486b1ff53fb896c08eb98df156d8e36a1c88285ee109c7f27adc0c41ef0762ea

Resubmissions

19/11/2024, 13:13

241119-qgh4rswmbw 7

19/11/2024, 13:11

241119-qe7pca1mgp 6

Analysis

max time kernel
27s
max time network
20s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CRIMSON/Crimson Best.exe
Size

133KB
MD5

f71cdf848c5ca76ad9e6e879a3cb20d2
SHA1

ecb7ccbdca1d33430af3bfa40237d93e74a0a6a4
SHA256

1bf439d985e2e046c34d469d83545d4b760ca21c1f25253e35c3d7000a0c7787
SHA512

47a66cd6c2a0eff0a3a79bf9cc1bb201032fd0913c35fab311c7c6e601a1e768656b47092294c552f9bc867cef1e28e8a945d1dca85494964f385f753daca811
SSDEEP

3072:D46omPF4ZWeDwYW5CuQkj54kmqshAcmhcn:DahhUMunn7InQ

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	Crimson Best.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Crimson Best.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	Crimson Best.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	Crimson Best.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Crimson Best.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Crimson Best.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe
2768	Crimson Best.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2768	Crimson Best.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2768	Crimson Best.exe
2768	Crimson Best.exe

C:\Users\Admin\AppData\Local\Temp\CRIMSON\Crimson Best.exe
"C:\Users\Admin\AppData\Local\Temp\CRIMSON\Crimson Best.exe"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BCOPU31\warning[1]

Filesize
1KB

MD5
124a9e7b6976f7570134b7034ee28d2b

SHA1
e889bfc2a2e57491016b05db966fc6297a174f55

SHA256
5f95eff2bcaaea82d0ae34a007de3595c0d830ac4810ea4854e6526e261108e9

SHA512
ea1b3cc56bd41fc534aac00f186180345cb2c06705b57c88c8a6953e6ce8b9a2e3809ddb01daac66fa9c424d517d2d14fa45fbef9d74fef8a809b71550c7c145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\error[1]

Filesize
3KB

MD5
16aa7c3bebf9c1b84c9ee07666e3207f

SHA1
bf0afa2f8066eb7ee98216d70a160a6b58ec4aa1

SHA256
7990e703ae060c241eba6257d963af2ecf9c6f3fbdb57264c1d48dda8171e754

SHA512
245559f757bab9f3d63fb664ab8f2d51b9369e2b671cf785a6c9fb4723f014f5ec0d60f1f8555d870855cf9eb49f3951d98c62cbdf9e0dc1d28544966d4e70f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NT668XG4\error[1]

Filesize
1KB

MD5
b9bec45642ff7a2588dc6cb4131ea833

SHA1
4d150a53276c9b72457ae35320187a3c45f2f021

SHA256
b0abe318200dcde42e2125df1f0239ae1efa648c742dbf9a5b0d3397b903c21d

SHA512
c119f5625f1fc2bcdb20ee87e51fc73b31f130094947ac728636451c46dced7b30954a059b24fef99e1db434581fd9e830abceb30d013404aac4a7bb1186ad3a

Download Submit
memory/2768-10-0x000007FEF5583000-0x000007FEF5584000-memory.dmp

Filesize
4KB

Download
memory/2768-19-0x000000002C320000-0x000000002CAC6000-memory.dmp

Filesize
7.6MB

Download
memory/2768-5-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-6-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-7-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-0-0x000007FEF5583000-0x000007FEF5584000-memory.dmp

Filesize
4KB

Download
memory/2768-11-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-4-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-27-0x000007FFFFEC0000-0x000007FFFFED0000-memory.dmp

Filesize
64KB

Download
memory/2768-40-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-48-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-49-0x000007FEF5580000-0x000007FEF5F6C000-memory.dmp

Filesize
9.9MB

Download
memory/2768-3-0x000000001CE30000-0x000000001D044000-memory.dmp

Filesize
2.1MB

Download
memory/2768-2-0x0000000000650000-0x0000000000658000-memory.dmp

Filesize
32KB

Download
memory/2768-1-0x000000013F4E0000-0x000000013F506000-memory.dmp

Filesize
152KB

Download