Analysis

  • max time kernel
    152s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    21-01-2022 23:00

General

  • Target

    BHC-PR/British High Commission Peter Emmerson.exe

  • Size

    1006KB

  • MD5

    c19114fc0d83113a32c5b22b8863dcc1

  • SHA1

    3d3e58b4009c10d3a842a45925132e7482cfcdac

  • SHA256

    c9cdd5a5b0701a4d311e0264f5bcec49fa500dde81ff8dbaa081be032b0c0446

  • SHA512

    c8973c8055ea42c2ca50dffa743bde646de55eda3bc1c4b669cff05ac0f9cef5edccb9c735e5a2e9d88d2f9fd0e2c0e7b4cf538405cea39463e6a4a0feffd997

Score
10/10

Malware Config

Signatures

  • CrimsonRAT Main Payload 2 IoCs
  • CrimsonRat

    Crimson RAT is malware attributed to a Pakistan-linked threat actor.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BHC-PR\British High Commission Peter Emmerson.exe
    "C:\Users\Admin\AppData\Local\Temp\BHC-PR\British High Commission Peter Emmerson.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Documents\British High Commission Peter Emmerson-03-.pdf"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:476
    • C:\ProgramData\Hanthavra\rnthiavesa.exe
      "C:\ProgramData\Hanthavra\rnthiavesa.exe"
      2⤵
      • Executes dropped EXE
      PID:1772

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\Hanthavra\rnthiavesa.exe

    MD5

    d5783c974f54f8eb9ba0eb4396b04187

    SHA1

    f246f1db61947165aa25a7d7f04e1b231a867b99

    SHA256

    e38ff03d54d40f4e10292d7cbd614f26f3af13d01ded95dc7c363b317a5d6dd4

    SHA512

    9baf895b24696d6b760925a34d1eb5ae6b6599601d3ed77d8cbae425bb57a1692c233ef6f67acf83332532ea39a6752e39375b7a0bfb4ab19e8a06e06fc86ce9

  • C:\Users\Admin\Documents\British High Commission Peter Emmerson-03-.pdf

    MD5

    43a5a91e7e9f68bab5d7178f197e355d

    SHA1

    79a3c57cf80de41c8af841b70af3e7b8fcc8f0f6

    SHA256

    c108ab6d3dc6d82f0295a879e8761c9e9177c53a00601e08b155da47e3674349

    SHA512

    f922d339e91e4f66fdea5ab3205d5005536a4c37dbfadd27d98357da68e56ad84f9a14c1234efec8700bcf26fe78e6533e8edd8affb2c74da29ed6430ff732f4

  • memory/476-57-0x0000000075431000-0x0000000075433000-memory.dmp

    Filesize

    8KB

  • memory/1668-54-0x000007FEF2440000-0x000007FEF34D6000-memory.dmp

    Filesize

    16.6MB

  • memory/1668-55-0x0000000000A10000-0x0000000000A12000-memory.dmp

    Filesize

    8KB

  • memory/1668-56-0x0000000000A16000-0x0000000000A35000-memory.dmp

    Filesize

    124KB

  • memory/1772-61-0x000007FEF2440000-0x000007FEF34D6000-memory.dmp

    Filesize

    16.6MB

  • memory/1772-62-0x0000000000910000-0x0000000000912000-memory.dmp

    Filesize

    8KB

  • memory/1772-63-0x0000000000916000-0x0000000000935000-memory.dmp

    Filesize

    124KB