Analysis

- max time kernel: 166s
- max time network: 181s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 21-01-2022 23:00
Static task: static1

Behavioral tasks (each sample was run once on win7-en-20211208 and once on win10-en-20211208):

- behavioral1 (win7-en-20211208) / behavioral2 (win10-en-20211208): BHC-PR/BHC PR - British Airways Restarts Flights to Pakistan.exe
- behavioral3 (win7-en-20211208) / behavioral4 (win10-en-20211208): BHC-PR/British High Commission Peter Emmerson.exe
- behavioral5 (win7-en-20211208) / behavioral6 (win10-en-20211208): BHC-PR/British High Commission Press Release - GREAT Debate Islamabad 2020.exe
- behavioral7 (win7-en-20211208) / behavioral8 (win10-en-20211208): BHC-PR/British High Commission Rhinnon Mills receipts.exe
- behavioral9 (win7-en-20211208) / behavioral10 (win10-en-20211208): BHC-PR/British High Commission Rhinnon Mills.exe
- behavioral11 (win7-en-20211208) / behavioral12 (win10-en-20211208): BHC-PR/British High Commission Urdu Press Release - GREAT Debate Islamabad 2020.exe
General

- Target: BHC-PR/British High Commission Peter Emmerson.exe
- Size: 1006KB
- MD5: c19114fc0d83113a32c5b22b8863dcc1
- SHA1: 3d3e58b4009c10d3a842a45925132e7482cfcdac
- SHA256: c9cdd5a5b0701a4d311e0264f5bcec49fa500dde81ff8dbaa081be032b0c0446
- SHA512: c8973c8055ea42c2ca50dffa743bde646de55eda3bc1c4b669cff05ac0f9cef5edccb9c735e5a2e9d88d2f9fd0e2c0e7b4cf538405cea39463e6a4a0feffd997
Malware Config
Signatures

- CrimsonRAT Main Payload (2 IoCs)
  YARA rule family_crimsonrat matched the dropped file C:\ProgramData\Hanthavra\rnthiavesa.exe (two matches on the same resource).

- CrimsonRat
  Crimson RAT is a remote-access trojan attributed to a Pakistan-linked threat actor.

- Executes dropped EXE (1 IoC)
  PID 740: rnthiavesa.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The signature's generic description calls this likely ransomware behaviour; for a RAT it is equally consistent with inventorying drives in order to collect files, so on its own it is not evidence of encryption activity.

- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  AcroRd32.exe: key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  AcroRd32.exe: key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  The process here is Adobe Reader opening the decoy PDF, not the dropper or the CrimsonRAT payload; a legitimate Reader instance commonly produces this hit, so it says nothing about the malware's own evasion checks.

- Modifies Internet Explorer settings (1 IoC)
  AcroRd32.exe: key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
  Also attributable to Reader: FEATURE_BROWSER_EMULATION is the key applications write to select a rendering mode for an embedded IE browser control.

- Modifies registry class (1 IoC)
  British High Commission Peter Emmerson.exe: key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1360: AcroRd32.exe (two events)

- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 1360: AcroRd32.exe

- Suspicious use of SetWindowsHookEx (5 IoCs)
  PID 1360: AcroRd32.exe (five events)

- Suspicious use of WriteProcessMemory (64 IoCs)
  The report lists one event per write; collapsed by source and target (counts derived from the 64 listed events):

  Source PID  Source image                                 Target PID  Target image    Events
  1904        British High Commission Peter Emmerson.exe   1360        AcroRd32.exe    3
  1904        British High Commission Peter Emmerson.exe   740         rnthiavesa.exe  2
  1360        AcroRd32.exe                                 1676        RdrCEF.exe      3
  1360        AcroRd32.exe                                 900         RdrCEF.exe      3
  1360        AcroRd32.exe                                 3824        RdrCEF.exe      3
  1360        AcroRd32.exe                                 1984        RdrCEF.exe      3
  3824        RdrCEF.exe                                   3012        RdrCEF.exe      41
  3824        RdrCEF.exe                                   3436        RdrCEF.exe      6

  Every write goes from a parent into a child it created; no injection into an unrelated process is recorded. The entries that matter for triage are the dropper (PID 1904) writing into the two processes it spawned, AcroRd32.exe and rnthiavesa.exe. The RdrCEF.exe-to-RdrCEF.exe entries are Reader's Chromium Embedded Framework browser process starting its GPU and renderer children and appear in any Reader session.
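The flattened WriteProcessMemory listing above is tedious to read by hand but easy to parse. The Python below is an added example, not part of the report or of any sandbox product: it parses records in the exact shape the report uses ("PID <src> wrote to memory of <dst> <src> <src image> <dst image>"), collapses repeats into counted edges, and separates cross-image writes (dropper into Reader and into the payload) from same-image writes (RdrCEF.exe into its own children). SAMPLE_RECORDS is a constructed excerpt with a few records per edge, not the full 64-event listing.

```python
import re
from collections import Counter

# Constructed excerpt of the "Suspicious use of WriteProcessMemory" records as the
# report flattens them (a few records per edge; the real listing has 64). One
# record is deliberately wrapped across a line break, as in the extracted page.
SAMPLE_RECORDS = (
    "PID 1904 wrote to memory of 1360 1904 British High Commission Peter Emmerson.exe AcroRd32.exe "
    "PID 1904 wrote to memory of 1360 1904 British High Commission Peter Emmerson.exe AcroRd32.exe "
    "PID 1904 wrote to memory of 740 1904 British High Commission Peter Emmerson.exe rnthiavesa.exe "
    "PID 1360 wrote to memory of 1676 1360 AcroRd32.exe RdrCEF.exe "
    "PID 3824 wrote to memory of 3012 3824 RdrCEF.exe RdrCEF.exe PID 3824 wrote to\n"
    "memory of 3012 3824 RdrCEF.exe RdrCEF.exe "
    "PID 3824 wrote to memory of 3436 3824 RdrCEF.exe RdrCEF.exe"
)

# One record: "PID <src> wrote to memory of <dst> <src> <src image> <dst image>".
# Image names may contain spaces, so each image is matched lazily up to its
# ".exe" and a record is terminated by the next "PID " or the end of the text.
RECORD = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) "
    r"(?P<src_img>.+?\.exe) (?P<dst_img>.+?\.exe)(?= PID |$)"
)


def parse_records(text):
    """Return (src_pid, src_image, dst_pid, dst_image) tuples from the flattened text."""
    flat = " ".join(text.split())  # the extraction wraps records across lines
    return [(int(m["src"]), m["src_img"], int(m["dst"]), m["dst_img"])
            for m in RECORD.finditer(flat)]


def count_edges(records):
    """Collapse repeated records into one counted edge per (source, target) pair."""
    return Counter(records)


def cross_image_edges(records):
    """Keep only writes where the writer's image differs from the target's.

    Same-image writes (RdrCEF.exe -> RdrCEF.exe) are the Chromium Embedded
    Framework browser process starting its own child processes and show up in
    any Reader session; a cross-image write from a dropper into the processes
    it spawned is what a triager actually wants to look at.
    """
    return {edge: n for edge, n in count_edges(records).items() if edge[1] != edge[3]}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for (src, src_img, dst, dst_img), n in cross_image_edges(recs).items():
        print(f"{src} {src_img} -> {dst} {dst_img}: {n} write(s)")
```

Run against the full listing, the same code reproduces the collapsed table above; the `edge[1] != edge[3]` filter is a coarse first cut and should be followed by checking that each target PID is a child of the writer in the process tree, which is what rules out injection here.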
Processes

C:\Users\Admin\AppData\Local\Temp\BHC-PR\British High Commission Peter Emmerson.exe  (PID 1904)
  "C:\Users\Admin\AppData\Local\Temp\BHC-PR\British High Commission Peter Emmerson.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe  (PID 1360)
  |     "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Documents\British High Commission Peter Emmerson-03-.pdf"
  |     - Checks processor information in registry
  |     - Modifies Internet Explorer settings
  |     - Suspicious behavior: EnumeratesProcesses
  |     - Suspicious use of FindShellTrayWindow
  |     - Suspicious use of SetWindowsHookEx
  |     - Suspicious use of WriteProcessMemory
  |     |
  |     +-- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 1676)
  |     |     "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  |     |
  |     +-- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 900)
  |     |     "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  |     |
  |     +-- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 3824)
  |     |     "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  |     |     - Suspicious use of WriteProcessMemory
  |     |     |
  |     |     +-- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 3012)
  |     |     |     "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C5D6B3C42109B9EFC4C0FA66E09E07E5 --mojo-platform-channel-handle=1644 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
  |     |     |
  |     |     +-- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 3436)
  |     |           "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0F9C274A420A0FEEA265B08AB830B2FC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0F9C274A420A0FEEA265B08AB830B2FC --renderer-client-id=2 --mojo-platform-channel-handle=1672 --allow-no-sandbox-job /prefetch:1
  |     |
  |     +-- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe  (PID 1984)
  |           "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  |
  +-- C:\ProgramData\Hanthavra\rnthiavesa.exe  (PID 740)
        "C:\ProgramData\Hanthavra\rnthiavesa.exe"
        - Executes dropped EXE

The tree is the standard decoy-plus-payload shape: the sample, an executable with a document-like name running from the user's temp directory, opens a PDF from the Documents folder in Adobe Reader so the victim sees the document they expected, and in parallel starts the CrimsonRAT payload from C:\ProgramData\Hanthavra\. Everything under AcroRd32.exe is Reader's own process model and carries no indicator of its own.
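A detection for that shape can be written directly over process-creation telemetry. The Python below is an added example, not code from the report or from any detection product: it groups Sysmon-style process-creation events by parent and flags a parent running from a user-writable directory that both opens a document in a viewer and starts another executable from a user-writable directory. The events are constructed from the process tree above; the explorer.exe parent and the PIDs 1234 and 2200 are assumptions, since the report does not show what launched PID 1904.

```python
import re
from collections import defaultdict

# Directories an unprivileged user can write to; an executable launched from
# one of these is the usual shape of a phishing payload or a dropped second stage.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\downloads\\")
DOCUMENT_VIEWERS = {"acrord32.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
# A document path somewhere in the command line (quoted paths may contain spaces).
DOCUMENT_EXT = re.compile(r'\.(pdf|docx?|rtf|xlsx?|pptx?)(?:"|\s|$)', re.IGNORECASE)

# Constructed process-creation events in the shape of Sysmon Event ID 1, modelled
# on the report's process tree. The explorer.exe parent and PIDs 1234/2200 are
# assumptions: the sandbox report does not show what launched PID 1904.
READER = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe"
DROPPER = "C:\\Users\\Admin\\AppData\\Local\\Temp\\BHC-PR\\British High Commission Peter Emmerson.exe"
EVENTS = [
    {"ProcessId": 1904, "ParentProcessId": 1234, "Image": DROPPER,
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": f'"{DROPPER}"'},
    {"ProcessId": 1360, "ParentProcessId": 1904, "Image": READER, "ParentImage": DROPPER,
     "CommandLine": f'"{READER}" "C:\\Users\\Admin\\Documents\\British High Commission Peter Emmerson-03-.pdf"'},
    {"ProcessId": 740, "ParentProcessId": 1904,
     "Image": "C:\\ProgramData\\Hanthavra\\rnthiavesa.exe", "ParentImage": DROPPER,
     "CommandLine": '"C:\\ProgramData\\Hanthavra\\rnthiavesa.exe"'},
    {"ProcessId": 3824, "ParentProcessId": 1360,
     "Image": "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe",
     "ParentImage": READER, "CommandLine": '"...\\AcroCEF\\RdrCEF.exe" --backgroundcolor=16514043'},
    # Benign control: the same viewer opening a PDF, but launched from Explorer.
    {"ProcessId": 2200, "ParentProcessId": 1234, "Image": READER,
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": f'"{READER}" "C:\\Users\\Admin\\Documents\\report.pdf"'},
]


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_decoy_and_payload(events):
    """Group children by parent and flag a parent that runs from a user-writable
    directory and, in the same tree, both opens a document in a viewer (the decoy
    the victim expects to see) and starts another executable from a user-writable
    directory (the dropped payload). Returns one finding per such parent."""
    by_parent = defaultdict(list)
    for ev in events:
        by_parent[(ev["ParentProcessId"], ev["ParentImage"])].append(ev)

    findings = []
    for (ppid, pimg), children in by_parent.items():
        if not in_user_writable(pimg):
            continue
        decoys = [c for c in children
                  if basename(c["Image"]) in DOCUMENT_VIEWERS
                  and DOCUMENT_EXT.search(c["CommandLine"])]
        payloads = [c for c in children
                    if in_user_writable(c["Image"])
                    and basename(c["Image"]) not in DOCUMENT_VIEWERS]
        if decoys and payloads:
            findings.append({
                "parent_pid": ppid,
                "parent_image": pimg,
                "decoy_pids": [c["ProcessId"] for c in decoys],
                "payload_images": [c["Image"] for c in payloads],
                # ATT&CK mapping for the pattern as a whole.
                "attack": ["T1204.002 User Execution: Malicious File",
                           "T1036 Masquerading"],
            })
    return findings


if __name__ == "__main__":
    for f in find_decoy_and_payload(EVENTS):
        print(f"decoy+payload from PID {f['parent_pid']} ({basename(f['parent_image'])}): "
              f"viewer PIDs {f['decoy_pids']}, dropped {f['payload_images']}")
```

The benign control event shows why the parent's location is part of the rule: Reader opening a PDF from Explorer is the normal case, and only the combination of a user-writable parent, a document decoy and a user-writable sibling executable is flagged. In production the USER_WRITABLE list would be tuned to the environment and the viewer set extended to whatever document handlers are deployed.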
Network
MITRE ATT&CK Enterprise v6
Downloads

- MD5: 93e588df26c62a47d3564e58ec988368
  SHA1: fcd11555531f636245d4c03f151dceb62ba72f6e
  SHA256: 6cecd33e717c607ce578942e35c020d7571a7db67ce9270f9dcff30018a666cc
  SHA512: 0f1f527eed767036dd6323fb5bfbf3e83fc7c2ef842c6d297742d536f8b1ae5b0b54a8ef83fe26f42916656feb0752badb6a39e63067a7dc6fe3e0797738a8ef
  (this hash set is listed twice in the report)

- MD5: 43a5a91e7e9f68bab5d7178f197e355d
  SHA1: 79a3c57cf80de41c8af841b70af3e7b8fcc8f0f6
  SHA256: c108ab6d3dc6d82f0295a879e8761c9e9177c53a00601e08b155da47e3674349
  SHA512: f922d339e91e4f66fdea5ab3205d5005536a4c37dbfadd27d98357da68e56ad84f9a14c1234efec8700bcf26fe78e6533e8edd8affb2c74da29ed6430ff732f4