Overview

Score | Task | Platform
10 | Static (static) | -
10 | BHC-PR/BHC...an.exe | windows7_x64
10 | BHC-PR/BHC...an.exe | windows10_x64
10 | BHC-PR/Bri...on.exe | windows7_x64
10 | BHC-PR/Bri...on.exe | windows10_x64
10 | BHC-PR/Bri...20.exe | windows7_x64
10 | BHC-PR/Bri...20.exe | windows10_x64
10 | BHC-PR/Bri...ts.exe | windows7_x64
10 | BHC-PR/Bri...ts.exe | windows10_x64
10 | BHC-PR/Bri...ls.exe | windows7_x64
10 | BHC-PR/Bri...ls.exe | windows10_x64
10 | BHC-PR/Bri...20.exe | windows7_x64
10 | BHC-PR/Bri...20.exe | windows10_x64
Analysis (score 10)

Max time kernel: 161s
Max time network: 155s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 21-01-2022 23:00
Tasks

Static task: static1

Behavioral task: behavioral1
  Sample: BHC-PR/BHC PR - British Airways Restarts Flights to Pakistan.exe
  Resource: win7-en-20211208

Behavioral task: behavioral2
  Sample: BHC-PR/BHC PR - British Airways Restarts Flights to Pakistan.exe
  Resource: win10-en-20211208

Behavioral task: behavioral3
  Sample: BHC-PR/British High Commission Peter Emmerson.exe
  Resource: win7-en-20211208

Behavioral task: behavioral4
  Sample: BHC-PR/British High Commission Peter Emmerson.exe
  Resource: win10-en-20211208

Behavioral task: behavioral5
  Sample: BHC-PR/British High Commission Press Release - GREAT Debate Islamabad 2020.exe
  Resource: win7-en-20211208

Behavioral task: behavioral6
  Sample: BHC-PR/British High Commission Press Release - GREAT Debate Islamabad 2020.exe
  Resource: win10-en-20211208

Behavioral task: behavioral7
  Sample: BHC-PR/British High Commission Rhinnon Mills receipts.exe
  Resource: win7-en-20211208

Behavioral task: behavioral8
  Sample: BHC-PR/British High Commission Rhinnon Mills receipts.exe
  Resource: win10-en-20211208

Behavioral task: behavioral9
  Sample: BHC-PR/British High Commission Rhinnon Mills.exe
  Resource: win7-en-20211208

Behavioral task: behavioral10
  Sample: BHC-PR/British High Commission Rhinnon Mills.exe
  Resource: win10-en-20211208

Behavioral task: behavioral11
  Sample: BHC-PR/British High Commission Urdu Press Release - GREAT Debate Islamabad 2020.exe
  Resource: win7-en-20211208

Behavioral task: behavioral12
  Sample: BHC-PR/British High Commission Urdu Press Release - GREAT Debate Islamabad 2020.exe
  Resource: win10-en-20211208
General

Target: BHC-PR/British High Commission Rhinnon Mills receipts.exe
Size: 706KB
MD5: b3ec999208c86b7a635cc3d2474793ec
SHA1: 091603e621eb2f30a38464fae3a758be39f5beb8
SHA256: 93f2358f631d4bf5a1f16b40c5bb9479dbda492d6e96c2fd9760854d219faab1
SHA512: 74eda3e3b410e44773ac6ad4e54938bab9f306f1a1036c93e8d509a7419d400e0974dd585b4b7ee5e640477231fe1e73f24957662f12b98d6109478ab9b4cdf4
Malware Config
Signatures

CrimsonRAT Main Payload (2 IoCs)
  resource | yara_rule
  C:\ProgramData\Hanthavra\rnthiavesa.exe | family_crimsonrat
  C:\ProgramData\Hanthavra\rnthiavesa.exe | family_crimsonrat

CrimsonRat
  Crimson RAT is malware attributed to a Pakistan-linked threat actor.

Executes dropped EXE (1 IoC)
  pid | process
  1508 | rnthiavesa.exe

Drops file in Program Files directory (2 IoCs)
  description | ioc | process
  File created | C:\PROGRA~3\HANTHA~1\rnthiavesa.exe | British High Commission Rhinnon Mills receipts.exe
  File opened for modification | C:\PROGRA~3\HANTHA~1\rnthiavesa.exe | British High Commission Rhinnon Mills receipts.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | process
  284 | AcroRd32.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | process
  284 | AcroRd32.exe
  284 | AcroRd32.exe
  284 | AcroRd32.exe
  284 | AcroRd32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | process | target process
  PID 288 wrote to memory of 284 | 288 | British High Commission Rhinnon Mills receipts.exe | AcroRd32.exe
  PID 288 wrote to memory of 284 | 288 | British High Commission Rhinnon Mills receipts.exe | AcroRd32.exe
  PID 288 wrote to memory of 284 | 288 | British High Commission Rhinnon Mills receipts.exe | AcroRd32.exe
  PID 288 wrote to memory of 284 | 288 | British High Commission Rhinnon Mills receipts.exe | AcroRd32.exe
  PID 288 wrote to memory of 1508 | 288 | British High Commission Rhinnon Mills receipts.exe | rnthiavesa.exe
  PID 288 wrote to memory of 1508 | 288 | British High Commission Rhinnon Mills receipts.exe | rnthiavesa.exe
  PID 288 wrote to memory of 1508 | 288 | British High Commission Rhinnon Mills receipts.exe | rnthiavesa.exe
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\BHC-PR\British High Commission Rhinnon Mills receipts.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BHC-PR\British High Commission Rhinnon Mills receipts.exe"
  PID: 288
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Documents\British High Commission Rhinnon Mills receipts-03-.pdf"
    PID: 284
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx

  Level 2: C:\ProgramData\Hanthavra\rnthiavesa.exe
    Command line: "C:\ProgramData\Hanthavra\rnthiavesa.exe"
    PID: 1508
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads

MD5: d5783c974f54f8eb9ba0eb4396b04187
SHA1: f246f1db61947165aa25a7d7f04e1b231a867b99
SHA256: e38ff03d54d40f4e10292d7cbd614f26f3af13d01ded95dc7c363b317a5d6dd4
SHA512: 9baf895b24696d6b760925a34d1eb5ae6b6599601d3ed77d8cbae425bb57a1692c233ef6f67acf83332532ea39a6752e39375b7a0bfb4ab19e8a06e06fc86ce9

MD5: d5783c974f54f8eb9ba0eb4396b04187
SHA1: f246f1db61947165aa25a7d7f04e1b231a867b99
SHA256: e38ff03d54d40f4e10292d7cbd614f26f3af13d01ded95dc7c363b317a5d6dd4
SHA512: 9baf895b24696d6b760925a34d1eb5ae6b6599601d3ed77d8cbae425bb57a1692c233ef6f67acf83332532ea39a6752e39375b7a0bfb4ab19e8a06e06fc86ce9

MD5: e2c57ebe26729f9bd50b7338fe60b4c2
SHA1: bd0f0eae8d26da6bc61b167d2e71843524e8785b
SHA256: 36527efca902242b058e77be936dbe382b1822a505de66596f118af382916a4e
SHA512: 6583c07fe4355b502197510d1bd62ab45e8bd543195118f49074b7dff59743fbaa18b0db71a4b993adba60a59c2c70ac9d0628657397a6838479bd74e7d7ec8c