crimsonrat | fa3f7a4c1502f499a481b56f5e7c185876626e3d00110d84e09652f98b776aff

Analysis

max time kernel
129s
max time network
131s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-11-2024 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b931d48eafa703a99ca7f104daf9a7343b6f1161d49073b86f5a4700864d3f0.exe
Size

82KB
MD5

71168fd55a8d0cc983b653566d942efc
SHA1

732906708ad72b0f41bbe8937d2b2014758dd18a
SHA256

7b931d48eafa703a99ca7f104daf9a7343b6f1161d49073b86f5a4700864d3f0
SHA512

fe374f46eb82c7bed927b48b45896ae3a0d118171e2be248905e2e14306e0c85ae4b34521b1c0af90cb2bb6f7fe45800d289ce36b4921067aeea3e9c2a9a0842
SSDEEP

768:569iQap3x5Mt/+E6kmzVmh8uVHI5432rufLRoYFIk1eUwHXPmI+mL:o9m5Mt/+EtmzVs8ui+3IyRbykUHfFh

Score

10^/10

crimsonrat rat

Malware Config

Extracted

Family

crimsonrat

172.245.247.112

Signatures

CrimsonRAT main payload 1 IoCs

Processes:

resource	yara_rule
behavioral14/files/0x000500000001a4b0-29.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat

Executes dropped EXE 1 IoCs

Processes:

nwrtharmas.exe

pid	Process
2296	nwrtharmas.exe

Drops file in Program Files directory 2 IoCs

Processes:

7b931d48eafa703a99ca7f104daf9a7343b6f1161d49073b86f5a4700864d3f0.exe

description	ioc	Process
File opened for modification	C:\PROGRA~3\Phinvdir\nwrtharmas.exe	7b931d48eafa703a99ca7f104daf9a7343b6f1161d49073b86f5a4700864d3f0.exe
File created	C:\PROGRA~3\Phinvdir\nwrtharmas.exe	7b931d48eafa703a99ca7f104daf9a7343b6f1161d49073b86f5a4700864d3f0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

7b931d48eafa703a99ca7f104daf9a7343b6f1161d49073b86f5a4700864d3f0.exe

description	pid	Process	procid_target
PID 1644 wrote to memory of 2296	1644	7b931d48eafa703a99ca7f104daf9a7343b6f1161d49073b86f5a4700864d3f0.exe	30
PID 1644 wrote to memory of 2296	1644	7b931d48eafa703a99ca7f104daf9a7343b6f1161d49073b86f5a4700864d3f0.exe	30
PID 1644 wrote to memory of 2296	1644	7b931d48eafa703a99ca7f104daf9a7343b6f1161d49073b86f5a4700864d3f0.exe	30

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7b931d48eafa703a99ca7f104daf9a7343b6f1161d49073b86f5a4700864d3f0.exe
"C:\Users\Admin\AppData\Local\Temp\7b931d48eafa703a99ca7f104daf9a7343b6f1161d49073b86f5a4700864d3f0.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1644
- C:\ProgramData\Phinvdir\nwrtharmas.exe
  "C:\ProgramData\Phinvdir\nwrtharmas.exe"
  2⤵
  - Executes dropped EXE
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Phinvdir\nwrtharmas.exe

Filesize
9.6MB

MD5
1b6498447e05011c6909dba800800e2c

SHA1
c6fe30ead8e88ad15184738b659774d39e421294

SHA256
24a44d00f2eb4a33ab4eac3ee2a4e073c57a588af47055b45f26ed15fe64490e

SHA512
d0437f7bca04b1bd02c542d52feb8fb3d5fa974e4f339173aa623f05f633d480acedaab20c60f776d1a1be3bc0ddb64e132378f4368d59c54fd0db0ba35f56a9

Download Submit
C:\Users\Admin\AppData\Roaming\Phinvdir\aihdram.zip

Filesize
56KB

MD5
73e27034359edc3cdbcf2fabb4bb62f7

SHA1
9fa67130ec555fbf65de5fd5047f9573bef0e1bf

SHA256
fe2ef1da8fbcd0490601f30a0e0997ee1b42184a11f790b0f6bff6d17d8000d8

SHA512
2119125ce4ec289efc4bbf667402be9d91c717308b980ab270734747e2c51663fa62416f3e6b2dacf85d53e7fe3cf8061668d66f97470651ae92b917ad1d4119

Download Submit
memory/1644-0-0x000007FEF5B3E000-0x000007FEF5B3F000-memory.dmp

Filesize
4KB

Download
memory/1644-1-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/1644-2-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/1644-3-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/1644-30-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/2296-31-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/2296-33-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/2296-32-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download
memory/2296-34-0x000007FEF5880000-0x000007FEF621D000-memory.dmp

Filesize
9.6MB

Download