General
-
Target
https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://github.com/enginestein/Virus-Collection&ved=2ahUKEwiwlr7W3PiHAxXvJUQIHVSsCEEQFnoECBkQAQ&usg=AOvVaw12vdHUggeAevaJdz99G7mH
-
Sample
240816-fwwy3a1drr
Malware Config
Extracted
crimsonrat
185.136.161.124
Targets
-
-
Target
https://www.google.com/url?sa=t&source=web&rct=j&opi=89978449&url=https://github.com/enginestein/Virus-Collection&ved=2ahUKEwiwlr7W3PiHAxXvJUQIHVSsCEEQFnoECBkQAQ&usg=AOvVaw12vdHUggeAevaJdz99G7mH
Score10/10-
Chimera
Ransomware which infects local and network files, often distributed via Dropbox links.
-
Chimera Ransomware Loader DLL
Drops/unpacks executable file which resembles Chimera's Loader.dll.
-
CrimsonRAT main payload
-
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
Modifies Windows Defender Real-time Protection settings
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
UAC bypass
-
Windows security bypass
-
Renames multiple (3245) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocks application from running via registry modification
Adds application to list of disallowed applications.
-
Downloads MZ/PE file
-
Office macro that triggers on suspicious action
Office document macro which triggers in special circumstances - often malicious.
-
Executes dropped EXE
-
Loads dropped DLL
-
Obfuscated with Agile.Net obfuscator
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Drops desktop.ini file(s)
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Modifies WinLogon
-
AutoIT Executable
AutoIT scripts compiled to PE executables.
-
Hide Artifacts: Hidden Users
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
1Hidden Users
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
7Subvert Trust Controls
1SIP and Trust Provider Hijacking
1