Overview
overview
10Static
static
BHC-PR/BHC...an.exe
windows7_x64
10BHC-PR/BHC...an.exe
windows10_x64
10BHC-PR/Bri...on.exe
windows7_x64
10BHC-PR/Bri...on.exe
windows10_x64
10BHC-PR/Bri...20.exe
windows7_x64
10BHC-PR/Bri...20.exe
windows10_x64
10BHC-PR/Bri...ts.exe
windows7_x64
10BHC-PR/Bri...ts.exe
windows10_x64
10BHC-PR/Bri...ls.exe
windows7_x64
10BHC-PR/Bri...ls.exe
windows10_x64
10BHC-PR/Bri...20.exe
windows7_x64
10BHC-PR/Bri...20.exe
windows10_x64
10Analysis
-
max time kernel
152s -
max time network
122s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
21-01-2022 23:00
Static task
static1
Behavioral task
behavioral1
Sample
BHC-PR/BHC PR - British Airways Restarts Flights to Pakistan.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
BHC-PR/BHC PR - British Airways Restarts Flights to Pakistan.exe
Resource
win10-en-20211208
Behavioral task
behavioral3
Sample
BHC-PR/British High Commission Peter Emmerson.exe
Resource
win7-en-20211208
Behavioral task
behavioral4
Sample
BHC-PR/British High Commission Peter Emmerson.exe
Resource
win10-en-20211208
Behavioral task
behavioral5
Sample
BHC-PR/British High Commission Press Release - GREAT Debate Islamabad 2020.exe
Resource
win7-en-20211208
Behavioral task
behavioral6
Sample
BHC-PR/British High Commission Press Release - GREAT Debate Islamabad 2020.exe
Resource
win10-en-20211208
Behavioral task
behavioral7
Sample
BHC-PR/British High Commission Rhinnon Mills receipts.exe
Resource
win7-en-20211208
Behavioral task
behavioral8
Sample
BHC-PR/British High Commission Rhinnon Mills receipts.exe
Resource
win10-en-20211208
Behavioral task
behavioral9
Sample
BHC-PR/British High Commission Rhinnon Mills.exe
Resource
win7-en-20211208
Behavioral task
behavioral10
Sample
BHC-PR/British High Commission Rhinnon Mills.exe
Resource
win10-en-20211208
Behavioral task
behavioral11
Sample
BHC-PR/British High Commission Urdu Press Release - GREAT Debate Islamabad 2020.exe
Resource
win7-en-20211208
Behavioral task
behavioral12
Sample
BHC-PR/British High Commission Urdu Press Release - GREAT Debate Islamabad 2020.exe
Resource
win10-en-20211208
General
-
Target
BHC-PR/British High Commission Peter Emmerson.exe
-
Size
1006KB
-
MD5
c19114fc0d83113a32c5b22b8863dcc1
-
SHA1
3d3e58b4009c10d3a842a45925132e7482cfcdac
-
SHA256
c9cdd5a5b0701a4d311e0264f5bcec49fa500dde81ff8dbaa081be032b0c0446
-
SHA512
c8973c8055ea42c2ca50dffa743bde646de55eda3bc1c4b669cff05ac0f9cef5edccb9c735e5a2e9d88d2f9fd0e2c0e7b4cf538405cea39463e6a4a0feffd997
Malware Config
Signatures
-
CrimsonRAT Main Payload 2 IoCs
Processes:
resource yara_rule C:\ProgramData\Hanthavra\rnthiavesa.exe family_crimsonrat C:\ProgramData\Hanthavra\rnthiavesa.exe family_crimsonrat -
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
Executes dropped EXE 1 IoCs
Processes:
rnthiavesa.exepid process 1772 rnthiavesa.exe -
Drops file in Program Files directory 2 IoCs
Processes:
British High Commission Peter Emmerson.exedescription ioc process File created C:\PROGRA~3\HANTHA~1\rnthiavesa.exe British High Commission Peter Emmerson.exe File opened for modification C:\PROGRA~3\HANTHA~1\rnthiavesa.exe British High Commission Peter Emmerson.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 476 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
AcroRd32.exepid process 476 AcroRd32.exe 476 AcroRd32.exe 476 AcroRd32.exe 476 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
British High Commission Peter Emmerson.exedescription pid process target process PID 1668 wrote to memory of 476 1668 British High Commission Peter Emmerson.exe AcroRd32.exe PID 1668 wrote to memory of 476 1668 British High Commission Peter Emmerson.exe AcroRd32.exe PID 1668 wrote to memory of 476 1668 British High Commission Peter Emmerson.exe AcroRd32.exe PID 1668 wrote to memory of 476 1668 British High Commission Peter Emmerson.exe AcroRd32.exe PID 1668 wrote to memory of 1772 1668 British High Commission Peter Emmerson.exe rnthiavesa.exe PID 1668 wrote to memory of 1772 1668 British High Commission Peter Emmerson.exe rnthiavesa.exe PID 1668 wrote to memory of 1772 1668 British High Commission Peter Emmerson.exe rnthiavesa.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\BHC-PR\British High Commission Peter Emmerson.exe"C:\Users\Admin\AppData\Local\Temp\BHC-PR\British High Commission Peter Emmerson.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Documents\British High Commission Peter Emmerson-03-.pdf"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:476 -
C:\ProgramData\Hanthavra\rnthiavesa.exe"C:\ProgramData\Hanthavra\rnthiavesa.exe"2⤵
- Executes dropped EXE
PID:1772
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
d5783c974f54f8eb9ba0eb4396b04187
SHA1f246f1db61947165aa25a7d7f04e1b231a867b99
SHA256e38ff03d54d40f4e10292d7cbd614f26f3af13d01ded95dc7c363b317a5d6dd4
SHA5129baf895b24696d6b760925a34d1eb5ae6b6599601d3ed77d8cbae425bb57a1692c233ef6f67acf83332532ea39a6752e39375b7a0bfb4ab19e8a06e06fc86ce9
-
MD5
d5783c974f54f8eb9ba0eb4396b04187
SHA1f246f1db61947165aa25a7d7f04e1b231a867b99
SHA256e38ff03d54d40f4e10292d7cbd614f26f3af13d01ded95dc7c363b317a5d6dd4
SHA5129baf895b24696d6b760925a34d1eb5ae6b6599601d3ed77d8cbae425bb57a1692c233ef6f67acf83332532ea39a6752e39375b7a0bfb4ab19e8a06e06fc86ce9
-
MD5
43a5a91e7e9f68bab5d7178f197e355d
SHA179a3c57cf80de41c8af841b70af3e7b8fcc8f0f6
SHA256c108ab6d3dc6d82f0295a879e8761c9e9177c53a00601e08b155da47e3674349
SHA512f922d339e91e4f66fdea5ab3205d5005536a4c37dbfadd27d98357da68e56ad84f9a14c1234efec8700bcf26fe78e6533e8edd8affb2c74da29ed6430ff732f4