Overview

Tasks created for this submission and the score the sandbox gave each one. Task names are shown truncated as in the export; the full sample paths are listed under the behavioral tasks further down.

  Task                     Platform              Score
  overview                 -                     7
  static                   -                     3
  CRIMSON.rar              windows7-x64          7
  CRIMSON.rar              windows10-2004-x64    7
  CRIMSON/Bin/Xeno.dll     windows7-x64          1
  CRIMSON/Bin/Xeno.dll     windows10-2004-x64    1
  CRIMSON/Bi...64.dll      windows7-x64          1
  CRIMSON/Bi...64.dll      windows10-2004-x64    1
  CRIMSON/Bi...64.dll      windows7-x64          1
  CRIMSON/Bi...64.dll      windows10-2004-x64    1
  CRIMSON/Bi...sh.dll      windows7-x64          1
  CRIMSON/Bi...sh.dll      windows10-2004-x64    1
  CRIMSON/Bin/zstd.dll     windows7-x64          1
  CRIMSON/Bin/zstd.dll     windows10-2004-x64    1
  CRIMSON/Cr...st.exe      windows7-x64          6
  CRIMSON/Cr...st.exe      windows10-2004-x64    6
  CRIMSON/Fa...ox.dll      windows7-x64          1
  CRIMSON/Fa...ox.dll      windows10-2004-x64    1
  CRIMSON/Guna.UI2.dll     windows7-x64          1
  CRIMSON/Guna.UI2.dll     windows10-2004-x64    1
  CRIMSON/Mo...x.html      windows7-x64          3
  CRIMSON/Mo...x.html      windows10-2004-x64    3
  CRIMSON/Mo...ain.js      windows7-x64          3
  CRIMSON/Mo...ain.js      windows10-2004-x64    3
  CRIMSON/Mo...bat.js      windows7-x64          3
  CRIMSON/Mo...bat.js      windows10-2004-x64    3
  CRIMSON/Mo...fee.js      windows7-x64          3
  CRIMSON/Mo...fee.js      windows10-2004-x64    3
  CRIMSON/Mo...cpp.js      windows7-x64          3
  CRIMSON/Mo...cpp.js      windows10-2004-x64    3
  CRIMSON/Mo...arp.js      windows7-x64          3
  CRIMSON/Mo...arp.js      windows10-2004-x64    3
  CRIMSON/Mo...csp.js      windows7-x64          3
  CRIMSON/Mo...csp.js      windows10-2004-x64    3
Analysis

  max time kernel:   53s
  max time network:  48s
  platform:          windows10-2004_x64
  resource:          win10v2004-20241007-en
  resource tags:     arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted:         19/11/2024, 13:13

The signatures, process tree and downloads below belong to this windows10-2004_x64 run of CRIMSON.rar. The other tasks listed next are separate runs with their own reports; in particular, the runs of the extracted Crimson Best.exe (score 6) are not summarised on this page.
Static task: static1

Behavioral tasks (sample, resource):

  behavioral1    CRIMSON.rar                                            win7-20240903-en
  behavioral2    CRIMSON.rar                                            win10v2004-20241007-en
  behavioral3    CRIMSON/Bin/Xeno.dll                                   win7-20240903-en
  behavioral4    CRIMSON/Bin/Xeno.dll                                   win10v2004-20241007-en
  behavioral5    CRIMSON/Bin/libcrypto-3-x64.dll                        win7-20240903-en
  behavioral6    CRIMSON/Bin/libcrypto-3-x64.dll                        win10v2004-20241007-en
  behavioral7    CRIMSON/Bin/libssl-3-x64.dll                           win7-20240708-en
  behavioral8    CRIMSON/Bin/libssl-3-x64.dll                           win10v2004-20241007-en
  behavioral9    CRIMSON/Bin/xxhash.dll                                 win7-20240903-en
  behavioral10   CRIMSON/Bin/xxhash.dll                                 win10v2004-20241007-en
  behavioral11   CRIMSON/Bin/zstd.dll                                   win7-20241010-en
  behavioral12   CRIMSON/Bin/zstd.dll                                   win10v2004-20241007-en
  behavioral13   CRIMSON/Crimson Best.exe                               win7-20240903-en
  behavioral14   CRIMSON/Crimson Best.exe                               win10v2004-20241007-en
  behavioral15   CRIMSON/FastColoredTextBox.dll                         win7-20241010-en
  behavioral16   CRIMSON/FastColoredTextBox.dll                         win10v2004-20241007-en
  behavioral17   CRIMSON/Guna.UI2.dll                                   win7-20240903-en
  behavioral18   CRIMSON/Guna.UI2.dll                                   win10v2004-20241007-en
  behavioral19   CRIMSON/Monaco/index.html                              win7-20240903-en
  behavioral20   CRIMSON/Monaco/index.html                              win10v2004-20241007-en
  behavioral21   CRIMSON/Monaco/vs/base/worker/workerMain.js            win7-20240903-en
  behavioral22   CRIMSON/Monaco/vs/base/worker/workerMain.js            win10v2004-20241007-en
  behavioral23   CRIMSON/Monaco/vs/basic-languages/bat/bat.js           win7-20240903-en
  behavioral24   CRIMSON/Monaco/vs/basic-languages/bat/bat.js           win10v2004-20241007-en
  behavioral25   CRIMSON/Monaco/vs/basic-languages/coffee/coffee.js     win7-20240903-en
  behavioral26   CRIMSON/Monaco/vs/basic-languages/coffee/coffee.js     win10v2004-20241007-en
  behavioral27   CRIMSON/Monaco/vs/basic-languages/cpp/cpp.js           win7-20240903-en
  behavioral28   CRIMSON/Monaco/vs/basic-languages/cpp/cpp.js           win10v2004-20241007-en
  behavioral29   CRIMSON/Monaco/vs/basic-languages/csharp/csharp.js     win7-20241010-en
  behavioral30   CRIMSON/Monaco/vs/basic-languages/csharp/csharp.js     win10v2004-20241007-en
  behavioral31   CRIMSON/Monaco/vs/basic-languages/csp/csp.js           win7-20240903-en
  behavioral32   CRIMSON/Monaco/vs/basic-languages/csp/csp.js           win10v2004-20241007-en

Apart from Xeno.dll and Crimson Best.exe, the archive members are files the sandbox was handed one by one: the Monaco editor bundle (index.html and the vs/ language workers), the Guna.UI2 and FastColoredTextBox .NET UI libraries, and the libcrypto-3-x64 / libssl-3-x64 (OpenSSL 3), xxhash and zstd DLLs. Each of those got its own task, which is why most entries score 1.
General

  Target:  CRIMSON.rar
  Size:    4.4MB
  MD5:     2b25769587217a2efbe211272f2865d3
  SHA1:    995f40036f7b4d9c6e67e955c0e6398ef0f77b44
  SHA256:  486b1ff53fb896c08eb98df156d8e36a1c88285ee109c7f27adc0c41ef0762ea
  SHA512:  a1fdcda646c6e7beb208d281830208a7b115de39fd665e5505921439c889a06ac97004fee60f6e4520de908832eeb6c13f02876fbbdbe1f6d7f80eca595964c0
  SSDEEP:  98304:RbhxBeuogXXlZFXlJuMeKMHB2KEc3CcFYhAvbioai3ldVy:beuow1ZFVJl2B2Yljvbioy

These hashes identify the .rar container, not the executable inside it; the per-member hashes belong to the per-member tasks listed above. Any change to the archive (re-compression, an added file) changes every one of these values, so pivot on the member hashes when hunting for the same build elsewhere.
Malware Config
Signatures

Executes dropped EXE (6 IoCs)

  PID    Process
  3292   Crimson Best.exe
  3700   Crimson Best.exe
  2956   Crimson Best.exe
  2912   Crimson Best.exe
  4304   Crimson Best.exe
  2392   Crimson Best.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)

  PID    Process
  4384   7zFM.exe   (12 hits)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)

  PID    Process
  4384   7zFM.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)

  Token                  PID    Process
  SeRestorePrivilege     4384   7zFM.exe
  35                     4384   7zFM.exe   (privilege reported by LUID only; 35 is SE_CREATE_SYMBOLIC_LINK_PRIVILEGE in winnt.h)
  SeSecurityPrivilege    4384   7zFM.exe   (7 hits)

Suspicious use of FindShellTrayWindow (9 IoCs)

  PID    Process
  4384   7zFM.exe   (9 hits)

Suspicious use of WriteProcessMemory (12 IoCs)

  Writer PID   Writer process   Target PID   procid_target
  4384         7zFM.exe         3292         97    (2 hits)
  4384         7zFM.exe         3700         102   (2 hits)
  4384         7zFM.exe         2956         105   (2 hits)
  4384         7zFM.exe         2912         108   (2 hits)
  4384         7zFM.exe         4304         111   (2 hits)
  4384         7zFM.exe         2392         114   (2 hits)

Reading these: every signature on PID 4384 describes 7-Zip File Manager, the program the sandbox used to open the archive, not the sample. Enabling SeRestorePrivilege, SeSecurityPrivilege and the symbolic-link privilege is what 7-Zip does when extracting entries with ACLs or links, and the window-enumeration hits come from its GUI. Each "wrote to memory of" target is a process that 4384 itself had just created: CreateProcess writes the new child's startup parameters into it, so a parent-to-child write during process creation is expected and is not evidence of injection. The six "Executes dropped EXE" hits are one file, Crimson Best.exe, started six times from six separate 7zO... scratch directories, which is consistent with the file being opened repeatedly from inside the 7-Zip window. No signature in this run is attributed to Crimson Best.exe itself; for its behaviour see the dedicated Crimson Best.exe tasks.
Processes

C:\Program Files\7-Zip\7zFM.exe   (PID 4384)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\CRIMSON.rar"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\7zO021E5778\Crimson Best.exe   (PID 3292, child of 4384)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO021E5778\Crimson Best.exe"
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\7zO021B9E78\Crimson Best.exe   (PID 3700, child of 4384)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO021B9E78\Crimson Best.exe"
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\7zO02154878\Crimson Best.exe   (PID 2956, child of 4384)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO02154878\Crimson Best.exe"
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\7zO02197608\Crimson Best.exe   (PID 2912, child of 4384)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO02197608\Crimson Best.exe"
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\7zO021A4408\Crimson Best.exe   (PID 4304, child of 4384)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO021A4408\Crimson Best.exe"
    - Executes dropped EXE

  C:\Users\Admin\AppData\Local\Temp\7zO0212E208\Crimson Best.exe   (PID 2392, child of 4384)
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO0212E208\Crimson Best.exe"
    - Executes dropped EXE

Each 7zO<hex> directory under %TEMP% is a scratch folder 7-Zip File Manager creates when an archive member is opened from its window, so the six launches are six separate extractions of the same file. None of the Crimson Best.exe instances has a child process recorded in this run.
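The two signatures that account for nearly everything in this run, the six "Executes dropped EXE" hits and the twelve WriteProcessMemory hits, are both explained by the parent/child structure of the tree above. The Python below is an added example, not code from the sandbox or from this report: it parses the tree in the flattened form the export prints it ("image"cmdline"depth⤵" followed by signature bullets and a PID line), flags processes that 7zFM.exe started out of a %TEMP%\7zO<hex> scratch directory, and splits the WriteProcessMemory events into writes into a child the writer had just created versus writes into any other process. The input strings are copied from this report (the WriteProcessMemory line is rebuilt from its twelve entries); the regular expressions, the scratch-directory pattern and the function names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input copied from this report: the export runs each process's image
# path, quoted command line and nesting depth together on one line, then the
# process's signature bullets, then a "PID:n" line.
PROCESS_TREE_TEXT = r'''
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\CRIMSON.rar"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4384
C:\Users\Admin\AppData\Local\Temp\7zO021E5778\Crimson Best.exe"C:\Users\Admin\AppData\Local\Temp\7zO021E5778\Crimson Best.exe"2⤵
- Executes dropped EXE
PID:3292
C:\Users\Admin\AppData\Local\Temp\7zO021B9E78\Crimson Best.exe"C:\Users\Admin\AppData\Local\Temp\7zO021B9E78\Crimson Best.exe"2⤵
- Executes dropped EXE
PID:3700
C:\Users\Admin\AppData\Local\Temp\7zO02154878\Crimson Best.exe"C:\Users\Admin\AppData\Local\Temp\7zO02154878\Crimson Best.exe"2⤵
- Executes dropped EXE
PID:2956
C:\Users\Admin\AppData\Local\Temp\7zO02197608\Crimson Best.exe"C:\Users\Admin\AppData\Local\Temp\7zO02197608\Crimson Best.exe"2⤵
- Executes dropped EXE
PID:2912
C:\Users\Admin\AppData\Local\Temp\7zO021A4408\Crimson Best.exe"C:\Users\Admin\AppData\Local\Temp\7zO021A4408\Crimson Best.exe"2⤵
- Executes dropped EXE
PID:4304
C:\Users\Admin\AppData\Local\Temp\7zO0212E208\Crimson Best.exe"C:\Users\Admin\AppData\Local\Temp\7zO0212E208\Crimson Best.exe"2⤵
- Executes dropped EXE
PID:2392
'''

# The WriteProcessMemory signature, rebuilt from the report's 12 entries
# (writer PID, target PID, writer PID, writer image, sandbox procid_target).
WPM_SIGNATURE_TEXT = " ".join(
    f"PID 4384 wrote to memory of {target} 4384 7zFM.exe {procid}"
    for target, procid in [(3292, 97), (3292, 97), (3700, 102), (3700, 102), (2956, 105), (2956, 105),
                           (2912, 108), (2912, 108), (4304, 111), (4304, 111), (2392, 114), (2392, 114)]
)


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    depth: int
    parent: Optional[int]
    signatures: List[str] = field(default_factory=list)


PROC_LINE = re.compile(r'^(?P<image>[^"]+)"(?P<cmd>.*)"(?P<depth>\d+)⤵$')
PID_LINE = re.compile(r"^PID:(\d+)$")
WPM_EVENT = re.compile(r"PID (\d+) wrote to memory of (\d+)")
# 7-Zip File Manager extracts an opened archive member into a fresh
# %TEMP%\7zO<hex> scratch directory before running it (pattern is this example's).
SEVEN_ZIP_SCRATCH = re.compile(r"\\AppData\\Local\\Temp\\7zO[0-9A-Fa-f]+\\")


def parse_process_tree(text: str) -> Dict[int, Proc]:
    """Rebuild parent/child links from the depth numbers in the flattened tree."""
    procs: Dict[int, Proc] = {}
    ancestors: List[Tuple[int, int]] = []  # (depth, pid) of the open branches
    current: Optional[Proc] = None
    for line in text.splitlines():
        line = line.strip()
        if m := PROC_LINE.match(line):
            depth = int(m["depth"])
            while ancestors and ancestors[-1][0] >= depth:  # close deeper/sibling branches
                ancestors.pop()
            parent = ancestors[-1][1] if ancestors else None
            current = Proc(-1, m["image"], m["cmd"], depth, parent)
        elif line.startswith("- ") and current is not None:
            current.signatures.append(line[2:])
        elif (m := PID_LINE.match(line)) and current is not None:
            current.pid = int(m[1])
            procs[current.pid] = current
            ancestors.append((current.depth, current.pid))
            current = None
    return procs


def run_from_archive_viewer(procs: Dict[int, Proc]) -> List[int]:
    """PIDs that 7zFM.exe launched straight out of one of its scratch directories."""
    hits = []
    for p in procs.values():
        parent = procs.get(p.parent) if p.parent is not None else None
        if parent and parent.image.lower().endswith("\\7zfm.exe") and SEVEN_ZIP_SCRATCH.search(p.image):
            hits.append(p.pid)
    return sorted(hits)


def classify_memory_writes(sig_text: str, procs: Dict[int, Proc]):
    """Separate writes into a child the writer itself created (what CreateProcess does
    to hand a new process its startup parameters) from writes into any other process,
    which are the only ones that point towards injection."""
    creation: List[Tuple[int, int]] = []
    foreign: List[Tuple[int, int]] = []
    for writer, target in WPM_EVENT.findall(sig_text):
        writer, target = int(writer), int(target)
        tgt = procs.get(target)
        (creation if tgt is not None and tgt.parent == writer else foreign).append((writer, target))
    return creation, foreign


def triage(tree_text: str = PROCESS_TREE_TEXT, wpm_text: str = WPM_SIGNATURE_TEXT) -> dict:
    procs = parse_process_tree(tree_text)
    creation, foreign = classify_memory_writes(wpm_text, procs)
    return {
        "processes": len(procs),
        "run_from_7zip_scratch": run_from_archive_viewer(procs),
        "creation_writes": len(creation),
        "foreign_writes": foreign,
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

On this report the summary comes out as seven processes, all six Crimson Best.exe instances launched by 7zFM.exe from a 7zO scratch directory, twelve memory writes all explained by process creation, and an empty list of foreign writes. A non-empty foreign list (a write into a PID the writer did not spawn, or into one that is not in the tree at all) is the case that deserves a closer look.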
Network

(no entries in this export; the run's network capture window was 48s)

MITRE ATT&CK Matrix

(no entries in this export)
Downloads

  Filesize:  133KB
  MD5:       f71cdf848c5ca76ad9e6e879a3cb20d2
  SHA1:      ecb7ccbdca1d33430af3bfa40237d93e74a0a6a4
  SHA256:    1bf439d985e2e046c34d469d83545d4b760ca21c1f25253e35c3d7000a0c7787
  SHA512:    47a66cd6c2a0eff0a3a79bf9cc1bb201032fd0913c35fab311c7c6e601a1e768656b47092294c552f9bc867cef1e28e8a945d1dca85494964f385f753daca811

(The export gives no file name for this entry.)