crimsonrat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/CrimsonRAT[.]exe

Resubmissions

08-12-2024 17:07

241208-vm6t8svkgl 10

Analysis

max time kernel
132s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/CrimsonRAT.exe

Score

10^/10

crimsonrat discovery rat

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cba-206.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe

Executes dropped EXE 10 IoCs

pid	Process
3516	CrimsonRAT.exe
2824	dlrarhsiva.exe
5248	CrimsonRAT.exe
5312	dlrarhsiva.exe
5732	CrimsonRAT.exe
5796	dlrarhsiva.exe
5908	CrimsonRAT.exe
5972	dlrarhsiva.exe
5068	CrimsonRAT.exe
4860	dlrarhsiva.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
43	raw.githubusercontent.com
42	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 568963.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2436	msedge.exe
2436	msedge.exe
412	msedge.exe
412	msedge.exe
2632	identity_helper.exe
2632	identity_helper.exe
540	msedge.exe
540	msedge.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4852	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4852	taskmgr.exe
Token: SeSystemProfilePrivilege	4852	taskmgr.exe
Token: SeCreateGlobalPrivilege	4852	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe
4852	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 1560	412	msedge.exe	83
PID 412 wrote to memory of 1560	412	msedge.exe	83
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 3200	412	msedge.exe	84
PID 412 wrote to memory of 2436	412	msedge.exe	85
PID 412 wrote to memory of 2436	412	msedge.exe	85
PID 412 wrote to memory of 4464	412	msedge.exe	86
PID 412 wrote to memory of 4464	412	msedge.exe	86
PID 412 wrote to memory of 4464	412	msedge.exe	86
PID 412 wrote to memory of 4464	412	msedge.exe	86
PID 412 wrote to memory of 4464	412	msedge.exe	86
PID 412 wrote to memory of 4464	412	msedge.exe	86
PID 412 wrote to memory of 4464	412	msedge.exe	86
PID 412 wrote to memory of 4464	412	msedge.exe	86
PID 412 wrote to memory of 4464	412	msedge.exe	86
PID 412 wrote to memory of 4464	412	msedge.exe	86
PID 412 wrote to memory of 4464	412	msedge.exe	86
PID 412 wrote to memory of 4464	412	msedge.exe	86
PID 412 wrote to memory of 4464	412	msedge.exe	86
PID 412 wrote to memory of 4464	412	msedge.exe	86
PID 412 wrote to memory of 4464	412	msedge.exe	86
PID 412 wrote to memory of 4464	412	msedge.exe	86
PID 412 wrote to memory of 4464	412	msedge.exe	86
PID 412 wrote to memory of 4464	412	msedge.exe	86
PID 412 wrote to memory of 4464	412	msedge.exe	86
PID 412 wrote to memory of 4464	412	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/RAT/CrimsonRAT.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc825846f8,0x7ffc82584708,0x7ffc82584718
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,1509662247784200646,8063287524692580677,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,1509662247784200646,8063287524692580677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2484 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,1509662247784200646,8063287524692580677,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1509662247784200646,8063287524692580677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1509662247784200646,8063287524692580677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,1509662247784200646,8063287524692580677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,1509662247784200646,8063287524692580677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,1509662247784200646,8063287524692580677,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1509662247784200646,8063287524692580677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,1509662247784200646,8063287524692580677,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6132 /prefetch:8
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,1509662247784200646,8063287524692580677,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5888 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:540
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3516
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1509662247784200646,8063287524692580677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1509662247784200646,8063287524692580677,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1509662247784200646,8063287524692580677,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1509662247784200646,8063287524692580677,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:1048
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5248
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:5312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,1509662247784200646,8063287524692580677,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5472 /prefetch:2
  2⤵
  PID:1180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2468

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5652

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5732
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:5796

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5908
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:5972

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5068
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:4860

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\CrimsonRAT.exe.log

Filesize
1KB

MD5
2d2a235f1b0f4b608c5910673735494b

SHA1
23a63f6529bfdf917886ab8347092238db0423a0

SHA256
c897436c82fda9abf08b29fe05c42f4e59900116bbaf8bfd5b85ef3c97ab7884

SHA512
10684245497f1a115142d49b85000075eb36f360b59a0501e2f352c9f1d767c447c6c44c53a3fb3699402a15a8017bdbd2edd72d8599fdd4772e9e7cb67f3086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ab329e4181c89013a057247d1dd8e50a

SHA1
e7a3041b988e71a5a5e25ebd8721ede049379c11

SHA256
3a59a3b9022eb0bc171870d2686f1a78faf6665362adcadac9a3d2a1521116dd

SHA512
11b9ecb6015573135425594084f66f38f9c0c71ba8b420314120decdc65d9438634a42a359dfcca3f9334b9d1afdd72b64525b1bcfcd6d7a0c0cf1aed09b10fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
0a8a7c3dafeb4ad3d8cb846fc95b8f1c

SHA1
69e2b994e6882e1e783410dae53181984050fa13

SHA256
a88495f2c1c26c6c1d5690a29289467c8bb8a94bf6f4801d2c14da1456773f90

SHA512
2e59b4cd4cf6f86537aae4ae88e56e21abcff5070c5c1d1d2105a8e863523c80740438cc36b2b57672bc7bb7fb9387896135afcce534edfd4697fecf61031a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2aecdab6aab191143840ea6427ef08e5

SHA1
76b0afd255d4360e0e52eeb2716f58d91c19f60d

SHA256
a79866c0a7f004e6b0d91db006dc00e6d11a652e81d195fe2ae188c15597142d

SHA512
c7ece31ebd6443c5c51aa9a0ea6d430bd6cf7f6c097f5c15435dd4069122f4e04ae807998fb8aec957fb3900773563d14a5688289726394c289e1d30f4983830

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fb62c0da105f5199b67d3d3af9c0cd15

SHA1
0419ac27ec6bb19473092c6ab2745dcaf8bc338b

SHA256
a7c9f7c32ff67ad955703a88e9e1fa3f2e1537487449cbe47f5f3cc17b218cd4

SHA512
4de7e6adfbd9c90d8a6d1007ca730d226b7e34e8c734807e3ed3e2fb90fcdc2620003f83b8ad2b20388b6bf0a56c5eab1010a4fad07b98ad876475c7e2a528a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c9dcdf42e864a21bc51786186c7d46e0

SHA1
5e0c0610931865187827be1688b816a97370216b

SHA256
5f4790a6291d684d6d569c144f48afe354ad8ebd529b25a74ee126194d44ca56

SHA512
cdedd4f1ba7ccaa934176e93741b23fefb0e7a49cb09b1315507a7212dd1f7f619f68ab7a685357ef26b78dedb52ec67ca3f878c671fc81d7ced9070ab0f6bd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c9d8.TMP

Filesize
1KB

MD5
eec2d254fd33fa28837ac95036ad571f

SHA1
2500e3594f25b55ce766b3a79dc31bed20b4a23c

SHA256
5ebd6cb005cbd7a90e56c7ffcc42f7e912f7b9eaf41fe82a0245a9c8fa0fe8b1

SHA512
7e5bcbb8f97588d0eaa489b0293916c22caa0f6f77e7aa508c3eec4fef62d85689a8fc02b7ff945e00081c75528ea3271cf8ea36296e8925b2d18d64a029e69a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
260836e66c5a2b9a8bf880bdd6327282

SHA1
2d0eef6200ff3712599c389a2f63c1403b650bc9

SHA256
b6edf04087dfbe39192d46bc369884b1ded83f8a6f9f5656fbf47e870ea7b4b1

SHA512
a5e980bde4b85849a847e48dfd55a52c56d42ea4963225be88e77b47f50ad65fedd449fa38577011e25b427b0089dddedda353232914744c59de3c860cbbef4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ee70a367c96c4040e629ed180450bd9f

SHA1
c5c02e84630756dde44a0720e0cd86c0d18973a3

SHA256
d19c8f1c2826f0debb32bcdcdd426a15eb6531984f69357e864f34e58e290f79

SHA512
8e5d7b887daaca856e6134e3ee3be79e0740c229467a6b3296237400fd3e1f15c1b5719976ee8dca2d2245ef6b5803a59875399a678387efdc30d4bd210f33e8

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 568963.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
memory/2824-225-0x00000205BB360000-0x00000205BBC74000-memory.dmp

Filesize
9.1MB

Download
memory/3516-183-0x00000152A4F20000-0x00000152A4F3E000-memory.dmp

Filesize
120KB

Download
memory/4852-301-0x000001D4B3D00000-0x000001D4B3D01000-memory.dmp

Filesize
4KB

Download
memory/4852-300-0x000001D4B3D00000-0x000001D4B3D01000-memory.dmp

Filesize
4KB

Download
memory/4852-311-0x000001D4B3D00000-0x000001D4B3D01000-memory.dmp

Filesize
4KB

Download
memory/4852-310-0x000001D4B3D00000-0x000001D4B3D01000-memory.dmp

Filesize
4KB

Download
memory/4852-309-0x000001D4B3D00000-0x000001D4B3D01000-memory.dmp

Filesize
4KB

Download
memory/4852-308-0x000001D4B3D00000-0x000001D4B3D01000-memory.dmp

Filesize
4KB

Download
memory/4852-307-0x000001D4B3D00000-0x000001D4B3D01000-memory.dmp

Filesize
4KB

Download
memory/4852-306-0x000001D4B3D00000-0x000001D4B3D01000-memory.dmp

Filesize
4KB

Download
memory/4852-305-0x000001D4B3D00000-0x000001D4B3D01000-memory.dmp

Filesize
4KB

Download
memory/4852-299-0x000001D4B3D00000-0x000001D4B3D01000-memory.dmp

Filesize
4KB

Download