Overview

overview

10

Static

static

NEW SC.cmd.exe

windows7_x64

10

NEW SC.cmd.exe

windows10_x64

10

Resubmissions

17-02-2021 19:37

210217-gyxbqal2ys 3

01-12-2020 14:48

201201-b4k57571mn 10

Analysis

  • max time kernel
    150s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    01-12-2020 14:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEW SC.cmd.exe

  • Size

    14KB

  • MD5

    870ffbc1a133083f10fadf93cf28f706

  • SHA1

    eddbe2346d62a6925634abd5dfe2d6f6b0ff3a5b

  • SHA256

    f49c3157e749609acf89ae453958b7d4f1fc165941e6e998271b0caee1f0cf35

  • SHA512

    f6b65b12ccadc42cfecc2130399cab9beadf4447dfbae09c523c3e7dc7eacf881be2d7590942f49e1270c3d8c3d793cfb293006696300c56ab5320b66d8f835b

Score
10/10
hiveratevasionpersistenceratstealertrojan

Malware Config

Signatures

  • HiveRAT

    HiveRAT is an improved version of FirebirdRAT with various capabilities.

    ratstealerhiverat
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • Windows security bypass 2 TTPs
    evasiontrojan
  • HiveRAT Payload 4 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Windows security modification 2 TTPs 9 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetThreadContext 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 53 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1840
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 4.638
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Windows\SysWOW64\timeout.exe
        timeout 4.638
        3⤵
        • Delays execution with timeout.exe
        PID:1740
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEW SC.cmd.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:664
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEW SC.cmd.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1684
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEW SC.cmd.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:780
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1520
    • C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1532
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution2.vbs"
        3⤵
        • Adds Run key to start application
        PID:904
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
        3⤵
          PID:980
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 500 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe"
          3⤵
          • Deletes itself
          • Suspicious use of WriteProcessMemory
          PID:2232
          • C:\Windows\SysWOW64\PING.EXE
            ping 1.1.1.1 -n 1 -w 500
            4⤵
            • Runs ping.exe
            PID:2268
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1840
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
        2⤵
        • Adds Run key to start application
        PID:1904

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/664-25-0x0000000002610000-0x0000000002611000-memory.dmp

      Filesize

      4KB

      Download

    • memory/664-13-0x00000000749E0000-0x00000000750CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/780-15-0x00000000749E0000-0x00000000750CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1520-16-0x00000000749E0000-0x00000000750CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1520-29-0x0000000004950000-0x0000000004951000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1532-35-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1532-33-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1532-36-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1532-37-0x00000000749E0000-0x00000000750CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1684-17-0x0000000000F30000-0x0000000000F31000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1684-42-0x0000000005650000-0x0000000005651000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1684-67-0x0000000006110000-0x0000000006111000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1684-59-0x0000000006240000-0x0000000006241000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1684-83-0x0000000006300000-0x0000000006301000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1684-84-0x0000000006310000-0x0000000006311000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1684-51-0x00000000061B0000-0x00000000061B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1684-49-0x00000000056B0000-0x00000000056B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1684-14-0x00000000749E0000-0x00000000750CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1684-21-0x0000000004970000-0x0000000004971000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1840-2-0x00000000749E0000-0x00000000750CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1840-7-0x0000000005CC0000-0x0000000005DC1000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1840-3-0x00000000000D0000-0x00000000000D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1904-71-0x00000000026C0000-0x00000000026C4000-memory.dmp

      Filesize

      16KB

      Download