Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
01-12-2020 14:48
General
-
Target
NEW SC.cmd.exe
-
Size
14KB
-
MD5
870ffbc1a133083f10fadf93cf28f706
-
SHA1
eddbe2346d62a6925634abd5dfe2d6f6b0ff3a5b
-
SHA256
f49c3157e749609acf89ae453958b7d4f1fc165941e6e998271b0caee1f0cf35
-
SHA512
f6b65b12ccadc42cfecc2130399cab9beadf4447dfbae09c523c3e7dc7eacf881be2d7590942f49e1270c3d8c3d793cfb293006696300c56ab5320b66d8f835b
Malware Config
Signatures
-
HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Windows security bypass 2 TTPs
-
HiveRAT Payload 3 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Windows security modification 2 TTPs 11 IoCs
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of SetThreadContext 1 IoCs
-
Delays execution with timeout.exe 1 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 38 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe"C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe"1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 4.6382⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 4.6383⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEW SC.cmd.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEW SC.cmd.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NEW SC.cmd.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe"C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe"C:\Users\Admin\AppData\Local\Temp\NEW SC.cmd.exe"2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution2.vbs"3⤵
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs3⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"2⤵
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Execution.vbsMD5
5d714082ad8fee00bc16741de8e79fdf
SHA1b4eb28a309103dbb49e77a06a6d5dacaef1af70c
SHA2568d5e64e451d157e463e81a1bb013b6aa96bdad0bf15103d8560628c0e038d38b
SHA5125bb0983e2db9acbdd317091313b68db8fb0eb531f2cad4dd2fd4ff2bc2bf64abe8e5d327839a1c212ebffe46c5f448ec7154334b267e3e91767ac98292ff51f5
-
C:\Users\Admin\AppData\Local\Execution2.vbsMD5
458841d642abb8d0ca9d4d18daaf8cd4
SHA1f38e4a187ae5df2da29e2b63f33c62f5cbce45ac
SHA2566a37a7f21cb1937bca4c31a9286f5f5d3b65826e86ea5b4b2bf5def1f2675244
SHA512b8d5c588de619bb7ebe07c7490ff334c6985d1bf8c535d7df0c48c053abeba5b44336b4a4e2ffec50a737a4d50830888e57fe7b560ec8efb909a9cbe1ab24df1
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NEW SC.cmd.exe.logMD5
df2fd19969dddc6b501510424ad56e6d
SHA15dc0554605376758094d0a099739317bcfd76b78
SHA25673918a4e628877d0e24eecdfd0fd1306b6f5e15c0d9d49a996a81f920a99d05d
SHA512d65586af8033862682bc6689f381e79d985c63516fe9335fa81e690fd4f23d92a3106f825604138f2ddbbd202477d9cf451fa0f6f70b1ec193e1d148021d8875
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
db01a2c1c7e70b2b038edf8ad5ad9826
SHA1540217c647a73bad8d8a79e3a0f3998b5abd199b
SHA256413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d
SHA512c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
53ec26f5a03fac917c51185a16960bb5
SHA19058c36f33fdfbae5d954308e6b062ae81aeb193
SHA25676ad58e2e5154b84bddadf2df4118a80110844552b786102a698072e91ac0315
SHA512c55237f6fd0d7f272d8e4e2e8b3733e6f7e82a7e351697f29efafbfd1f76b230f20d82a3f3040e4af3688d159701b6b2e085d08d48c5add4d056d07d4f9acaa8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
69964b5b631e80062987b44fd1eb00a4
SHA1fddf2076d70631e5fd647e2495126d178857bddd
SHA256fba42e04b0a2a05c3c1fbed5f789d190eec83e661911701c2d31af5580d17a67
SHA5123c1556541b54bcec2da87a1099793874d95d0c74587c418532c5c308913b28fb29755c3eac0b5207c6704ab0d5460936ddd0c23f4d9a4bacc7d133993bdc656c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
b0c0c918dd5ce1250f5766b767a51b70
SHA1e0bd3e08aa3c730e568cf66c15199b8c4fde71bb
SHA256db642d55cc078aa26b9b2561d80878f1efdefa07ac60fc8cba4f4a199a1ca8a2
SHA5124833db81a34f1b6014be460ec495ac1b7b08d44079ba7b273ca43fe1c72cce441bced5980a7704a23abbd75d71e741522eb0f4096a55be771e977ab3300916a3
-
memory/1256-66-0x0000000000000000-mapping.dmp
-
memory/1900-92-0x0000000009110000-0x0000000009111000-memory.dmpFilesize
4KB
-
memory/1900-13-0x0000000000000000-mapping.dmp
-
memory/1900-96-0x0000000009480000-0x0000000009481000-memory.dmpFilesize
4KB
-
memory/1900-18-0x0000000073E30000-0x000000007451E000-memory.dmpFilesize
6.9MB
-
memory/1900-109-0x0000000009650000-0x0000000009651000-memory.dmpFilesize
4KB
-
memory/1900-71-0x0000000009350000-0x0000000009383000-memory.dmpFilesize
204KB
-
memory/2476-51-0x0000000000400000-0x0000000000454000-memory.dmpFilesize
336KB
-
memory/2476-56-0x0000000073E30000-0x000000007451E000-memory.dmpFilesize
6.9MB
-
memory/2476-63-0x00000000054F0000-0x00000000054F1000-memory.dmpFilesize
4KB
-
memory/2476-53-0x0000000000400000-0x0000000000454000-memory.dmpFilesize
336KB
-
memory/2476-52-0x000000000044CD9E-mapping.dmp
-
memory/3244-11-0x0000000000000000-mapping.dmp
-
memory/3244-34-0x0000000007C50000-0x0000000007C51000-memory.dmpFilesize
4KB
-
memory/3244-123-0x0000000009590000-0x0000000009591000-memory.dmpFilesize
4KB
-
memory/3244-30-0x0000000007310000-0x0000000007311000-memory.dmpFilesize
4KB
-
memory/3244-19-0x00000000073B0000-0x00000000073B1000-memory.dmpFilesize
4KB
-
memory/3244-16-0x0000000006BB0000-0x0000000006BB1000-memory.dmpFilesize
4KB
-
memory/3244-15-0x0000000073E30000-0x000000007451E000-memory.dmpFilesize
6.9MB
-
memory/3632-6-0x0000000000000000-mapping.dmp
-
memory/4200-7-0x0000000000000000-mapping.dmp
-
memory/4280-45-0x0000000008890000-0x0000000008891000-memory.dmpFilesize
4KB
-
memory/4280-17-0x0000000073E30000-0x000000007451E000-memory.dmpFilesize
6.9MB
-
memory/4280-115-0x0000000009900000-0x0000000009901000-memory.dmpFilesize
4KB
-
memory/4280-43-0x0000000007FD0000-0x0000000007FD1000-memory.dmpFilesize
4KB
-
memory/4280-27-0x00000000075E0000-0x00000000075E1000-memory.dmpFilesize
4KB
-
memory/4280-12-0x0000000000000000-mapping.dmp
-
memory/4280-54-0x00000000086A0000-0x00000000086A1000-memory.dmpFilesize
4KB
-
memory/4320-67-0x0000000000000000-mapping.dmp
-
memory/4328-14-0x0000000000000000-mapping.dmp
-
memory/4328-24-0x0000000073E30000-0x000000007451E000-memory.dmpFilesize
6.9MB
-
memory/4516-86-0x0000000000000000-mapping.dmp
-
memory/4644-2-0x0000000073E30000-0x000000007451E000-memory.dmpFilesize
6.9MB
-
memory/4644-10-0x0000000009490000-0x0000000009491000-memory.dmpFilesize
4KB
-
memory/4644-9-0x0000000009920000-0x0000000009921000-memory.dmpFilesize
4KB
-
memory/4644-8-0x0000000007070000-0x0000000007171000-memory.dmpFilesize
1.0MB
-
memory/4644-5-0x00000000050E0000-0x00000000050E1000-memory.dmpFilesize
4KB
-
memory/4644-3-0x00000000007C0000-0x00000000007C1000-memory.dmpFilesize
4KB