Resubmissions

17-02-2021 19:37

210217-gyxbqal2ys 3

01-12-2020 14:48

201201-b4k57571mn 10

General

  • Target

    NEW SC.cmd

  • Size

    14KB

  • Sample

    201201-b4k57571mn

  • MD5

    870ffbc1a133083f10fadf93cf28f706

  • SHA1

    eddbe2346d62a6925634abd5dfe2d6f6b0ff3a5b

  • SHA256

    f49c3157e749609acf89ae453958b7d4f1fc165941e6e998271b0caee1f0cf35

  • SHA512

    f6b65b12ccadc42cfecc2130399cab9beadf4447dfbae09c523c3e7dc7eacf881be2d7590942f49e1270c3d8c3d793cfb293006696300c56ab5320b66d8f835b

Malware Config

Targets

    • Target

      NEW SC.cmd

    • Size

      14KB

    • MD5

      870ffbc1a133083f10fadf93cf28f706

    • SHA1

      eddbe2346d62a6925634abd5dfe2d6f6b0ff3a5b

    • SHA256

      f49c3157e749609acf89ae453958b7d4f1fc165941e6e998271b0caee1f0cf35

    • SHA512

      f6b65b12ccadc42cfecc2130399cab9beadf4447dfbae09c523c3e7dc7eacf881be2d7590942f49e1270c3d8c3d793cfb293006696300c56ab5320b66d8f835b

    • HiveRAT

      HiveRAT is an improved version of FirebirdRAT with various capabilities.

    • Modifies WinLogon for persistence

    • Modifies Windows Defender Real-time Protection settings

    • Turns off Windows Defender SpyNet reporting

    • Windows security bypass

    • HiveRAT Payload

    • Looks for VirtualBox Guest Additions in registry

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS information is often read in order to detect sandboxing environments.

    • Deletes itself

    • Drops startup file

    • Windows security modification

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Enumerates physical storage devices

      Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Defense Evasion

Modify Registry

6
T1112

Disabling Security Tools

4
T1089

Virtualization/Sandbox Evasion

2
T1497

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Remote System Discovery

1
T1018

Command and Control

Web Service

1
T1102

Tasks