Overview

overview

10

Static

static

04d5963e85...6d.exe

windows7_x64

10

04d5963e85...6d.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    164s
  • max time network
    165s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    26-03-2022 14:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe

  • Size

    334KB

  • MD5

    d0dc4b79447268d2d938a31447918a0e

  • SHA1

    a572d0f1d50245baa8f3da4ee8bd3865b8f6d0eb

  • SHA256

    04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d

  • SHA512

    17751c11420f789addcbedbf9fefd140c7b87ac0aa33cf883fa489638f4307bff06e26582601797132c26489d6b453f081e7cff60b761c38097bae3e594f9ae3

Score
10/10
hiveratpersistenceratstealer

Malware Config

Signatures

  • HiveRAT

    HiveRAT is an improved version of FirebirdRAT with various capabilities.

    ratstealerhiverat
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • HiveRAT Payload 10 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe
    "C:\Users\Admin\AppData\Local\Temp\04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4936
    • C:\Users\Admin\AppData\Local\Temp\04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe
      "C:\Users\Admin\AppData\Local\Temp\04d5963e859229bb3c0bb76c311867a0fb150029bd580cdc22118eaabf17516d.exe"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4316
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4316 -s 804
        3⤵
        • Program crash
        PID:1824
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4316 -ip 4316
    1⤵
      PID:3272

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4316-147-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4316-136-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4316-152-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4316-151-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4316-141-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4316-135-0x0000000000000000-mapping.dmp

      Download

    • memory/4316-150-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4316-138-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4316-140-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4316-142-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4316-143-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4936-134-0x00000000058C0000-0x0000000005952000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4936-130-0x0000000000F70000-0x0000000000FCA000-memory.dmp

      Filesize

      360KB

      Download

    • memory/4936-131-0x0000000005F40000-0x00000000064E4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4936-133-0x0000000005A30000-0x0000000005A3A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4936-132-0x0000000005990000-0x0000000005A22000-memory.dmp

      Filesize

      584KB

      Download