Overview

overview

10

Static

static

8

fa6a95df0a...b6.xls

windows7-x64

10

fa6a95df0a...b6.xls

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    15-11-2024 18:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fa6a95df0af45ff6601696678af711b6.xls

  • Size

    423KB

  • MD5

    fa6a95df0af45ff6601696678af711b6

  • SHA1

    c87653f543d7c9386b92732e02ee64deac0e0100

  • SHA256

    2628ad9be62db33bcc2dd982d80a7ec4ff840349a658795e13ef9611b784eefe

  • SHA512

    362d3bd45dcf7b419661a4a77545d337d7f294a143f732e18dd7f728f04e99772bb45e205513c4c03f6975778ba2d812cc6e288ff5e6591ca04ad2a639d3fc02

  • SSDEEP

    6144:ixEtjPOtioVjDGUU1qfDlavx+W2QnASFR:TF

Score
10/10
crimsonratdiscoveryrat

Malware Config

Extracted

Family

crimsonrat

C2

167.114.138.12

Signatures

  • CrimsonRAT main payload 1 IoCs
  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    ratcrimsonrat
  • Crimsonrat family
    crimsonrat
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Office loads VBA resources, possible macro or embedded object present
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\fa6a95df0af45ff6601696678af711b6.xls
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2984
    • C:\ProgramData\Tdlawis\rlbwrarhsa.exe
      C:\ProgramData\Tdlawis\rlbwrarhsa.exe
      2⤵
      • Executes dropped EXE
      PID:2432

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~3\Dlphaws\omthrpa.zip
    Filesize

    56KB

    MD5

    aac869f05f219ae6508ad279a97120d1

    SHA1

    1de68ade3b8f45a2b7b846b35768e6301b5e2e0d

    SHA256

    0b655acf2e3c1c72746c4a69f56f4c5149b27cfea9d10fe2dbffd411b8b4fd8d

    SHA512

    51199423ed586ae4a2990df54a0231d9ea0d067e0f9badb3139b9a3a61f2d8044a02e1f8d27fcc4d7f59118d84326a1cc74f68c76e95b71a8ce7c1953451c05f

    Download Submit

  • \ProgramData\Tdlawis\rlbwrarhsa.exe
    Filesize

    9.6MB

    MD5

    8a1f4a512fe9edbcc62ba4b1c3e08f0a

    SHA1

    fcc99860e1029e0d989121be46eb1da2f8402853

    SHA256

    ecd7d7a27a2a043919a233bb91e3b009c05b7c81ff132a7c29228e1c45d2b6a6

    SHA512

    0e78fa869f051b5672b6f7a4dcc02ae7cdca55ba8ac2b14a34f30e94844fddb7caa22ac9fd555ac0bb270c1bfbedcb3e7ef074fcf9cba8dbf2ba0d5dc690444c

    Download Submit

  • memory/2432-56-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2432-55-0x000007FEF5AEE000-0x000007FEF5AEF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2432-46-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2432-47-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp

    Filesize

    9.6MB

    Download

  • memory/2432-45-0x000007FEF5AEE000-0x000007FEF5AEF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2984-9-0x00000000006B0000-0x00000000007B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2984-11-0x00000000006B0000-0x00000000007B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2984-12-0x00000000006B0000-0x00000000007B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2984-5-0x0000000006E70000-0x0000000006F70000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2984-7-0x00000000006B0000-0x00000000007B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2984-18-0x00000000006B0000-0x00000000007B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2984-22-0x00000000006B0000-0x00000000007B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2984-8-0x00000000006B0000-0x00000000007B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2984-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2984-6-0x00000000006B0000-0x00000000007B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2984-10-0x00000000006B0000-0x00000000007B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2984-4-0x00000000006B0000-0x00000000007B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2984-52-0x00000000722AD000-0x00000000722B8000-memory.dmp

    Filesize

    44KB

    Download

  • memory/2984-53-0x00000000006B0000-0x00000000007B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2984-54-0x00000000006B0000-0x00000000007B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2984-3-0x00000000006B0000-0x00000000007B0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2984-1-0x00000000722AD000-0x00000000722B8000-memory.dmp

    Filesize

    44KB

    Download