Analysis
-
max time kernel
139s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
15-04-2022 16:06
General
-
Target
d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe
-
Size
644KB
-
MD5
d913182c7a9dd8a042fd88ea903f5ce2
-
SHA1
c2a7ed80c53cc53f0dd82f54f3585f064c144e1f
-
SHA256
d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f
-
SHA512
f2fc1446f4d96d3e1f875f78d7cfc82906845e42892648bea96899688eaae8c81bf98fd3cbf8a1bb7fa483a53c2ab4e21e3ad3c4b0a83d2e27a62ff215a007de
Malware Config
Signatures
-
HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
-
HiveRAT Payload 10 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe"C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgCYazeYwNyo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1369.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"{path}"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs3⤵
-
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"2⤵
- Adds Run key to start application
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
514B
MD56fbcefb8b324ce783f73b19a810f1297
SHA134280ec0bb93b843b02dd44847d3977aed67b99a
SHA256b752575dc6f00086f146d1f22cd19f2b944117056afa8b3800e1e98ed9f47378
SHA51200cf9418d9c991ff6d6de021b8366f2ebb7e8c03a553b8ea72490445a7fba6d4f39ef7d9ff056e97087c286e72cfc5378f7befbb704a9434f09983d54c2440f0
-
Filesize
1KB
MD53de8c14ec96ec303edb27a3d7621fb7c
SHA1fe5e3b9dce8e9642f18a889f907ffd9b2b96457d
SHA256d1ca0e5dbe3e15164cf809c0822d535a2e02cbd7db620fe8d4970f6b5e24553b
SHA512ee1c9714f7a222ab3bccac737f8416ffb73e925855e5c204e248a8dc6db0141b50115276e51116b7d481e9bb1eaa206ebed5dbd0249ba3bf0f3bd2aedd559049
-
Filesize
656KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
5.2MB
-
Filesize
624KB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
336KB
-
Filesize
408KB