Overview

overview

10

Static

static

Booking Co...DF.exe

windows7_x64

10

Booking Co...DF.exe

windows10_x64

10

Analysis

  • max time kernel
    34s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    05-11-2020 11:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Booking Confirmation 110420203251 - copy - PDF.exe

  • Size

    344KB

  • MD5

    f4f48519f108900933d0dd0e8aa1f40f

  • SHA1

    5a48020b486ab74eea85cf88d647dc2ba0994ace

  • SHA256

    f6d2fe1a8ba40429708ec5c70159fcff0e9741ea260ea93e3665d6ea752f96d3

  • SHA512

    d02dc186871c344bddac7ae1a5c1e9c72014e106dfdbe1c565bf7a56ae052b10f7abb69f34010f5315752766bc40a86d1f9e20da2c8c70f7c0aef053ab3248a1

Score
10/10
hiveratratspywarestealer

Malware Config

Signatures

  • HiveRAT

    HiveRAT is an improved version of FirebirdRAT with various capabilities.

    ratstealerhiverat
  • Beds Protector Packer 1 IoCs

    Detects Beds Protector packer used to load .NET malware.

  • HiveRAT Payload 3 IoCs
  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 59 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110420203251 - copy - PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 110420203251 - copy - PDF.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:508
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c timeout 5 & powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Local\Temp\\696392.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 110420203251 - copy - PDF.exe'
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3828
      • C:\Windows\SysWOW64\timeout.exe
        timeout 5
        3⤵
        • Delays execution with timeout.exe
        PID:3460
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Local\Temp\\696392.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 110420203251 - copy - PDF.exe'
        3⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:200
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\696392.js"
          4⤵
          • Suspicious behavior: RenamesItself
          PID:2212
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 110420203251 - copy - PDF.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 110420203251 - copy - PDF.exe"
          4⤵
          • Drops startup file
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3944
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 110420203251 - copy - PDF.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 110420203251 - copy - PDF.exe"
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3892

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

1
T1081

Discovery

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\696392.js
    MD5

    018d437947c7435c66fff115aeea1d8d

    SHA1

    cc6bb44e916b2f72f6713b91ba0dcb57dae2819a

    SHA256

    798dd36ffafe7ddca25dedcf2cb374c89f0baf94ebbee3e09200fa9be97bf25a

    SHA512

    ecfd0649423747188c45851a6706f695715f462bc006086249f9ec93e21234cc7ef315a8c78db9ec7f3ec203e4ab1dc7e5bd438b88a2e7e809ee48e6629c1d1b

    Download Submit
  • memory/200-27-0x000000000A160000-0x000000000A161000-memory.dmp
    Filesize

    4KB

    Download
  • memory/200-13-0x00000000070A0000-0x00000000070A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/200-23-0x0000000008EB0000-0x0000000008EB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/200-22-0x0000000008E40000-0x0000000008E41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/200-21-0x0000000008F40000-0x0000000008F41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/200-20-0x0000000008210000-0x0000000008211000-memory.dmp
    Filesize

    4KB

    Download
  • memory/200-19-0x00000000081C0000-0x00000000081C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/200-17-0x0000000007A20000-0x0000000007A21000-memory.dmp
    Filesize

    4KB

    Download
  • memory/200-10-0x0000000000000000-mapping.dmp
    Download
  • memory/200-11-0x00000000735E0000-0x0000000073CCE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/200-12-0x00000000049A0000-0x00000000049A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/200-18-0x0000000007E70000-0x0000000007E71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/200-14-0x0000000007710000-0x0000000007711000-memory.dmp
    Filesize

    4KB

    Download
  • memory/200-15-0x0000000007990000-0x0000000007991000-memory.dmp
    Filesize

    4KB

    Download
  • memory/508-1-0x00000000004D0000-0x00000000004D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/508-0-0x0000000073560000-0x0000000073C4E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/508-3-0x0000000005170000-0x0000000005171000-memory.dmp
    Filesize

    4KB

    Download
  • memory/508-7-0x00000000050D0000-0x00000000050D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/508-6-0x0000000005030000-0x0000000005031000-memory.dmp
    Filesize

    4KB

    Download
  • memory/508-5-0x0000000004DF0000-0x0000000004E3B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/508-4-0x0000000004D50000-0x0000000004D51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2212-26-0x0000000000000000-mapping.dmp
    Download
  • memory/3460-9-0x0000000000000000-mapping.dmp
    Download
  • memory/3828-8-0x0000000000000000-mapping.dmp
    Download
  • memory/3892-40-0x00000000735E0000-0x0000000073CCE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3892-37-0x0000000000400000-0x0000000000454000-memory.dmp
    Filesize

    336KB

    Download
  • memory/3892-38-0x000000000044C7BE-mapping.dmp
    Download
  • memory/3892-39-0x0000000000400000-0x0000000000454000-memory.dmp
    Filesize

    336KB

    Download
  • memory/3892-49-0x0000000008D60000-0x0000000008D61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3944-28-0x0000000000000000-mapping.dmp
    Download
  • memory/3944-29-0x00000000735E0000-0x0000000073CCE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3944-46-0x0000000006770000-0x0000000006771000-memory.dmp
    Filesize

    4KB

    Download