Overview

overview

10

Static

static

Booking Co...DF.exe

windows7_x64

10

Booking Co...DF.exe

windows10_x64

10

Analysis

  • max time kernel
    29s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    05-11-2020 11:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Booking Confirmation 110420203251 - copy - PDF.exe

  • Size

    344KB

  • MD5

    f4f48519f108900933d0dd0e8aa1f40f

  • SHA1

    5a48020b486ab74eea85cf88d647dc2ba0994ace

  • SHA256

    f6d2fe1a8ba40429708ec5c70159fcff0e9741ea260ea93e3665d6ea752f96d3

  • SHA512

    d02dc186871c344bddac7ae1a5c1e9c72014e106dfdbe1c565bf7a56ae052b10f7abb69f34010f5315752766bc40a86d1f9e20da2c8c70f7c0aef053ab3248a1

Score
10/10
hiveratratspywarestealer

Malware Config

Signatures

  • HiveRAT

    HiveRAT is an improved version of FirebirdRAT with various capabilities.

    ratstealerhiverat
  • Beds Protector Packer 1 IoCs

    Detects Beds Protector packer used to load .NET malware.

  • HiveRAT Payload 4 IoCs
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110420203251 - copy - PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110420203251 - copy - PDF.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c timeout 5 & powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Local\Temp\\670022.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 110420203251 - copy - PDF.exe'
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Windows\SysWOW64\timeout.exe
        timeout 5
        3⤵
        • Delays execution with timeout.exe
        PID:744
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Local\Temp\\670022.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 110420203251 - copy - PDF.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1076
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\670022.js"
          4⤵
          • Suspicious behavior: RenamesItself
          PID:592
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 110420203251 - copy - PDF.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 110420203251 - copy - PDF.exe"
          4⤵
          • Drops startup file
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1472
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 110420203251 - copy - PDF.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 110420203251 - copy - PDF.exe"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\670022.js
    MD5

    018d437947c7435c66fff115aeea1d8d

    SHA1

    cc6bb44e916b2f72f6713b91ba0dcb57dae2819a

    SHA256

    798dd36ffafe7ddca25dedcf2cb374c89f0baf94ebbee3e09200fa9be97bf25a

    SHA512

    ecfd0649423747188c45851a6706f695715f462bc006086249f9ec93e21234cc7ef315a8c78db9ec7f3ec203e4ab1dc7e5bd438b88a2e7e809ee48e6629c1d1b

    Download Submit
  • memory/592-35-0x00000000024D0000-0x00000000024D4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/592-33-0x0000000000000000-mapping.dmp
    Download
  • memory/744-5-0x0000000000000000-mapping.dmp
    Download
  • memory/1028-45-0x00000000749F0000-0x00000000750DE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1028-44-0x0000000000400000-0x0000000000454000-memory.dmp
    Filesize

    336KB

    Download
  • memory/1028-43-0x0000000000400000-0x0000000000454000-memory.dmp
    Filesize

    336KB

    Download
  • memory/1028-42-0x000000000044C7BE-mapping.dmp
    Download
  • memory/1028-41-0x0000000000400000-0x0000000000454000-memory.dmp
    Filesize

    336KB

    Download
  • memory/1076-8-0x0000000000B50000-0x0000000000B51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1076-34-0x00000000064E0000-0x00000000064E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1076-14-0x0000000006160000-0x0000000006161000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1076-19-0x00000000061A0000-0x00000000061A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1076-20-0x00000000061F0000-0x00000000061F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1076-27-0x0000000006390000-0x0000000006391000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1076-10-0x0000000004700000-0x0000000004701000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1076-29-0x0000000006290000-0x0000000006291000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1076-30-0x00000000062B0000-0x00000000062B2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1076-31-0x0000000006290000-0x0000000006291000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1076-9-0x0000000004770000-0x0000000004771000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1076-11-0x0000000005340000-0x0000000005341000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1076-6-0x0000000000000000-mapping.dmp
    Download
  • memory/1076-7-0x00000000749F0000-0x00000000750DE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1472-37-0x00000000749F0000-0x00000000750DE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1472-38-0x0000000000A30000-0x0000000000A31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1472-36-0x0000000000000000-mapping.dmp
    Download
  • memory/1764-4-0x0000000000000000-mapping.dmp
    Download
  • memory/2036-0-0x0000000074EE0000-0x00000000755CE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2036-3-0x0000000000400000-0x000000000044B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/2036-1-0x0000000000990000-0x0000000000991000-memory.dmp
    Filesize

    4KB

    Download