Overview

overview

10

Static

static

2f26ea19a8...bf.exe

windows7_x64

10

2f26ea19a8...bf.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    28-02-2021 07:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2f26ea19a8fdb167b8593e8eec03c37248b6e5008f0b9ee5fb7d326cbe6500bf.exe

  • Size

    743KB

  • MD5

    b9000bb1ebd5843afc9f524c5b2b4cb0

  • SHA1

    9ce98360d731abf87c11c535184c57095bdb70ce

  • SHA256

    2f26ea19a8fdb167b8593e8eec03c37248b6e5008f0b9ee5fb7d326cbe6500bf

  • SHA512

    e714c718a21cc2090c8b6d829dfa2c23d9543c37dbc9383b9c5126d071e98a389ef1a45fbf71087a2574a9defd23f3996eb50e3507fcc3acb786da1beb33cef5

Score
10/10
hiveratagilenetpersistenceratstealer

Malware Config

Signatures

  • HiveRAT

    HiveRAT is an improved version of FirebirdRAT with various capabilities.

    ratstealerhiverat
  • HiveRAT Payload 4 IoCs
  • Executes dropped EXE 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2f26ea19a8fdb167b8593e8eec03c37248b6e5008f0b9ee5fb7d326cbe6500bf.exe
    "C:\Users\Admin\AppData\Local\Temp\2f26ea19a8fdb167b8593e8eec03c37248b6e5008f0b9ee5fb7d326cbe6500bf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:652
    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution5.vbs"
        3⤵
          PID:3628
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution2.vbs"
          3⤵
          • Adds Run key to start application
          PID:2604
        • C:\Windows\SysWOW64\explorer.exe
          "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
          3⤵
            PID:3916
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        1⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3936
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
          2⤵
          • Adds Run key to start application
          PID:1212

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/652-6-0x00000000022F0000-0x00000000022FB000-memory.dmp

        Filesize

        44KB

        Download

      • memory/652-9-0x00000000048E1000-0x00000000048E2000-memory.dmp

        Filesize

        4KB

        Download

      • memory/652-10-0x0000000004E70000-0x0000000004E73000-memory.dmp

        Filesize

        12KB

        Download

      • memory/652-8-0x00000000050E0000-0x00000000050E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/652-7-0x00000000054F0000-0x00000000054F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/652-5-0x00000000048E0000-0x00000000048E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/652-2-0x0000000073FF0000-0x00000000746DE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/652-3-0x0000000000040000-0x0000000000041000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1704-15-0x0000000073FF0000-0x00000000746DE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1704-21-0x0000000005000000-0x0000000005001000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1704-22-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

        Download

      • memory/1704-23-0x0000000004D70000-0x0000000004D71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1704-20-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1704-16-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

        Download

      • memory/1704-11-0x0000000000400000-0x0000000000454000-memory.dmp

        Filesize

        336KB

        Download