Malware Analysis Report

2024-10-24 16:30

Sample ID 220502-syd79aafgl
Target 6f783068f1ecfe069c05c77b74493323f6c8d4533eb1a07d20607c0e71f3c5f7
SHA256 6f783068f1ecfe069c05c77b74493323f6c8d4533eb1a07d20607c0e71f3c5f7
Tags
hiverat collection rat stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6f783068f1ecfe069c05c77b74493323f6c8d4533eb1a07d20607c0e71f3c5f7

Threat Level: Known bad

The file 6f783068f1ecfe069c05c77b74493323f6c8d4533eb1a07d20607c0e71f3c5f7 was found to be: Known bad.

Malicious Activity Summary

hiverat collection rat stealer

Observed chain (identical on both platforms): the dropper, delivered with a double extension (P.O_0006983487302.pdf.exe), registers a scheduled task named Updates\XrQsKzeyFnDhV from an XML file it first writes to the user's Temp directory, then starts C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, writes into that child and calls SetThreadContext on it, i.e. it injects its payload into a legitimate .NET Framework utility. The injected RegSvcs.exe opens the Outlook profile registry keys (mail credential collection), enables SeDebugPrivilege, and makes repeated TCP connections to 79.134.225.37:30490 (DE) while the sandbox also records DNS lookups for mail.unalanguvenlik.com. The report does not show the DNS answers, so the domain and the IP are separate indicators; the table does not prove that one resolves to the other.

HiveRAT

HiveRAT Payload

Checks computer location settings

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Creates scheduled task(s)

outlook_office_path

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-02 15:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-02 15:31

Reported

2022-05-02 16:14

Platform

win7-20220414-en

Max time kernel

152s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe"

Signatures

HiveRAT

rat stealer hiverat

HiveRAT Payload

Description Indicator Process Target
(15 matches; the export carries no description, indicator, process or target for any of them, all N/A)

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1692 set thread context of 1240 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1692 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1692 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1692 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 1692 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1692 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1692 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1692 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1692 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1692 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1692 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1692 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1692 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1692 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1692 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1692 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1692 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-790309383-526510583-3802439154-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XrQsKzeyFnDhV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp79D2.tmp"
(the command line names System32 but the image that actually ran is the SysWOW64 copy: the parent is a 32-bit process, so WoW64 file-system redirection resolved its System32 path to SysWOW64; hunt on the image path, not on the command line)

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
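Detection logic for the chain recorded above, as an added example that is not part of the sandbox output. It replays the behavioral1 observations (dropper PID 1692 spawning schtasks.exe PID 1720 and RegSvcs.exe PID 1240, the memory writes into both children, the SetThreadContext call on RegSvcs.exe only) as a constructed event list in the shape of this report's signature tables, and applies three rules: an executable with a double extension; schtasks /Create fed an XML from the user's Temp directory by a parent that itself lives in Temp; and WriteProcessMemory plus SetThreadContext from a parent into a child that is a known .NET host binary. The field names, the dropper's own parent PID, the host-binary list and the event shape are assumptions of the example. Image paths are normalised so SysWOW64 folds onto System32, and the write into schtasks.exe, which has no matching SetThreadContext, is deliberately not flagged.

```python
"""Rules for the persistence + injection chain in this report (added example)."""
import re
from collections import defaultdict

# Constructed event list mirroring the behavioral1 signature tables.
# Field names and event shape are assumptions, not a sandbox export format.
# The dropper's own parent PID (1000) is a placeholder; the report does not give it.
EVENTS = [
    {"event": "ProcessCreate", "pid": 1692, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe"'},
    {"event": "ProcessCreate", "pid": 1720, "ppid": 1692,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XrQsKzeyFnDhV" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp79D2.tmp"'},
    {"event": "ProcessCreate", "pid": 1240, "ppid": 1692,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    # Write into the schtasks child is in the report, but no SetThreadContext follows it.
    {"event": "WriteProcessMemory", "source_pid": 1692, "target_pid": 1720},
    {"event": "WriteProcessMemory", "source_pid": 1692, "target_pid": 1240},
    {"event": "SetThreadContext", "source_pid": 1692, "target_pid": 1240},
]

TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
LURE_RE = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)\.exe$", re.I)
TN_RE = re.compile(r'/tn\s+"?([^"\s]+)"?', re.I)
XML_RE = re.compile(r'/xml\s+"?([^"]+)"?', re.I)

# .NET Framework binaries commonly used as injection hosts (assumed list; RegSvcs.exe is the one seen here).
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
                "aspnet_compiler.exe", "applaunch.exe"}


def normalize_image(path):
    """Lower-case and fold the WoW64 directory onto System32, so a rule written
    against System32\\schtasks.exe also matches the 32-bit copy the report shows."""
    return path.lower().replace("\\syswow64\\", "\\system32\\")


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def analyze(events):
    """Return a list of findings, one dict per rule hit."""
    procs = {e["pid"]: e for e in events if e["event"] == "ProcessCreate"}
    findings = []

    # Rule 1: executable whose name ends in <document extension>.exe
    for e in procs.values():
        if LURE_RE.search(basename(e["image"])):
            findings.append({"rule": "double_extension_lure", "pid": e["pid"], "image": e["image"]})

    # Rule 2: schtasks /Create with an XML in Temp, spawned by a parent that also runs from Temp
    for e in procs.values():
        if basename(normalize_image(e["image"])) != "schtasks.exe":
            continue
        if "/create" not in e["cmdline"].lower():
            continue
        xml = XML_RE.search(e["cmdline"])
        parent = procs.get(e["ppid"])
        if xml and TEMP_RE.search(xml.group(1)) and parent and TEMP_RE.search(parent["image"]):
            tn = TN_RE.search(e["cmdline"])
            findings.append({"rule": "schtasks_xml_from_temp", "pid": e["pid"],
                             "parent_pid": e["ppid"],
                             "task_name": tn.group(1) if tn else None, "xml": xml.group(1)})

    # Rule 3: parent writes into a child it created AND rewrites its thread context,
    # and the child is a known .NET host binary: the report's injection pattern.
    touched = defaultdict(set)
    for e in events:
        if e["event"] in ("WriteProcessMemory", "SetThreadContext"):
            touched[(e["source_pid"], e["target_pid"])].add(e["event"])
    for (src, dst), ops in touched.items():
        target = procs.get(dst)
        if target is None or {"WriteProcessMemory", "SetThreadContext"} - ops:
            continue  # a bare memory write (schtasks child) is not enough on its own
        if target["ppid"] == src and basename(target["image"]) in HOLLOW_HOSTS:
            findings.append({"rule": "process_hollowing", "source_pid": src,
                             "target_pid": dst, "target_image": target["image"]})
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f)
```

Rule 3 requires the child to have been created by the same process that later writes to it; an injection into an already running RegSvcs.exe would need a separate rule keyed on the target image alone, at the cost of more noise from legitimate debuggers.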

Network

Country Destination Domain Proto
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
US 8.8.8.8:53 mail.unalanguvenlik.com udp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp

Files

memory/1692-54-0x0000000000B90000-0x0000000000C2C000-memory.dmp

memory/1692-55-0x0000000075951000-0x0000000075953000-memory.dmp

memory/1692-56-0x00000000002A0000-0x00000000002B0000-memory.dmp

memory/1692-57-0x0000000004D90000-0x0000000004E0A000-memory.dmp

memory/1692-58-0x0000000000A50000-0x0000000000AA2000-memory.dmp

memory/1720-59-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp79D2.tmp

MD5 659452c39565caeb2cb8c11a4a3df15d
SHA1 169d5f111111de5720f1e3b35d645e90df631dfc
SHA256 62ee1113e8dc700a9f04f149366ee1808b9e6fd8b5f30424f2ce087e2dd1e266
SHA512 3e9e814f2f932667590c5efd95e4cc195b85e7fd87cd3c275d25764a7fc4f449544ca88e4196f1dc5bd39584b02179eaade51b9046670b31342e18658e742e12

memory/1240-61-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1240-62-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1240-64-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1240-65-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1240-66-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1240-67-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1240-68-0x000000000044C85E-mapping.dmp

memory/1240-70-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1240-72-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1240-74-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1240-75-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1240-76-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1240-77-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1240-81-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1240-84-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1240-85-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1240-86-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1240-93-0x00000000043F5000-0x0000000004406000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-02 15:31

Reported

2022-05-02 16:14

Platform

win10v2004-20220414-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe"

Signatures

HiveRAT

rat stealer hiverat

HiveRAT Payload

Description Indicator Process Target
(10 matches; the export carries no description, indicator, process or target for any of them, all N/A)

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4304 set thread context of 2488 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4304 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 4304 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 4304 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 4304 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4304 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4304 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4304 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4304 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4304 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4304 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4304 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4304 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe

"C:\Users\Admin\AppData\Local\Temp\P.O_0006983487302.pdf.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XrQsKzeyFnDhV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp80B9.tmp"
(as on Windows 7, the image that ran is the SysWOW64 copy although the command line names System32: WoW64 file-system redirection for a 32-bit parent)

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp
FR 2.18.109.224:443 storesdk.dsx.mp.microsoft.com tcp
US 20.44.10.122:443 tcp
NL 8.248.7.254:80 tcp
US 8.8.8.8:53 mail.unalanguvenlik.com udp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
NL 8.248.7.254:80 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
US 8.8.8.8:53 mail.unalanguvenlik.com udp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
DE 79.134.225.37:30490 tcp
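IOC triage over the behavioral2 Network table above, as an added example that is not sandbox output. The rows are those of the table (the runs of identical 79.134.225.37:30490 rows are written as list multiplication with the table's counts, 5, 15 and 9); the allow-list of sandbox background domains, the resolver set and the beacon threshold are assumptions of the example. DNS answers are not in the report, so the code keeps the looked-up domain and the beaconed socket as separate indicators instead of asserting that mail.unalanguvenlik.com resolves to 79.134.225.37.

```python
"""Separate C2 beacon candidates from sandbox background traffic (added example)."""
from collections import Counter, defaultdict

# Rows of the behavioral2 Network table; repeated rows use the table's counts.
ROWS = (
    ["US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp",
     "FR 2.18.109.224:443 storesdk.dsx.mp.microsoft.com tcp",
     "US 20.44.10.122:443 tcp",
     "NL 8.248.7.254:80 tcp",
     "US 8.8.8.8:53 mail.unalanguvenlik.com udp"]
    + ["DE 79.134.225.37:30490 tcp"] * 5
    + ["NL 8.248.7.254:80 tcp"]
    + ["DE 79.134.225.37:30490 tcp"] * 15
    + ["US 8.8.8.8:53 mail.unalanguvenlik.com udp"]
    + ["DE 79.134.225.37:30490 tcp"] * 9
)

# Assumed allow-list of OS/sandbox background domains (not from the report).
BENIGN_SUFFIXES = ("microsoft.com", "windowsupdate.com", "msftconnecttest.com")
DNS_RESOLVERS = {"8.8.8.8"}   # the sandbox's resolver; lookups are recorded, answers are not
BEACON_MIN = 5                # repeated connections to one socket before it is a beacon candidate


def parse_row(row):
    """'Country Destination [Domain] Proto' -> dict; Domain is optional in the table."""
    parts = row.split()
    if len(parts) == 4:
        country, dest, domain, proto = parts
    elif len(parts) == 3:
        country, dest, proto = parts
        domain = None
    else:
        raise ValueError(f"unexpected row: {row!r}")
    ip, port = dest.rsplit(":", 1)
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}


def is_benign(domain):
    return domain is not None and domain.lower().endswith(BENIGN_SUFFIXES)


def triage(rows):
    events = [parse_row(r) for r in rows]
    dns = Counter()                 # domains looked up, excluding allow-listed ones
    sockets = Counter()             # (ip, port, proto) -> connection count
    domain_for = defaultdict(set)   # sockets the table itself labels with a domain
    for e in events:
        if e["port"] == 53 and e["ip"] in DNS_RESOLVERS:
            if e["domain"] and not is_benign(e["domain"]):
                dns[e["domain"]] += 1
            continue
        if is_benign(e["domain"]):
            continue
        key = (e["ip"], e["port"], e["proto"])
        sockets[key] += 1
        if e["domain"]:
            domain_for[(e["ip"], e["port"])].add(e["domain"])
    beacons = [(ip, port, proto, n) for (ip, port, proto), n in sockets.items() if n >= BEACON_MIN]
    low = [(ip, port, proto, n) for (ip, port, proto), n in sockets.items() if n < BEACON_MIN]
    return {
        "beacon_candidates": beacons,
        "dns_lookups": dict(dns),
        "unattributed": low,           # few connections, no domain: leave for manual review
        "domain_for": {k: sorted(v) for k, v in domain_for.items()},
    }


if __name__ == "__main__":
    for k, v in triage(ROWS).items():
        print(k, v)
```

The count threshold, not the port number, drives the beacon verdict: 30490 is an unusual port, but the same logic would still surface a C2 on 443 as long as it is not hidden behind an allow-listed domain. The two low-count destinations without a domain (20.44.10.122:443, 8.248.7.254:80) stay in the unattributed bucket rather than being silently dropped.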

Files

memory/4304-130-0x0000000000E90000-0x0000000000F2C000-memory.dmp

memory/4304-131-0x0000000005EB0000-0x0000000006454000-memory.dmp

memory/4304-132-0x0000000005900000-0x0000000005992000-memory.dmp

memory/4304-133-0x00000000059A0000-0x0000000005A3C000-memory.dmp

memory/4304-134-0x00000000058B0000-0x00000000058BA000-memory.dmp

memory/2904-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\tmp80B9.tmp

MD5 cd9f3a5d54121459a27c1b3227859391
SHA1 068b489367cd9dec82afc39f58635c8231937ee3
SHA256 e00aff33f962e6063369d090d0cd578217874f18b1ac550d85a446862a991beb
SHA512 f826befaea707c1591427f9fadb1a34e2962f83409f2b95e5ba0ab3e03e06124c090ef9549c6b4066a735e312c400af41edae36ff43097ce8c690f64937d7d08

memory/2488-137-0x0000000000000000-mapping.dmp

memory/2488-138-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2488-140-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2488-142-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2488-143-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2488-144-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2488-145-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2488-149-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2488-152-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2488-153-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2488-154-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2488-160-0x0000000005500000-0x0000000005566000-memory.dmp

memory/2488-161-0x0000000006A80000-0x0000000006AD0000-memory.dmp