Overview

overview

10

Static

static

NEW SC.cmd.exe

windows7_x64

10

NEW SC.cmd.exe

windows10_x64

10

Resubmissions

17-02-2021 19:37

210217-gyxbqal2ys 3

01-12-2020 14:48

201201-b4k57571mn 10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    01-12-2020 14:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEW SC.cmd.exe

  • Size

    14KB

  • MD5

    870ffbc1a133083f10fadf93cf28f706

  • SHA1

    eddbe2346d62a6925634abd5dfe2d6f6b0ff3a5b

  • SHA256

    f49c3157e749609acf89ae453958b7d4f1fc165941e6e998271b0caee1f0cf35

  • SHA512

    f6b65b12ccadc42cfecc2130399cab9beadf4447dfbae09c523c3e7dc7eacf881be2d7590942f49e1270c3d8c3d793cfb293006696300c56ab5320b66d8f835b

Score
10/10
hiveratevasionpersistenceratstealertrojan

Malware Config

Signatures

  • HiveRAT

    HiveRAT is an improved version of FirebirdRAT with various capabilities.

    ratstealerhiverat
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • HiveRAT Payload 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Windows security modification 2 TTPs 11 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of SetThreadContext 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4644
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c timeout 4.638
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3632
      • C:\Windows\SysWOW64\timeout.exe
        timeout 4.638
        3⤵
        • Delays execution with timeout.exe
        PID:4200
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEW SC.cmd.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3244
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEW SC.cmd.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4280
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEW SC.cmd.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1900
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4328
    • C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe
      "C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe"
      2⤵
        PID:2376
      • C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe
        "C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe"
        2⤵
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2476
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution2.vbs"
          3⤵
            PID:1256
          • C:\Windows\SysWOW64\explorer.exe
            "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
            3⤵
              PID:4320
        • C:\Windows\explorer.exe
          C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
          1⤵
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1448
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
            2⤵
            • Adds Run key to start application
            PID:4516

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Execution.vbs
          MD5

          5d714082ad8fee00bc16741de8e79fdf

          SHA1

          b4eb28a309103dbb49e77a06a6d5dacaef1af70c

          SHA256

          8d5e64e451d157e463e81a1bb013b6aa96bdad0bf15103d8560628c0e038d38b

          SHA512

          5bb0983e2db9acbdd317091313b68db8fb0eb531f2cad4dd2fd4ff2bc2bf64abe8e5d327839a1c212ebffe46c5f448ec7154334b267e3e91767ac98292ff51f5

          Download Submit

        • C:\Users\Admin\AppData\Local\Execution2.vbs
          MD5

          458841d642abb8d0ca9d4d18daaf8cd4

          SHA1

          f38e4a187ae5df2da29e2b63f33c62f5cbce45ac

          SHA256

          6a37a7f21cb1937bca4c31a9286f5f5d3b65826e86ea5b4b2bf5def1f2675244

          SHA512

          b8d5c588de619bb7ebe07c7490ff334c6985d1bf8c535d7df0c48c053abeba5b44336b4a4e2ffec50a737a4d50830888e57fe7b560ec8efb909a9cbe1ab24df1

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW SC.cmd.exe.log
          MD5

          df2fd19969dddc6b501510424ad56e6d

          SHA1

          5dc0554605376758094d0a099739317bcfd76b78

          SHA256

          73918a4e628877d0e24eecdfd0fd1306b6f5e15c0d9d49a996a81f920a99d05d

          SHA512

          d65586af8033862682bc6689f381e79d985c63516fe9335fa81e690fd4f23d92a3106f825604138f2ddbbd202477d9cf451fa0f6f70b1ec193e1d148021d8875

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
          MD5

          db01a2c1c7e70b2b038edf8ad5ad9826

          SHA1

          540217c647a73bad8d8a79e3a0f3998b5abd199b

          SHA256

          413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

          SHA512

          c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          MD5

          53ec26f5a03fac917c51185a16960bb5

          SHA1

          9058c36f33fdfbae5d954308e6b062ae81aeb193

          SHA256

          76ad58e2e5154b84bddadf2df4118a80110844552b786102a698072e91ac0315

          SHA512

          c55237f6fd0d7f272d8e4e2e8b3733e6f7e82a7e351697f29efafbfd1f76b230f20d82a3f3040e4af3688d159701b6b2e085d08d48c5add4d056d07d4f9acaa8

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          MD5

          69964b5b631e80062987b44fd1eb00a4

          SHA1

          fddf2076d70631e5fd647e2495126d178857bddd

          SHA256

          fba42e04b0a2a05c3c1fbed5f789d190eec83e661911701c2d31af5580d17a67

          SHA512

          3c1556541b54bcec2da87a1099793874d95d0c74587c418532c5c308913b28fb29755c3eac0b5207c6704ab0d5460936ddd0c23f4d9a4bacc7d133993bdc656c

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
          MD5

          b0c0c918dd5ce1250f5766b767a51b70

          SHA1

          e0bd3e08aa3c730e568cf66c15199b8c4fde71bb

          SHA256

          db642d55cc078aa26b9b2561d80878f1efdefa07ac60fc8cba4f4a199a1ca8a2

          SHA512

          4833db81a34f1b6014be460ec495ac1b7b08d44079ba7b273ca43fe1c72cce441bced5980a7704a23abbd75d71e741522eb0f4096a55be771e977ab3300916a3

          Download Submit

        • memory/1256-66-0x0000000000000000-mapping.dmp

          Download

        • memory/1900-92-0x0000000009110000-0x0000000009111000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1900-13-0x0000000000000000-mapping.dmp

          Download

        • memory/1900-96-0x0000000009480000-0x0000000009481000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1900-18-0x0000000073E30000-0x000000007451E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1900-109-0x0000000009650000-0x0000000009651000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1900-71-0x0000000009350000-0x0000000009383000-memory.dmp

          Filesize

          204KB

          Download

        • memory/2476-51-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/2476-56-0x0000000073E30000-0x000000007451E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2476-63-0x00000000054F0000-0x00000000054F1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2476-53-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/2476-52-0x000000000044CD9E-mapping.dmp

          Download

        • memory/3244-11-0x0000000000000000-mapping.dmp

          Download

        • memory/3244-34-0x0000000007C50000-0x0000000007C51000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3244-123-0x0000000009590000-0x0000000009591000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3244-30-0x0000000007310000-0x0000000007311000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3244-19-0x00000000073B0000-0x00000000073B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3244-16-0x0000000006BB0000-0x0000000006BB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3244-15-0x0000000073E30000-0x000000007451E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/3632-6-0x0000000000000000-mapping.dmp

          Download

        • memory/4200-7-0x0000000000000000-mapping.dmp

          Download

        • memory/4280-45-0x0000000008890000-0x0000000008891000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4280-17-0x0000000073E30000-0x000000007451E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/4280-115-0x0000000009900000-0x0000000009901000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4280-43-0x0000000007FD0000-0x0000000007FD1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4280-27-0x00000000075E0000-0x00000000075E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4280-12-0x0000000000000000-mapping.dmp

          Download

        • memory/4280-54-0x00000000086A0000-0x00000000086A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4320-67-0x0000000000000000-mapping.dmp

          Download

        • memory/4328-14-0x0000000000000000-mapping.dmp

          Download

        • memory/4328-24-0x0000000073E30000-0x000000007451E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/4516-86-0x0000000000000000-mapping.dmp

          Download

        • memory/4644-2-0x0000000073E30000-0x000000007451E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/4644-10-0x0000000009490000-0x0000000009491000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4644-9-0x0000000009920000-0x0000000009921000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4644-8-0x0000000007070000-0x0000000007171000-memory.dmp

          Filesize

          1.0MB

          Download

        • memory/4644-5-0x00000000050E0000-0x00000000050E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4644-3-0x00000000007C0000-0x00000000007C1000-memory.dmp

          Filesize

          4KB

          Download