Analysis

  • max time kernel
    153s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    21-01-2022 23:00

General

  • Target

    BHC-PR/British High Commission Rhinnon Mills.exe

  • Size

    687KB

  • MD5

    41120771530675f31125936f630d7a67

  • SHA1

    9f55015e9bfbb65f0a5b2ad8deaea1df67660fec

  • SHA256

    1bf6dc9af6dd730120f598d02f139f5a7776993afe29679f83a3d2fda3599736

  • SHA512

    62c4c55cf8b9c987c064300210ce746242565d4e3b0ff0008cbcf5fac4668e4cc14d007caa697dcb3774fb1ec679646cb4bff3f012ef0e104870277fcd5f7e58

Score
10/10

Malware Config

Signatures

  • CrimsonRAT Main Payload 2 IoCs
  • CrimsonRat

    Crimson RAT is a malware linked to a Pakistani-linked threat actor.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\BHC-PR\British High Commission Rhinnon Mills.exe
    "C:\Users\Admin\AppData\Local\Temp\BHC-PR\British High Commission Rhinnon Mills.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:964
    • C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\Documents\British High Commission Rhinnon Mills-03-.pdf"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      PID:576
    • C:\ProgramData\Hanthavra\rnthiavesa.exe
      "C:\ProgramData\Hanthavra\rnthiavesa.exe"
      2⤵
      • Executes dropped EXE
      PID:644

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Hanthavra\rnthiavesa.exe

    MD5

    d5783c974f54f8eb9ba0eb4396b04187

    SHA1

    f246f1db61947165aa25a7d7f04e1b231a867b99

    SHA256

    e38ff03d54d40f4e10292d7cbd614f26f3af13d01ded95dc7c363b317a5d6dd4

    SHA512

    9baf895b24696d6b760925a34d1eb5ae6b6599601d3ed77d8cbae425bb57a1692c233ef6f67acf83332532ea39a6752e39375b7a0bfb4ab19e8a06e06fc86ce9

  • C:\ProgramData\Hanthavra\rnthiavesa.exe

    MD5

    d5783c974f54f8eb9ba0eb4396b04187

    SHA1

    f246f1db61947165aa25a7d7f04e1b231a867b99

    SHA256

    e38ff03d54d40f4e10292d7cbd614f26f3af13d01ded95dc7c363b317a5d6dd4

    SHA512

    9baf895b24696d6b760925a34d1eb5ae6b6599601d3ed77d8cbae425bb57a1692c233ef6f67acf83332532ea39a6752e39375b7a0bfb4ab19e8a06e06fc86ce9

  • C:\Users\Admin\Documents\British High Commission Rhinnon Mills-03-.pdf

    MD5

    a96410ba91ef5bd64dbce071231038c2

    SHA1

    93c8ad8b0fee63f0e32bf8ddd88eae16c9d79457

    SHA256

    6e586f96cfb66b2f05d27cdded7086563c62f9c32ba46c3273a22ec3a5bb23ff

    SHA512

    6b97e6e42e4bdaa752334814153d5b4639388e4c6832be77ae562ce86fb4ef5e35c88ea3966a0560c664af8be191f9cc29a4ad7d12e5fa41c894cca4b404d58a

  • memory/576-57-0x0000000075D61000-0x0000000075D63000-memory.dmp

    Filesize

    8KB

  • memory/644-61-0x000007FEF1F20000-0x000007FEF2FB6000-memory.dmp

    Filesize

    16.6MB

  • memory/644-63-0x0000000002886000-0x00000000028A5000-memory.dmp

    Filesize

    124KB

  • memory/644-62-0x0000000002880000-0x0000000002882000-memory.dmp

    Filesize

    8KB

  • memory/964-54-0x0000000000990000-0x0000000000992000-memory.dmp

    Filesize

    8KB

  • memory/964-55-0x000007FEF1F20000-0x000007FEF2FB6000-memory.dmp

    Filesize

    16.6MB

  • memory/964-56-0x0000000000996000-0x00000000009B5000-memory.dmp

    Filesize

    124KB