Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 19/11/2024, 13:13
Static task
- static1

Behavioral tasks (sample, resource)
- behavioral1: CRIMSON.rar, win7-20240903-en
- behavioral2: CRIMSON.rar, win10v2004-20241007-en
- behavioral3: CRIMSON/Bin/Xeno.dll, win7-20240903-en
- behavioral4: CRIMSON/Bin/Xeno.dll, win10v2004-20241007-en
- behavioral5: CRIMSON/Bin/libcrypto-3-x64.dll, win7-20240903-en
- behavioral6: CRIMSON/Bin/libcrypto-3-x64.dll, win10v2004-20241007-en
- behavioral7: CRIMSON/Bin/libssl-3-x64.dll, win7-20240708-en
- behavioral8: CRIMSON/Bin/libssl-3-x64.dll, win10v2004-20241007-en
- behavioral9: CRIMSON/Bin/xxhash.dll, win7-20240903-en
- behavioral10: CRIMSON/Bin/xxhash.dll, win10v2004-20241007-en
- behavioral11: CRIMSON/Bin/zstd.dll, win7-20241010-en
- behavioral12: CRIMSON/Bin/zstd.dll, win10v2004-20241007-en
- behavioral13: CRIMSON/Crimson Best.exe, win7-20240903-en
- behavioral14: CRIMSON/Crimson Best.exe, win10v2004-20241007-en
- behavioral15: CRIMSON/FastColoredTextBox.dll, win7-20241010-en
- behavioral16: CRIMSON/FastColoredTextBox.dll, win10v2004-20241007-en
- behavioral17: CRIMSON/Guna.UI2.dll, win7-20240903-en
- behavioral18: CRIMSON/Guna.UI2.dll, win10v2004-20241007-en
- behavioral19: CRIMSON/Monaco/index.html, win7-20240903-en
- behavioral20: CRIMSON/Monaco/index.html, win10v2004-20241007-en
- behavioral21: CRIMSON/Monaco/vs/base/worker/workerMain.js, win7-20240903-en
- behavioral22: CRIMSON/Monaco/vs/base/worker/workerMain.js, win10v2004-20241007-en
- behavioral23: CRIMSON/Monaco/vs/basic-languages/bat/bat.js, win7-20240903-en
- behavioral24: CRIMSON/Monaco/vs/basic-languages/bat/bat.js, win10v2004-20241007-en
- behavioral25: CRIMSON/Monaco/vs/basic-languages/coffee/coffee.js, win7-20240903-en
- behavioral26: CRIMSON/Monaco/vs/basic-languages/coffee/coffee.js, win10v2004-20241007-en
- behavioral27: CRIMSON/Monaco/vs/basic-languages/cpp/cpp.js, win7-20240903-en
- behavioral28: CRIMSON/Monaco/vs/basic-languages/cpp/cpp.js, win10v2004-20241007-en
- behavioral29: CRIMSON/Monaco/vs/basic-languages/csharp/csharp.js, win7-20241010-en
- behavioral30: CRIMSON/Monaco/vs/basic-languages/csharp/csharp.js, win10v2004-20241007-en
- behavioral31: CRIMSON/Monaco/vs/basic-languages/csp/csp.js, win7-20240903-en
- behavioral32: CRIMSON/Monaco/vs/basic-languages/csp/csp.js, win10v2004-20241007-en
General
- Target: CRIMSON/Crimson Best.exe
- Size: 133KB
- MD5: f71cdf848c5ca76ad9e6e879a3cb20d2
- SHA1: ecb7ccbdca1d33430af3bfa40237d93e74a0a6a4
- SHA256: 1bf439d985e2e046c34d469d83545d4b760ca21c1f25253e35c3d7000a0c7787
- SHA512: 47a66cd6c2a0eff0a3a79bf9cc1bb201032fd0913c35fab311c7c6e601a1e768656b47092294c552f9bc867cef1e28e8a945d1dca85494964f385f753daca811
- SSDEEP: 3072:D46omPF4ZWeDwYW5CuQkj54kmqshAcmhcn:DahhUMunn7InQ
Malware Config
Signatures
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow 4: raw.githubusercontent.com
  flow 5: raw.githubusercontent.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Crimson Best.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (Crimson Best.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion (Crimson Best.exe)
- Modifies Internet Explorer settings (3 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (Crimson Best.exe)
  Key created: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main (Crimson Best.exe)
  Key created: \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (Crimson Best.exe)
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2736, Crimson Best.exe (the same pid/process pair, reported 64 times)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Token: SeDebugPrivilege, pid 2736, Crimson Best.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid 2736, Crimson Best.exe (reported twice)
Processes
- C:\Users\Admin\AppData\Local\Temp\CRIMSON\Crimson Best.exe (PID: 2736, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\CRIMSON\Crimson Best.exe"
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx