Malware Analysis Report

Date:      2025-01-18 16:18

Sample ID: 241130-vdaqfaypdt
Target:    CrimsonRAT.exe
SHA256:    dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
Tags:      crimsonrat, rat
Score:     10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score:        10/10
SHA256:       dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba
Threat Level: Known bad

The file CrimsonRAT.exe was found to be: Known bad.

Malicious Activity Summary

Tags: crimsonrat, rat

Signatures triggered:
  - CrimsonRAT main payload
  - CrimsonRat
  - Crimsonrat family
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Enumerates physical storage devices
  - Unsigned PE
  - Uses Task Scheduler COM API
  - Uses Volume Shadow Copy WMI provider
  - Uses Volume Shadow Copy service COM API
  - Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-30 16:51

Signatures

Unsigned PE
  (no indicator details recorded: Description, Indicator, Process and Target all N/A)

Analysis: behavioral1

Detonation Overview

Submitted:        2024-11-30 16:51
Reported:         2024-11-30 16:54
Platform:         win7-20240708-en
Max time kernel:  146s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe"

Signatures

CrimsonRAT main payload
  (no indicator details recorded: Description, Indicator, Process and Target all N/A)

CrimsonRat
  Tags: rat, crimsonrat

Crimsonrat family
  Tags: crimsonrat

Executes dropped EXE
  Process: C:\ProgramData\Hdlharas\dlrarhsiva.exe

Drops file in Program Files directory
  File created:                 C:\PROGRA~3\Hdlharas\dlrarhsiva.exe
    Process: C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe
  File opened for modification: C:\PROGRA~3\Hdlharas\dlrarhsiva.exe
    Process: C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe

Enumerates physical storage devices

Suspicious use of WriteProcessMemory
  Description: PID 2356 wrote to memory of 2744 (3 identical events recorded)
  Process:     C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe
  Target:      C:\ProgramData\Hdlharas\dlrarhsiva.exe

Uses Task Scheduler COM API
  Tags: persistence

Uses Volume Shadow Copy WMI provider
  Tags: ransomware

Uses Volume Shadow Copy service COM API
  Tags: ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe"

C:\ProgramData\Hdlharas\dlrarhsiva.exe
  Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"

Network

Country  Destination             Domain  Proto
FR       185.136.161.124:6128    -       tcp
FR       185.136.161.124:8761    -       tcp
FR       185.136.161.124:11614   -       tcp
FR       185.136.161.124:15822   -       tcp

Files

memory/2356-0-0x000007FEF5B63000-0x000007FEF5B64000-memory.dmp
memory/2356-1-0x0000000000A80000-0x0000000000A9E000-memory.dmp
memory/2356-2-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

C:\PROGRA~3\Hdlharas\mdkhm.zip
  MD5:    b635f6f767e485c7e17833411d567712
  SHA1:   5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8
  SHA256: 6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e
  SHA512: 551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

C:\ProgramData\Hdlharas\dlrarhsiva.exe
  MD5:    64261d5f3b07671f15b7f10f2f78da3f
  SHA1:   d4f978177394024bb4d0e5b6b972a5f72f830181
  SHA256: 87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad
  SHA512: 3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

memory/2744-27-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp
memory/2744-28-0x00000000009F0000-0x0000000001304000-memory.dmp
memory/2744-29-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp
memory/2356-30-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp
memory/2744-31-0x000007FEF5B60000-0x000007FEF654C000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted:        2024-11-30 16:51
Reported:         2024-11-30 16:54
Platform:         win10v2004-20241007-en
Max time kernel:  145s
Max time network: 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe"

Signatures

CrimsonRAT main payload
  (no indicator details recorded: Description, Indicator, Process and Target all N/A)

CrimsonRat
  Tags: rat, crimsonrat

Crimsonrat family
  Tags: crimsonrat

Checks computer location settings
  Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation
  Process:           C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe

Executes dropped EXE
  Process: C:\ProgramData\Hdlharas\dlrarhsiva.exe

Enumerates physical storage devices

Suspicious use of WriteProcessMemory
  Description: PID 4688 wrote to memory of 2392 (2 identical events recorded)
  Process:     C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe
  Target:      C:\ProgramData\Hdlharas\dlrarhsiva.exe

Processes

C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\CrimsonRAT.exe"

C:\ProgramData\Hdlharas\dlrarhsiva.exe
  Command line: "C:\ProgramData\Hdlharas\dlrarhsiva.exe"

Network

Country  Destination             Domain                            Proto
US       8.8.8.8:53              133.211.185.52.in-addr.arpa       udp
US       8.8.8.8:53              103.209.201.84.in-addr.arpa       udp
US       8.8.8.8:53              17.160.190.20.in-addr.arpa        udp
US       8.8.8.8:53              95.221.229.192.in-addr.arpa       udp
US       8.8.8.8:53              104.219.191.52.in-addr.arpa       udp
US       8.8.8.8:53              58.55.71.13.in-addr.arpa          udp
FR       185.136.161.124:6128    -                                 tcp
US       8.8.8.8:53              228.249.119.40.in-addr.arpa       udp
US       8.8.8.8:53              53.210.109.20.in-addr.arpa        udp
US       8.8.8.8:53              171.39.242.20.in-addr.arpa        udp
US       8.8.8.8:53              107.12.20.2.in-addr.arpa          udp
US       8.8.8.8:53              172.214.232.199.in-addr.arpa      udp
FR       185.136.161.124:8761    -                                 tcp
US       8.8.8.8:53              75.209.201.84.in-addr.arpa        udp
US       8.8.8.8:53              14.227.111.52.in-addr.arpa        udp
FR       185.136.161.124:11614   -                                 tcp
FR       185.136.161.124:15822   -                                 tcp

Files

memory/4688-0-0x00007FFD37FB3000-0x00007FFD37FB5000-memory.dmp
memory/4688-1-0x0000024A0BD70000-0x0000024A0BD8E000-memory.dmp
memory/4688-2-0x00007FFD37FB0000-0x00007FFD38A71000-memory.dmp

C:\ProgramData\Hdlharas\mdkhm.zip
  MD5:    b635f6f767e485c7e17833411d567712
  SHA1:   5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8
  SHA256: 6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e
  SHA512: 551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

C:\ProgramData\Hdlharas\dlrarhsiva.exe
  MD5:    64261d5f3b07671f15b7f10f2f78da3f
  SHA1:   d4f978177394024bb4d0e5b6b972a5f72f830181
  SHA256: 87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad
  SHA512: 3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

memory/2392-34-0x00007FFD37FB0000-0x00007FFD38A71000-memory.dmp
memory/2392-35-0x0000022315E60000-0x0000022316774000-memory.dmp
memory/2392-36-0x00007FFD37FB0000-0x00007FFD38A71000-memory.dmp
memory/4688-38-0x00007FFD37FB0000-0x00007FFD38A71000-memory.dmp
memory/2392-39-0x00007FFD37FB0000-0x00007FFD38A71000-memory.dmp