Analysis

Max time kernel: 139s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 15-04-2022 16:06

Static task: static1

Behavioral task: behavioral1
  Sample: d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe
  Resource: win7-20220414-en

Behavioral task: behavioral2
  Sample: d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe
  Resource: win10v2004-20220414-en
General

Target: d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe
Size: 644KB
MD5: d913182c7a9dd8a042fd88ea903f5ce2
SHA1: c2a7ed80c53cc53f0dd82f54f3585f064c144e1f
SHA256: d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f
SHA512: f2fc1446f4d96d3e1f875f78d7cfc82906845e42892648bea96899688eaae8c81bf98fd3cbf8a1bb7fa483a53c2ab4e21e3ad3c4b0a83d2e27a62ff215a007de
Malware Config
Signatures

HiveRAT Payload (10 IoCs)
Processes (resource / yara_rule):
  behavioral2/memory/3360-139-0x0000000000400000-0x0000000000454000-memory.dmp  family_hiverat
  behavioral2/memory/3360-141-0x0000000000400000-0x0000000000454000-memory.dmp  family_hiverat
  behavioral2/memory/3360-143-0x0000000000400000-0x0000000000454000-memory.dmp  family_hiverat
  behavioral2/memory/3360-144-0x0000000000400000-0x0000000000454000-memory.dmp  family_hiverat
  behavioral2/memory/3360-145-0x0000000000400000-0x0000000000454000-memory.dmp  family_hiverat
  behavioral2/memory/3360-146-0x0000000000400000-0x0000000000454000-memory.dmp  family_hiverat
  behavioral2/memory/3360-150-0x0000000000400000-0x0000000000454000-memory.dmp  family_hiverat
  behavioral2/memory/3360-153-0x0000000000400000-0x0000000000454000-memory.dmp  family_hiverat
  behavioral2/memory/3360-154-0x0000000000400000-0x0000000000454000-memory.dmp  family_hiverat
  behavioral2/memory/3360-155-0x0000000000400000-0x0000000000454000-memory.dmp  family_hiverat
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes (description / ioc / process):
  Key value queried  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation  d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description / ioc / process):
  Key created  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce  WScript.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Avast Essentials = "C:\\Users\\Admin\\AppData\\Roaming\\Avast.exe"  WScript.exe
Suspicious use of SetThreadContext (1 IoCs)
Processes (description / pid / process / target process):
  PID 1756 set thread context of 3360  1756  d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe  MSBuild.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies registry class (1 IoCs)
Processes (description / ioc / process):
  Key created  \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings  explorer.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid / process):
  3360  MSBuild.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description / pid / process):
  Token: SeDebugPrivilege  1756  d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe
  Token: SeDebugPrivilege  3360  MSBuild.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes (description / pid / process / target process):
  PID 1756 wrote to memory of 2684  1756  d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe  schtasks.exe
  PID 1756 wrote to memory of 2684  1756  d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe  schtasks.exe
  PID 1756 wrote to memory of 2684  1756  d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe  schtasks.exe
  PID 1756 wrote to memory of 3360  1756  d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe  MSBuild.exe
  PID 1756 wrote to memory of 3360  1756  d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe  MSBuild.exe
  PID 1756 wrote to memory of 3360  1756  d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe  MSBuild.exe
  PID 1756 wrote to memory of 3360  1756  d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe  MSBuild.exe
  PID 1756 wrote to memory of 3360  1756  d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe  MSBuild.exe
  PID 1756 wrote to memory of 3360  1756  d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe  MSBuild.exe
  PID 1756 wrote to memory of 3360  1756  d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe  MSBuild.exe
  PID 1756 wrote to memory of 3360  1756  d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe  MSBuild.exe
  PID 1756 wrote to memory of 3360  1756  d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe  MSBuild.exe
  PID 3360 wrote to memory of 3704  3360  MSBuild.exe  explorer.exe
  PID 3360 wrote to memory of 3704  3360  MSBuild.exe  explorer.exe
  PID 3360 wrote to memory of 3704  3360  MSBuild.exe  explorer.exe
  PID 4128 wrote to memory of 4792  4128  explorer.exe  WScript.exe
  PID 4128 wrote to memory of 4792  4128  explorer.exe  WScript.exe
Processes

C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe (PID 1756)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (PID 2684)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgCYazeYwNyo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1369.tmp"
    - Creates scheduled task(s)

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (PID 3360)
    Command line: "{path}"
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\explorer.exe (PID 3704)
      Command line: "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs

C:\Windows\explorer.exe (PID 4128)
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WScript.exe (PID 4792)
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
    - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v6
Downloads

Dropped file 1
  Filesize: 514B
  MD5: 6fbcefb8b324ce783f73b19a810f1297
  SHA1: 34280ec0bb93b843b02dd44847d3977aed67b99a
  SHA256: b752575dc6f00086f146d1f22cd19f2b944117056afa8b3800e1e98ed9f47378
  SHA512: 00cf9418d9c991ff6d6de021b8366f2ebb7e8c03a553b8ea72490445a7fba6d4f39ef7d9ff056e97087c286e72cfc5378f7befbb704a9434f09983d54c2440f0

Dropped file 2
  Filesize: 1KB
  MD5: 3de8c14ec96ec303edb27a3d7621fb7c
  SHA1: fe5e3b9dce8e9642f18a889f907ffd9b2b96457d
  SHA256: d1ca0e5dbe3e15164cf809c0822d535a2e02cbd7db620fe8d4970f6b5e24553b
  SHA512: ee1c9714f7a222ab3bccac737f8416ffb73e925855e5c204e248a8dc6db0141b50115276e51116b7d481e9bb1eaa206ebed5dbd0249ba3bf0f3bd2aedd559049