Analysis

  • max time kernel
    161s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    21-01-2022 23:00

General

  • Target

    BHC-PR/British High Commission Rhinnon Mills receipts.exe

  • Size

    706KB

  • MD5

    b3ec999208c86b7a635cc3d2474793ec

  • SHA1

    091603e621eb2f30a38464fae3a758be39f5beb8

  • SHA256

    93f2358f631d4bf5a1f16b40c5bb9479dbda492d6e96c2fd9760854d219faab1

  • SHA512

    74eda3e3b410e44773ac6ad4e54938bab9f306f1a1036c93e8d509a7419d400e0974dd585b4b7ee5e640477231fe1e73f24957662f12b98d6109478ab9b4cdf4

Score
10/10

Malware Config

Signatures

  • CrimsonRAT Main Payload 2 IoCs
  • CrimsonRat

Crimson RAT is malware attributed to a Pakistan-linked threat actor.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BHC-PR\British High Commission Rhinnon Mills receipts.exe (PID 288)
    Command line: "C:\Users\Admin\AppData\Local\Temp\BHC-PR\British High Commission Rhinnon Mills receipts.exe"
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 284, child of 288)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Documents\British High Commission Rhinnon Mills receipts-03-.pdf"
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
    • C:\ProgramData\Hanthavra\rnthiavesa.exe (PID 1508, child of 288)
      Command line: "C:\ProgramData\Hanthavra\rnthiavesa.exe"
      • Executes dropped EXE

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\ProgramData\Hanthavra\rnthiavesa.exe

    MD5

    d5783c974f54f8eb9ba0eb4396b04187

    SHA1

    f246f1db61947165aa25a7d7f04e1b231a867b99

    SHA256

    e38ff03d54d40f4e10292d7cbd614f26f3af13d01ded95dc7c363b317a5d6dd4

    SHA512

    9baf895b24696d6b760925a34d1eb5ae6b6599601d3ed77d8cbae425bb57a1692c233ef6f67acf83332532ea39a6752e39375b7a0bfb4ab19e8a06e06fc86ce9

  • C:\Users\Admin\Documents\British High Commission Rhinnon Mills receipts-03-.pdf

    MD5

    e2c57ebe26729f9bd50b7338fe60b4c2

    SHA1

    bd0f0eae8d26da6bc61b167d2e71843524e8785b

    SHA256

    36527efca902242b058e77be936dbe382b1822a505de66596f118af382916a4e

    SHA512

    6583c07fe4355b502197510d1bd62ab45e8bd543195118f49074b7dff59743fbaa18b0db71a4b993adba60a59c2c70ac9d0628657397a6838479bd74e7d7ec8c

  • memory/284-57-0x0000000076041000-0x0000000076043000-memory.dmp

    Filesize

    8KB

  • memory/288-54-0x0000000000340000-0x00000000004C0000-memory.dmp

    Filesize

    1.5MB

  • memory/288-55-0x000007FEF2230000-0x000007FEF32C6000-memory.dmp

    Filesize

    16.6MB

  • memory/288-56-0x0000000000340000-0x00000000004C0000-memory.dmp

    Filesize

    1.5MB

  • memory/1508-61-0x0000000002A30000-0x0000000002A32000-memory.dmp

    Filesize

    8KB

  • memory/1508-62-0x000007FEF2230000-0x000007FEF32C6000-memory.dmp

    Filesize

    16.6MB

  • memory/1508-63-0x0000000002A36000-0x0000000002A55000-memory.dmp

    Filesize

    124KB