Analysis Overview
SHA256
93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd
Threat Level: Known bad
The file 93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd was found to be: Known bad.
Malicious Activity Summary
HiveRAT
HiveRAT Payload
Beds Protector Packer
Drops startup file
Suspicious use of SetThreadContext
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-04-15 09:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-15 09:36
Reported
2022-04-15 12:31
Platform
win7-20220414-en
Max time kernel
150s
Max time network
75s
Command Line
Signatures
HiveRAT
Beds Protector Packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
HiveRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1532 set thread context of 1196 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe
"C:\Users\Admin\AppData\Local\Temp\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c timeout 5 & powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Local\Temp\\89574.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe'
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Local\Temp\\89574.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe'
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\89574.js"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | holis.plumfixa.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\89574.js
| MD5 | 60c472e8bf90cafd98f3d298652cdd50 |
| SHA1 | 371bd260da522a1b4f893965cce08fa5d69618fa |
| SHA256 | b4f1fb692ecf9f619a45c28459c38a66f2b9ce923a181d7892c13f040806b634 |
| SHA512 | d5733e56ac0011bda134c7c61d0090a031f778805c539b89930d5a97673bfc52e3424fc4c6b374625a2a43c7ea7cc751e968aff84b3cde0015e117eaffe20b92 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-15 09:36
Reported
2022-04-15 12:30
Platform
win10v2004-20220414-en
Max time kernel
151s
Max time network
153s
Command Line
Signatures
HiveRAT
HiveRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4312 set thread context of 3964 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe | N/A |
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe
"C:\Users\Admin\AppData\Local\Temp\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c timeout 5 & powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Local\Temp\\429731.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe'
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Local\Temp\\429731.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe'
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\429731.js"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\93976f0e20d71604b9d3cb4de0046d874f763aa9ef701ef65feaa5d4a8152bdd.exe"
Network
| Country | Destination | Domain | Proto |
| US | 93.184.220.29:80 | | tcp |
| US | 20.189.173.9:443 | | tcp |
| NL | 104.97.14.81:80 | | tcp |
| US | 209.197.3.8:80 | | tcp |
| US | 8.8.8.8:53 | holis.plumfixa.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\429731.js
| MD5 | 60c472e8bf90cafd98f3d298652cdd50 |
| SHA1 | 371bd260da522a1b4f893965cce08fa5d69618fa |
| SHA256 | b4f1fb692ecf9f619a45c28459c38a66f2b9ce923a181d7892c13f040806b634 |
| SHA512 | d5733e56ac0011bda134c7c61d0090a031f778805c539b89930d5a97673bfc52e3424fc4c6b374625a2a43c7ea7cc751e968aff84b3cde0015e117eaffe20b92 |