Analysis
-
max time kernel
145s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09-11-2024 19:43
Static task
static1
Behavioral task
behavioral1
Sample
Cryp_RAT.rtf
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Cryp_RAT.rtf
Resource
win10v2004-20241007-en
General
-
Target
Cryp_RAT.rtf
-
Size
662KB
-
MD5
1fc2941b70df9dd6cdf4cb82af740fe9
-
SHA1
e5d18e3487ca2d5037215c0e0ebfaf7ccae1c655
-
SHA256
44b87df9f68f5a3084c7d80c1c7492ca5209e816a4e83fdbd6e2fcb6f1ff936f
-
SHA512
d5da156e406093bfd398d78a36962360ed6918d6b96e641843e7eeddbd6fe41c0a1681bf0a4fe9e31be22d7b1e16267e62abafc9c14d1dea223e72f3ef810081
-
SSDEEP
12288:6NtcndUa0XzmFe4lT+F4qZDGefM4qeF4C:6Oua0XzmFFI+7Z4VT
Malware Config
Signatures
-
Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\Temp\{BB0159E8-D17A-40D7-B1F9-7DEE3F612074}\Client.exe:Zone.Identifier WINWORD.EXE -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\Temp\{BB0159E8-D17A-40D7-B1F9-7DEE3F612074}\Client.exe:Zone.Identifier WINWORD.EXE -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 2820 WINWORD.EXE 2820 WINWORD.EXE -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 2820 WINWORD.EXE 2820 WINWORD.EXE 2820 WINWORD.EXE 2820 WINWORD.EXE 2820 WINWORD.EXE 2820 WINWORD.EXE 2820 WINWORD.EXE
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Cryp_RAT.rtf" /o ""1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2820
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
316B
MD595bb648d6eb9265eeaf0f889731b1e23
SHA1631d60a024835f4e53ceb9d0a987ce52fe517df4
SHA2569639441a9d36e7e4fda980961b75eeb334540b8cfbcee71eb3cd857e0a838e0c
SHA512184414ea68092124290049282147070a86172833359404ee26199a36083d720e291d55bb85e4ae1d02504ce841efbc646760e7cc5af4088a253aed7b2665c420
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize1KB
MD57cf26e639f1ebe2c1740de28e7d704b6
SHA18be4608cdfb854149c52949a08cb9a0a77f36b14
SHA256e9c91286fe9ad20b36c257d6552b660fe3f17903585c62d69899764c6df1e098
SHA512b485ceeea0a8a95ae648b9649a7ef6a956c1866f6d0126b8483e27b509379e45f079a55c2ac21c9a24e35c9534d27594612d99c37ddeb3eb068b1b6733e0055b