Overview

overview

10

Static

static

d734a95229...0f.exe

windows7_x64

10

d734a95229...0f.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    15-04-2022 16:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe

  • Size

    644KB

  • MD5

    d913182c7a9dd8a042fd88ea903f5ce2

  • SHA1

    c2a7ed80c53cc53f0dd82f54f3585f064c144e1f

  • SHA256

    d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f

  • SHA512

    f2fc1446f4d96d3e1f875f78d7cfc82906845e42892648bea96899688eaae8c81bf98fd3cbf8a1bb7fa483a53c2ab4e21e3ad3c4b0a83d2e27a62ff215a007de

Score
10/10
hiveratpersistenceratstealer

Malware Config

Signatures

  • HiveRAT

    HiveRAT is an improved version of FirebirdRAT with various capabilities.

    ratstealerhiverat
  • HiveRAT Payload 15 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe
    "C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:656
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgCYazeYwNyo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCB7A.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1804
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "{path}"
      2⤵
        PID:2032
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "{path}"
        2⤵
          PID:2036
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "{path}"
          2⤵
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:892
          • C:\Windows\SysWOW64\explorer.exe
            "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
            3⤵
              PID:2040
        • C:\Windows\explorer.exe
          C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:1580
          • C:\Windows\System32\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
            2⤵
            • Adds Run key to start application
            PID:1896

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Execution.vbs
          Filesize

          514B

          MD5

          6fbcefb8b324ce783f73b19a810f1297

          SHA1

          34280ec0bb93b843b02dd44847d3977aed67b99a

          SHA256

          b752575dc6f00086f146d1f22cd19f2b944117056afa8b3800e1e98ed9f47378

          SHA512

          00cf9418d9c991ff6d6de021b8366f2ebb7e8c03a553b8ea72490445a7fba6d4f39ef7d9ff056e97087c286e72cfc5378f7befbb704a9434f09983d54c2440f0

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\tmpCB7A.tmp
          Filesize

          1KB

          MD5

          8ad59fa1cad4806aec0ae194207cf3b4

          SHA1

          04926cbf019cdfe70ff25771a050bdfe9f52ca9c

          SHA256

          8b172aac84138d93e8e9b07fb8b39ddf4aad43cf3f428b9df6facbde1d63f5a1

          SHA512

          c571806603ab473f3c17def6031384c0c6e58b60fa048abff489811d0047582f96752145c00916c50624d4aa5fa41c0f34b121714e97b03bf164a5a7a604086d

          Download Submit

        • memory/656-54-0x0000000010120000-0x00000000101C4000-memory.dmp

          Filesize

          656KB

          Download

        • memory/656-55-0x0000000000620000-0x000000000063C000-memory.dmp

          Filesize

          112KB

          Download

        • memory/656-56-0x0000000008150000-0x00000000081F4000-memory.dmp

          Filesize

          656KB

          Download

        • memory/892-73-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/892-75-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/892-62-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/892-63-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/892-64-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/892-65-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/892-66-0x000000000044CB1E-mapping.dmp

          Download

        • memory/892-68-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/892-70-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/892-59-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/892-74-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/892-60-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/892-72-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/892-79-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/892-82-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/892-83-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/892-84-0x0000000000400000-0x0000000000454000-memory.dmp

          Filesize

          336KB

          Download

        • memory/1580-93-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1804-57-0x0000000000000000-mapping.dmp

          Download

        • memory/1896-95-0x0000000000000000-mapping.dmp

          Download

        • memory/2040-90-0x0000000000000000-mapping.dmp

          Download

        • memory/2040-91-0x00000000755A1000-0x00000000755A3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/2040-92-0x000000006EA91000-0x000000006EA93000-memory.dmp

          Filesize

          8KB

          Download