Overview

overview

10

Static

static

BHC-PR/BHC...an.exe

windows7_x64

10

BHC-PR/BHC...an.exe

windows10_x64

10

BHC-PR/Bri...on.exe

windows7_x64

10

BHC-PR/Bri...on.exe

windows10_x64

10

BHC-PR/Bri...20.exe

windows7_x64

10

BHC-PR/Bri...20.exe

windows10_x64

10

BHC-PR/Bri...ts.exe

windows7_x64

10

BHC-PR/Bri...ts.exe

windows10_x64

10

BHC-PR/Bri...ls.exe

windows7_x64

10

BHC-PR/Bri...ls.exe

windows10_x64

10

BHC-PR/Bri...20.exe

windows7_x64

10

BHC-PR/Bri...20.exe

windows10_x64

10

Analysis

  • max time kernel
    124s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    21/01/2022, 23:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BHC-PR/British High Commission Press Release - GREAT Debate Islamabad 2020.exe

  • Size

    267KB

  • MD5

    f6dab5861b5907b39004712c58bbfb04

  • SHA1

    d5e8b77806150ba31efd82e05db7e678a3f52874

  • SHA256

    567b82c892f10a5cc6d0286c5777e7462cec7182eba81db7dd7de53d1e8d3274

  • SHA512

    b2dfc9ee64521d25a19e2867cf3446e06bde9c65988ff3e2924d8a8eee76f4553ba0cdc9e953f848d3c6a8e96d0d57874cb0df6fc94dc2402425d4634109e16c

Score
10/10
crimsonratrat

Malware Config

Signatures

  • CrimsonRAT Main Payload 2 IoCs
  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

    ratcrimsonrat
  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BHC-PR\British High Commission Press Release - GREAT Debate Islamabad 2020.exe
    "C:\Users\Admin\AppData\Local\Temp\BHC-PR\British High Commission Press Release - GREAT Debate Islamabad 2020.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Documents\British High Commission Press Release - GREAT Debate Islamabad 2020-03-.docx"
      2⤵
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:368
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        3⤵
          PID:1304
      • C:\ProgramData\Hanthavra\rnthiavesa.exe
        "C:\ProgramData\Hanthavra\rnthiavesa.exe"
        2⤵
        • Executes dropped EXE
        PID:1928

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/368-57-0x00000000724B1000-0x00000000724B4000-memory.dmp

      Filesize

      12KB

      Download

    • memory/368-58-0x000000006FF31000-0x000000006FF33000-memory.dmp

      Filesize

      8KB

      Download

    • memory/368-59-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/368-60-0x0000000075B51000-0x0000000075B53000-memory.dmp

      Filesize

      8KB

      Download

    • memory/368-68-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1304-67-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1668-55-0x0000000002060000-0x0000000002062000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1668-56-0x0000000002066000-0x0000000002085000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1668-54-0x000007FEF2400000-0x000007FEF3496000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/1928-64-0x000007FEF2400000-0x000007FEF3496000-memory.dmp

      Filesize

      16.6MB

      Download

    • memory/1928-65-0x0000000002890000-0x0000000002892000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1928-66-0x0000000002896000-0x00000000028B5000-memory.dmp

      Filesize

      124KB

      Download