Analysis Overview
SHA256
93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063
Threat Level: Known bad
The file 93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063 was found to be: Known bad.
Malicious Activity Summary
HiveRAT
HiveRAT Payload
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-03 20:28
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-03 20:28
Reported
2022-05-03 20:30
Platform
win7-20220414-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
HiveRAT
HiveRAT Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\AvastEssentialse = "C:\\Users\\Admin\\AppData\\Roaming\\Avastae.exe" | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1672 set thread context of 1472 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe
"C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | yosire.duckdns.org | udp |
| US | 8.8.8.8:53 | yosire.duckdns.org | udp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| US | 8.8.8.8:53 | yosire.duckdns.org | udp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
Files
memory/1672-54-0x0000000000EC0000-0x0000000000F34000-memory.dmp
memory/1672-55-0x00000000753B1000-0x00000000753B3000-memory.dmp
memory/1672-56-0x0000000000210000-0x0000000000230000-memory.dmp
memory/1672-57-0x00000000002C0000-0x00000000002E4000-memory.dmp
memory/1672-58-0x0000000000510000-0x0000000000522000-memory.dmp
memory/1472-59-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1472-60-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1472-62-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1472-63-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1472-64-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1472-65-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1472-66-0x000000000044C95E-mapping.dmp
memory/1472-68-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1472-70-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1472-72-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1472-73-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1472-74-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1472-75-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1472-79-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1472-82-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1472-84-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1472-83-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1696-91-0x0000000000000000-mapping.dmp
memory/1696-93-0x000000006F991000-0x000000006F993000-memory.dmp
memory/1712-94-0x000007FEFBAA1000-0x000007FEFBAA3000-memory.dmp
C:\Users\Admin\AppData\Local\Execution.vbs
| MD5 | e3019120295b6178f061cfe4baeed5ba |
| SHA1 | 72009d5905db5431bc089533ebb76021cbaa611c |
| SHA256 | e35f85ac0d9275bf3750e08b9c46229a90afc486827f6284d0e82fba969bc88b |
| SHA512 | c0eac0bbfbca877fb072d5526a30f87be4bb1be5bee35a4866052e406f953ff764da001a671a8218126c55893a61bf7546c15b6db2bbd3917f78b7f44fbb73b4 |
memory/444-96-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-03 20:28
Reported
2022-05-03 20:30
Platform
win10v2004-20220414-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
HiveRAT
HiveRAT Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\AvastEssentialse = "C:\\Users\\Admin\\AppData\\Roaming\\Avastae.exe" | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4908 set thread context of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe
"C:\Users\Admin\AppData\Local\Temp\93eb342b1d21e99bfe5a88dfef65c886018dc120cd86310a893c77faeceb5063.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| NL | 20.190.160.71:443 | N/A | tcp |
| US | 93.184.220.29:80 | N/A | tcp |
| NL | 20.190.160.4:443 | N/A | tcp |
| US | 8.248.21.254:80 | N/A | tcp |
| US | 8.248.21.254:80 | N/A | tcp |
| US | 8.8.8.8:53 | yosire.duckdns.org | udp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| NL | 20.190.160.129:443 | N/A | tcp |
| IE | 13.69.239.72:443 | N/A | tcp |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| US | 8.248.21.254:80 | N/A | tcp |
| US | 8.248.21.254:80 | N/A | tcp |
| US | 8.248.21.254:80 | N/A | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| NL | 20.190.160.73:443 | N/A | tcp |
| US | 8.8.8.8:53 | 7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.2.0.0.0.0.2.0.1.3.0.6.2.ip6.arpa | udp |
| NL | 20.190.160.132:443 | N/A | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| NL | 20.190.160.136:443 | N/A | tcp |
| US | 8.8.8.8:53 | yosire.duckdns.org | udp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
| PK | 182.188.140.166:1515 | yosire.duckdns.org | tcp |
Files
memory/4908-130-0x0000000000500000-0x0000000000574000-memory.dmp
memory/4908-131-0x0000000004ED0000-0x0000000004F6C000-memory.dmp
memory/4908-132-0x0000000007D00000-0x00000000082A4000-memory.dmp
memory/4908-133-0x0000000007830000-0x00000000078C2000-memory.dmp
memory/4908-134-0x0000000007CC0000-0x0000000007CE2000-memory.dmp
memory/4504-135-0x0000000000000000-mapping.dmp
memory/4504-136-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4504-138-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4504-141-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4504-140-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4504-142-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4504-143-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4504-147-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4504-150-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4504-152-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4504-151-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4504-158-0x00000000057C0000-0x0000000005826000-memory.dmp
memory/824-159-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Execution.vbs
| MD5 | e3019120295b6178f061cfe4baeed5ba |
| SHA1 | 72009d5905db5431bc089533ebb76021cbaa611c |
| SHA256 | e35f85ac0d9275bf3750e08b9c46229a90afc486827f6284d0e82fba969bc88b |
| SHA512 | c0eac0bbfbca877fb072d5526a30f87be4bb1be5bee35a4866052e406f953ff764da001a671a8218126c55893a61bf7546c15b6db2bbd3917f78b7f44fbb73b4 |
memory/2488-161-0x0000000000000000-mapping.dmp