Overview

overview

10

Static

static

93eb342b1d...63.exe

windows7_x64

10

93eb342b1d...63.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    03-05-2022 20:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe

  • Size

    440KB

  • MD5

    18173a14dda8acb4faec79500b81083f

  • SHA1

    0a5324267c4d4befdd89add3c1d8d9c467a85902

  • SHA256

    93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063

  • SHA512

    aa3fc2bf78430ead7177592c58dccaa5fd4ad001e19d195d5fd387b791414c9aad39fb8ea7aff5c303a12f37fc4a94f094de18f7de8119deb890814526c5187a

Score
10/10
hiveratpersistenceratstealer

Malware Config

Signatures

  • HiveRAT

    HiveRAT is an improved version of FirebirdRAT with various capabilities.

    ratstealerhiverat
  • HiveRAT Payload 10 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe
    "C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4908
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4504
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
        3⤵
          PID:824
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
        2⤵
        • Adds Run key to start application
        PID:2488

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Execution.vbs
      Filesize

      524B

      MD5

      e3019120295b6178f061cfe4baeed5ba

      SHA1

      72009d5905db5431bc089533ebb76021cbaa611c

      SHA256

      e35f85ac0d9275bf3750e08b9c46229a90afc486827f6284d0e82fba969bc88b

      SHA512

      c0eac0bbfbca877fb072d5526a30f87be4bb1be5bee35a4866052e406f953ff764da001a671a8218126c55893a61bf7546c15b6db2bbd3917f78b7f44fbb73b4

      Download Submit

    • memory/824-159-0x0000000000000000-mapping.dmp

      Download

    • memory/2488-161-0x0000000000000000-mapping.dmp

      Download

    • memory/4504-142-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4504-147-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4504-135-0x0000000000000000-mapping.dmp

      Download

    • memory/4504-136-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4504-138-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4504-141-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4504-140-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4504-158-0x00000000057C0000-0x0000000005826000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4504-143-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4504-151-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4504-150-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4504-152-0x0000000000400000-0x0000000000454000-memory.dmp

      Filesize

      336KB

      Download

    • memory/4908-134-0x0000000007CC0000-0x0000000007CE2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4908-130-0x0000000000500000-0x0000000000574000-memory.dmp

      Filesize

      464KB

      Download

    • memory/4908-133-0x0000000007830000-0x00000000078C2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4908-132-0x0000000007D00000-0x00000000082A4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4908-131-0x0000000004ED0000-0x0000000004F6C000-memory.dmp

      Filesize

      624KB

      Download