Analysis

  • max time kernel
    132s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    21-01-2022 23:00

General

  • Target

    BHC-PR/British High Commission Press Release - GREAT Debate Islamabad 2020.exe

  • Size

    267KB

  • MD5

    f6dab5861b5907b39004712c58bbfb04

  • SHA1

    d5e8b77806150ba31efd82e05db7e678a3f52874

  • SHA256

    567b82c892f10a5cc6d0286c5777e7462cec7182eba81db7dd7de53d1e8d3274

  • SHA512

    b2dfc9ee64521d25a19e2867cf3446e06bde9c65988ff3e2924d8a8eee76f4553ba0cdc9e953f848d3c6a8e96d0d57874cb0df6fc94dc2402425d4634109e16c

Score
10/10

Malware Config

Signatures

  • CrimsonRAT Main Payload (2 IoCs)
  • CrimsonRat

    Crimson RAT is malware attributed to a Pakistan-linked threat actor.

  • Executes dropped EXE (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies registry class (1 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (2 IoCs)
  • Suspicious use of SetWindowsHookEx (9 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\BHC-PR\British High Commission Press Release - GREAT Debate Islamabad 2020.exe
    "C:\Users\Admin\AppData\Local\Temp\BHC-PR\British High Commission Press Release - GREAT Debate Islamabad 2020.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2620
    • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\British High Commission Press Release - GREAT Debate Islamabad 2020-03-.docx" /o ""
      2⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1460
    • C:\ProgramData\Hanthavra\rnthiavesa.exe
      "C:\ProgramData\Hanthavra\rnthiavesa.exe"
      2⤵
      • Executes dropped EXE
      PID:1316

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\Hanthavra\rnthiavesa.exe

    MD5

    93e588df26c62a47d3564e58ec988368

    SHA1

    fcd11555531f636245d4c03f151dceb62ba72f6e

    SHA256

    6cecd33e717c607ce578942e35c020d7571a7db67ce9270f9dcff30018a666cc

    SHA512

    0f1f527eed767036dd6323fb5bfbf3e83fc7c2ef842c6d297742d536f8b1ae5b0b54a8ef83fe26f42916656feb0752badb6a39e63067a7dc6fe3e0797738a8ef

  • C:\Users\Admin\Documents\British High Commission Press Release - GREAT Debate Islamabad 2020-03-.docx

    MD5

    807aabe62a6ad47fe7eb5a25cdba1389

    SHA1

    a15f84ddf02e78767a0b04309ce218d25ac6bf54

    SHA256

    28952c0d58009a01c8f0b68b88f9a0945cfc8d7b2a5bd7a428dad0eab9fb97c8

    SHA512

    4c674d0eddf5ceda71fddfa529723bc6aed0b4113e36d5864ca0e21bd45ce9e8f2de0ada9421a64efbbf452d44012a326cb374c1734928eb1a3d100d919488b3

  • memory/1316-126-0x00000271EED50000-0x00000271EF6FA000-memory.dmp (Filesize: 9.7MB)
  • memory/1316-127-0x00000271F13A0000-0x00000271F13A2000-memory.dmp (Filesize: 8KB)
  • memory/1460-128-0x00007FFB00DC0000-0x00007FFB00DD0000-memory.dmp (Filesize: 64KB)
  • memory/1460-119-0x00007FFB04400000-0x00007FFB04410000-memory.dmp (Filesize: 64KB)
  • memory/1460-118-0x00007FFB04400000-0x00007FFB04410000-memory.dmp (Filesize: 64KB)
  • memory/1460-121-0x00007FFB04400000-0x00007FFB04410000-memory.dmp (Filesize: 64KB)
  • memory/1460-120-0x00007FFB04400000-0x00007FFB04410000-memory.dmp (Filesize: 64KB)
  • memory/1460-129-0x00007FFB00DC0000-0x00007FFB00DD0000-memory.dmp (Filesize: 64KB)
  • memory/1460-117-0x00007FFB04400000-0x00007FFB04410000-memory.dmp (Filesize: 64KB)
  • memory/1460-390-0x00007FFB04400000-0x00007FFB04410000-memory.dmp (Filesize: 64KB)
  • memory/1460-391-0x00007FFB04400000-0x00007FFB04410000-memory.dmp (Filesize: 64KB)
  • memory/1460-392-0x00007FFB04400000-0x00007FFB04410000-memory.dmp (Filesize: 64KB)
  • memory/1460-393-0x00007FFB04400000-0x00007FFB04410000-memory.dmp (Filesize: 64KB)
  • memory/2620-116-0x0000000000860000-0x0000000000870000-memory.dmp (Filesize: 64KB)