Analysis Overview
SHA256
a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e
Threat Level: Known bad
The file a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e was found to be: Known bad.
Malicious Activity Summary
HiveRAT
Beds Protector Packer
HiveRAT Payload
Drops startup file
Suspicious use of SetThreadContext
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-05-01 23:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-01 23:25
Reported
2022-05-01 23:28
Platform
win7-20220414-en
Max time kernel
150s
Max time network
44s
Command Line
Signatures
HiveRAT
Beds Protector Packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
HiveRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYS.exe | C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYS.exe | C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2032 set thread context of 1488 | N/A | C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe | C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
"C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe"
C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
"C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
Files
memory/2032-54-0x0000000000AD0000-0x0000000000B28000-memory.dmp
memory/2032-55-0x00000000003E0000-0x000000000042E000-memory.dmp
memory/2032-56-0x00000000759F1000-0x00000000759F3000-memory.dmp
memory/1488-57-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1488-58-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1488-60-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1488-61-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1488-62-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1488-63-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1488-64-0x000000000044C80E-mapping.dmp
memory/1488-66-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1488-68-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1488-70-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1488-72-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1488-71-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1488-73-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1488-77-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1488-80-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1488-81-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1488-82-0x0000000000400000-0x0000000000454000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-01 23:25
Reported
2022-05-01 23:28
Platform
win10v2004-20220414-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
HiveRAT
HiveRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYS.exe | C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SYS.exe | C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2300 set thread context of 1772 | N/A | C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe | C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
"C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe"
C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe
"C:\Users\Admin\AppData\Local\Temp\a89f8ac927cabea259a47a4c7788e3daf95056913070fca186cbd80f35b9ba1e.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 8.248.1.254:80 | | tcp |
| US | 52.168.112.67:443 | | tcp |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
| IE | 20.54.110.249:443 | | tcp |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
| US | 8.8.8.8:53 | 97.97.242.52.in-addr.arpa | udp |
| NL | 104.97.14.80:80 | | tcp |
| NL | 104.97.14.80:80 | | tcp |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
| US | 8.8.8.8:53 | 9.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.3.0.4.0.0.3.0.1.3.0.6.2.ip6.arpa | udp |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
| US | 8.8.8.8:53 | store-images.s-microsoft.com | udp |
| NL | 104.123.41.133:80 | store-images.s-microsoft.com | tcp |
| NL | 104.123.41.133:80 | store-images.s-microsoft.com | tcp |
| NL | 104.123.41.133:80 | store-images.s-microsoft.com | tcp |
| US | 8.8.8.8:53 | tsfe.trafficshaping.dsp.mp.microsoft.com | udp |
| IE | 20.54.110.119:443 | tsfe.trafficshaping.dsp.mp.microsoft.com | tcp |
| NL | 104.123.41.133:80 | store-images.s-microsoft.com | tcp |
| NL | 104.123.41.133:80 | store-images.s-microsoft.com | tcp |
| NL | 104.123.41.133:80 | store-images.s-microsoft.com | tcp |
| IE | 20.54.110.119:443 | tsfe.trafficshaping.dsp.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
| US | 8.8.8.8:53 | dl.delivery.mp.microsoft.com | udp |
| US | 209.197.3.8:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | tlu.dl.delivery.mp.microsoft.com | udp |
| US | 67.27.133.126:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
| US | 67.27.133.126:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 209.197.3.8:80 | dl.delivery.mp.microsoft.com | tcp |
| US | 67.27.133.126:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 67.27.133.126:80 | tlu.dl.delivery.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
| US | 8.8.8.8:53 | bambooo.dynu.net | udp |
Files
memory/2300-130-0x0000000000EC0000-0x0000000000F18000-memory.dmp
memory/2300-131-0x0000000005E20000-0x00000000063C4000-memory.dmp
memory/2300-132-0x0000000005910000-0x00000000059A2000-memory.dmp
memory/2300-133-0x0000000006570000-0x000000000660C000-memory.dmp
memory/1772-134-0x0000000000000000-mapping.dmp
memory/1772-135-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1772-137-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1772-139-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1772-140-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1772-142-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1772-143-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2300-141-0x00000000064F0000-0x00000000064FA000-memory.dmp
memory/1772-147-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1772-150-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1772-151-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1772-152-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1772-158-0x00000000057B0000-0x0000000005816000-memory.dmp