Overview
overview
10Static
static
BHC-PR/BHC...an.exe
windows7_x64
10BHC-PR/BHC...an.exe
windows10_x64
10BHC-PR/Bri...on.exe
windows7_x64
10BHC-PR/Bri...on.exe
windows10_x64
10BHC-PR/Bri...20.exe
windows7_x64
10BHC-PR/Bri...20.exe
windows10_x64
10BHC-PR/Bri...ts.exe
windows7_x64
10BHC-PR/Bri...ts.exe
windows10_x64
10BHC-PR/Bri...ls.exe
windows7_x64
10BHC-PR/Bri...ls.exe
windows10_x64
10BHC-PR/Bri...20.exe
windows7_x64
10BHC-PR/Bri...20.exe
windows10_x64
10Analysis
-
max time kernel
153s -
max time network
161s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
21-01-2022 23:00
Static task
static1
Behavioral task
behavioral1
Sample
BHC-PR/BHC PR - British Airways Restarts Flights to Pakistan.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
BHC-PR/BHC PR - British Airways Restarts Flights to Pakistan.exe
Resource
win10-en-20211208
Behavioral task
behavioral3
Sample
BHC-PR/British High Commission Peter Emmerson.exe
Resource
win7-en-20211208
Behavioral task
behavioral4
Sample
BHC-PR/British High Commission Peter Emmerson.exe
Resource
win10-en-20211208
Behavioral task
behavioral5
Sample
BHC-PR/British High Commission Press Release - GREAT Debate Islamabad 2020.exe
Resource
win7-en-20211208
Behavioral task
behavioral6
Sample
BHC-PR/British High Commission Press Release - GREAT Debate Islamabad 2020.exe
Resource
win10-en-20211208
Behavioral task
behavioral7
Sample
BHC-PR/British High Commission Rhinnon Mills receipts.exe
Resource
win7-en-20211208
Behavioral task
behavioral8
Sample
BHC-PR/British High Commission Rhinnon Mills receipts.exe
Resource
win10-en-20211208
Behavioral task
behavioral9
Sample
BHC-PR/British High Commission Rhinnon Mills.exe
Resource
win7-en-20211208
Behavioral task
behavioral10
Sample
BHC-PR/British High Commission Rhinnon Mills.exe
Resource
win10-en-20211208
Behavioral task
behavioral11
Sample
BHC-PR/British High Commission Urdu Press Release - GREAT Debate Islamabad 2020.exe
Resource
win7-en-20211208
Behavioral task
behavioral12
Sample
BHC-PR/British High Commission Urdu Press Release - GREAT Debate Islamabad 2020.exe
Resource
win10-en-20211208
General
-
Target
BHC-PR/British High Commission Rhinnon Mills.exe
-
Size
687KB
-
MD5
41120771530675f31125936f630d7a67
-
SHA1
9f55015e9bfbb65f0a5b2ad8deaea1df67660fec
-
SHA256
1bf6dc9af6dd730120f598d02f139f5a7776993afe29679f83a3d2fda3599736
-
SHA512
62c4c55cf8b9c987c064300210ce746242565d4e3b0ff0008cbcf5fac4668e4cc14d007caa697dcb3774fb1ec679646cb4bff3f012ef0e104870277fcd5f7e58
Malware Config
Signatures
-
CrimsonRAT Main Payload 2 IoCs
Processes:
resource yara_rule C:\ProgramData\Hanthavra\rnthiavesa.exe family_crimsonrat C:\ProgramData\Hanthavra\rnthiavesa.exe family_crimsonrat -
CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
-
Executes dropped EXE 1 IoCs
Processes:
rnthiavesa.exepid process 644 rnthiavesa.exe -
Drops file in Program Files directory 2 IoCs
Processes:
British High Commission Rhinnon Mills.exedescription ioc process File created C:\PROGRA~3\HANTHA~1\rnthiavesa.exe British High Commission Rhinnon Mills.exe File opened for modification C:\PROGRA~3\HANTHA~1\rnthiavesa.exe British High Commission Rhinnon Mills.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 576 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
AcroRd32.exepid process 576 AcroRd32.exe 576 AcroRd32.exe 576 AcroRd32.exe 576 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
British High Commission Rhinnon Mills.exedescription pid process target process PID 964 wrote to memory of 576 964 British High Commission Rhinnon Mills.exe AcroRd32.exe PID 964 wrote to memory of 576 964 British High Commission Rhinnon Mills.exe AcroRd32.exe PID 964 wrote to memory of 576 964 British High Commission Rhinnon Mills.exe AcroRd32.exe PID 964 wrote to memory of 576 964 British High Commission Rhinnon Mills.exe AcroRd32.exe PID 964 wrote to memory of 644 964 British High Commission Rhinnon Mills.exe rnthiavesa.exe PID 964 wrote to memory of 644 964 British High Commission Rhinnon Mills.exe rnthiavesa.exe PID 964 wrote to memory of 644 964 British High Commission Rhinnon Mills.exe rnthiavesa.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\BHC-PR\British High Commission Rhinnon Mills.exe"C:\Users\Admin\AppData\Local\Temp\BHC-PR\British High Commission Rhinnon Mills.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Documents\British High Commission Rhinnon Mills-03-.pdf"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:576 -
C:\ProgramData\Hanthavra\rnthiavesa.exe"C:\ProgramData\Hanthavra\rnthiavesa.exe"2⤵
- Executes dropped EXE
PID:644
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
d5783c974f54f8eb9ba0eb4396b04187
SHA1f246f1db61947165aa25a7d7f04e1b231a867b99
SHA256e38ff03d54d40f4e10292d7cbd614f26f3af13d01ded95dc7c363b317a5d6dd4
SHA5129baf895b24696d6b760925a34d1eb5ae6b6599601d3ed77d8cbae425bb57a1692c233ef6f67acf83332532ea39a6752e39375b7a0bfb4ab19e8a06e06fc86ce9
-
MD5
d5783c974f54f8eb9ba0eb4396b04187
SHA1f246f1db61947165aa25a7d7f04e1b231a867b99
SHA256e38ff03d54d40f4e10292d7cbd614f26f3af13d01ded95dc7c363b317a5d6dd4
SHA5129baf895b24696d6b760925a34d1eb5ae6b6599601d3ed77d8cbae425bb57a1692c233ef6f67acf83332532ea39a6752e39375b7a0bfb4ab19e8a06e06fc86ce9
-
MD5
a96410ba91ef5bd64dbce071231038c2
SHA193c8ad8b0fee63f0e32bf8ddd88eae16c9d79457
SHA2566e586f96cfb66b2f05d27cdded7086563c62f9c32ba46c3273a22ec3a5bb23ff
SHA5126b97e6e42e4bdaa752334814153d5b4639388e4c6832be77ae562ce86fb4ef5e35c88ea3966a0560c664af8be191f9cc29a4ad7d12e5fa41c894cca4b404d58a