85e29195efa56d2d8fc69cfa3677c121

SHA512
cf3d9c3279c30db421f04a8b4e3e6ec8560c4c27926d72f89218c737824d860ef6cd68adb4d580387c95d21e3988a7c98470f6c379816e647748ad2314f8605a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 161943.crdownload

Filesize
5KB

MD5
fe537a3346590c04d81d357e3c4be6e8

SHA1
b1285f1d8618292e17e490857d1bdf0a79104837

SHA256
bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a

SHA512
50a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 827519.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
memory/3780-368-0x0000014C08B80000-0x0000014C09494000-memory.dmp

Filesize
9.1MB

Download
memory/4196-317-0x000001D141D40000-0x000001D141D5E000-memory.dmp

Filesize
120KB

Download