Analysis Overview
SHA256
d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f
Threat Level: Known bad
The file d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f was found to be: Known bad.
Malicious Activity Summary
HiveRAT
HiveRAT Payload
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-15 16:06
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-15 16:06
Reported
2022-04-15 18:42
Platform
win7-20220414-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
HiveRAT
HiveRAT Payload
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Avast Essentials = "C:\\Users\\Admin\\AppData\\Roaming\\Avast.exe" | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 656 set thread context of 892 | N/A | C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe
"C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgCYazeYwNyo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCB7A.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"{path}"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"{path}"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"{path}"
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 172.111.134.17:2807 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpCB7A.tmp
| MD5 | 8ad59fa1cad4806aec0ae194207cf3b4 |
| SHA1 | 04926cbf019cdfe70ff25771a050bdfe9f52ca9c |
| SHA256 | 8b172aac84138d93e8e9b07fb8b39ddf4aad43cf3f428b9df6facbde1d63f5a1 |
| SHA512 | c571806603ab473f3c17def6031384c0c6e58b60fa048abff489811d0047582f96752145c00916c50624d4aa5fa41c0f34b121714e97b03bf164a5a7a604086d |
C:\Users\Admin\AppData\Local\Execution.vbs
| MD5 | 6fbcefb8b324ce783f73b19a810f1297 |
| SHA1 | 34280ec0bb93b843b02dd44847d3977aed67b99a |
| SHA256 | b752575dc6f00086f146d1f22cd19f2b944117056afa8b3800e1e98ed9f47378 |
| SHA512 | 00cf9418d9c991ff6d6de021b8366f2ebb7e8c03a553b8ea72490445a7fba6d4f39ef7d9ff056e97087c286e72cfc5378f7befbb704a9434f09983d54c2440f0 |
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-15 16:06
Reported
2022-04-15 18:42
Platform
win10v2004-20220414-en
Max time kernel
139s
Max time network
150s
Command Line
Signatures
HiveRAT
HiveRAT Payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Avast Essentials = "C:\\Users\\Admin\\AppData\\Roaming\\Avast.exe" | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1756 set thread context of 3360 | N/A | C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe
"C:\Users\Admin\AppData\Local\Temp\d734a95229f09cd5da88c9bbc0de8dffa9fe5d7b05408d15cf915b170e8da40f.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bgCYazeYwNyo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1369.tmp"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"{path}"
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
Network
| Country | Destination | Domain | Proto |
| NL | 88.221.144.179:80 | | tcp |
| US | 13.89.178.26:443 | | tcp |
| US | 172.111.134.17:2807 | | tcp |
| NL | 104.110.191.133:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp1369.tmp
| MD5 | 3de8c14ec96ec303edb27a3d7621fb7c |
| SHA1 | fe5e3b9dce8e9642f18a889f907ffd9b2b96457d |
| SHA256 | d1ca0e5dbe3e15164cf809c0822d535a2e02cbd7db620fe8d4970f6b5e24553b |
| SHA512 | ee1c9714f7a222ab3bccac737f8416ffb73e925855e5c204e248a8dc6db0141b50115276e51116b7d481e9bb1eaa206ebed5dbd0249ba3bf0f3bd2aedd559049 |
C:\Users\Admin\AppData\Local\Execution.vbs
| MD5 | 6fbcefb8b324ce783f73b19a810f1297 |
| SHA1 | 34280ec0bb93b843b02dd44847d3977aed67b99a |
| SHA256 | b752575dc6f00086f146d1f22cd19f2b944117056afa8b3800e1e98ed9f47378 |
| SHA512 | 00cf9418d9c991ff6d6de021b8366f2ebb7e8c03a553b8ea72490445a7fba6d4f39ef7d9ff056e97087c286e72cfc5378f7befbb704a9434f09983d54c2440f0 |