Analysis

- max time kernel: 130s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 18-04-2022 11:54

Tasks

- Static task: static1
- Behavioral task: behavioral1
- Sample: f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
- Resource: win7-20220414-en
- 0 signatures
- 0 seconds
General

- Target: f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
- Size: 658KB
- MD5: 640951b3332d0b24cd9891c936f92de5
- SHA1: 2acf005cada97d7fe4aded561c69e631b3afb5b8
- SHA256: f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa
- SHA512: 09f339ebbc6f2505550f43fa9d12fc5329c69a52ae343c78d629f864389787c9a35b3b6a81eee375d4f2fce0b76903cfa1b3fed98b9e88588720e38a1ae3e15b
Malware Config
Signatures

HiveRAT Payload (15 IoCs)
yara_rule: family_hiverat for every resource listed below
- behavioral1/memory/2024-59-0x0000000000400000-0x0000000000454000-memory.dmp
- behavioral1/memory/2024-60-0x0000000000400000-0x0000000000454000-memory.dmp
- behavioral1/memory/2024-61-0x0000000000400000-0x0000000000454000-memory.dmp
- behavioral1/memory/2024-62-0x0000000000400000-0x0000000000454000-memory.dmp
- behavioral1/memory/2024-63-0x000000000044C91E-mapping.dmp
- behavioral1/memory/2024-65-0x0000000000400000-0x0000000000454000-memory.dmp
- behavioral1/memory/2024-67-0x0000000000400000-0x0000000000454000-memory.dmp
- behavioral1/memory/2024-69-0x0000000000400000-0x0000000000454000-memory.dmp
- behavioral1/memory/2024-70-0x0000000000400000-0x0000000000454000-memory.dmp
- behavioral1/memory/2024-71-0x0000000000400000-0x0000000000454000-memory.dmp
- behavioral1/memory/2024-72-0x0000000000400000-0x0000000000454000-memory.dmp
- behavioral1/memory/2024-76-0x0000000000400000-0x0000000000454000-memory.dmp
- behavioral1/memory/2024-79-0x0000000000400000-0x0000000000454000-memory.dmp
- behavioral1/memory/2024-80-0x0000000000400000-0x0000000000454000-memory.dmp
- behavioral1/memory/2024-81-0x0000000000400000-0x0000000000454000-memory.dmp

Drops startup file (2 IoCs)
- description: File created; ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SysApp.exe; Process: f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
- description: File opened for modification; ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SysApp.exe; Process: f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe

Suspicious use of SetThreadContext (1 IoC)
- description: PID 1092 set thread context of 2024; pid: 1092; Process: f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe; procid_target: 27

Suspicious behavior: EnumeratesProcesses (37 IoCs)
- pid: 1092; Process: f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe (37 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- pid: 2024; Process: f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
- description: Token: SeDebugPrivilege; pid: 1092; Process: f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
- description: Token: SeDebugPrivilege; pid: 2024; Process: f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe

Suspicious use of WriteProcessMemory (10 IoCs)
- description: PID 1092 wrote to memory of 2024; pid: 1092; Process: f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe; procid_target: 27 (10 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe"
   PID: 1092
   - Drops startup file
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. (child of PID 1092) C:\Users\Admin\AppData\Local\Temp\f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f600e89eba0e7cedaa8637126cf7e900b28e7e2462ad84d4b0ff832c9ec173aa.exe"
      PID: 2024
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken