Analysis Overview
SHA256
dacb1f83bda72e3242b9f541134724ff871ddbb671afb0698d357fafadf43ef0
Threat Level: Known bad
The file dacb1f83bda72e3242b9f541134724ff871ddbb671afb0698d357fafadf43ef0 was found to be: Known bad.
Malicious Activity Summary
HiveRAT
HiveRAT Payload
Checks computer location settings
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Enumerates physical storage devices
Creates scheduled task(s)
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_win_path
Suspicious behavior: EnumeratesProcesses
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-04-20 02:11
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-04-20 02:11
Reported
2022-04-20 02:15
Platform
win7-20220414-en
Max time kernel
152s
Max time network
172s
Command Line
Signatures
HiveRAT
HiveRAT Payload
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 888 set thread context of 2016 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJRcDllTRTGck" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4B3.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | mail.unalanguvenlik.com | udp |
| TR | 5.2.85.31:587 | mail.unalanguvenlik.com | tcp |
| DE | 79.134.225.37:30490 | N/A | tcp |
Files
memory/888-54-0x0000000075D21000-0x0000000075D23000-memory.dmp
memory/888-55-0x00000000742D0000-0x000000007487B000-memory.dmp
memory/1332-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4B3.tmp
| MD5 | b1dd2d4ec04b955410498da31d3a0e18 |
| SHA1 | 6996b8973b0a1d12763b334b157b434a9162e7a2 |
| SHA256 | 4da63c1ff0a016eb7530d6ed1a14a0037853611e5648f1aee83251b6f37d69eb |
| SHA512 | 94c4ca175168d362d6c9d0c0f1db3aef2eaa14d824209f31da60911b5bac1ab00a93459c839560c2400c868036b847e756d455b049b3f74512b94296ecd5129e |
Analysis: behavioral2
Detonation Overview
Submitted
2022-04-20 02:11
Reported
2022-04-20 02:14
Platform
win10v2004-20220414-en
Max time kernel
155s
Max time network
158s
Command Line
Signatures
HiveRAT
HiveRAT Payload
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4540 set thread context of 1104 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\P.O-00490585693.pdf.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oJRcDllTRTGck" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD107.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
Network
| Country | Destination | Domain | Proto |
| US | 52.182.141.63:443 | N/A | tcp |
| US | 209.197.3.8:80 | N/A | tcp |
| DE | 79.134.225.37:30490 | N/A | tcp |
| US | 8.8.8.8:53 | mail.unalanguvenlik.com | udp |
| TR | 5.2.85.31:587 | mail.unalanguvenlik.com | tcp |
Files
memory/4540-130-0x0000000074C60000-0x0000000075211000-memory.dmp
memory/1424-131-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpD107.tmp
| MD5 | 100b819ca9f5a6565c7e44f3da76c1fc |
| SHA1 | 0458692abc886d7a05093dd6e55d22c0b72a4eb5 |
| SHA256 | c027dd44af02222cca3d300cd748d63d086f370306fbcdeacf4bf066e79032bc |
| SHA512 | f35d9585dd86c9840c6a833d3deda55bafd9c5738ca2d017fc24a833ecbfbe60c022a968069dd41d8cd1b6a2d29aaf9d38094bea187dcdb8a651c995381c573b |