Analysis
max time kernel: 189s
max time network: 202s
platform: windows7_x64
resource: win7-20220414-en
submitted: 08-05-2022 06:15
Static task: static1
Behavioral task: behavioral1
Sample: 87f368326e3250f12dd518b3b0dfe773a67f47f9bf3347678eec99bf2045ee1d.exe
Resource: win7-20220414-en
0 signatures
0 seconds
General
Target: 87f368326e3250f12dd518b3b0dfe773a67f47f9bf3347678eec99bf2045ee1d.exe
Size: 289KB
MD5: 77b680976090d7a835d4b8fe78261bac
SHA1: a9362e3123fe9dd18bc252ba9c2620265227a63b
SHA256: 87f368326e3250f12dd518b3b0dfe773a67f47f9bf3347678eec99bf2045ee1d
SHA512: 51850a8e64e2133caf4f558ac9bbaef62ef7b2291f8d7d7b0dc4fa0bf8cc309caf48d898e0bbc9e31dbd90d7c46616242c7f4fb88f6422fe918e30cdcc8cfa3e
Malware Config
Signatures
HiveRAT Payload 15 IoCs
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe | 87f368326e3250f12dd518b3b0dfe773a67f47f9bf3347678eec99bf2045ee1d.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft.exe | 87f368326e3250f12dd518b3b0dfe773a67f47f9bf3347678eec99bf2045ee1d.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 1720 set thread context of 1368 | 1720 | 87f368326e3250f12dd518b3b0dfe773a67f47f9bf3347678eec99bf2045ee1d.exe | 28
Suspicious behavior: EnumeratesProcesses 41 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1368 | 87f368326e3250f12dd518b3b0dfe773a67f47f9bf3347678eec99bf2045ee1d.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1720 | 87f368326e3250f12dd518b3b0dfe773a67f47f9bf3347678eec99bf2045ee1d.exe
Token: SeDebugPrivilege | 1368 | 87f368326e3250f12dd518b3b0dfe773a67f47f9bf3347678eec99bf2045ee1d.exe
Suspicious use of WriteProcessMemory 10 IoCs
Processes
1. C:\Users\Admin\AppData\Local\Temp\87f368326e3250f12dd518b3b0dfe773a67f47f9bf3347678eec99bf2045ee1d.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\87f368326e3250f12dd518b3b0dfe773a67f47f9bf3347678eec99bf2045ee1d.exe"
   PID: 1720
   - Drops startup file
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\87f368326e3250f12dd518b3b0dfe773a67f47f9bf3347678eec99bf2045ee1d.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\87f368326e3250f12dd518b3b0dfe773a67f47f9bf3347678eec99bf2045ee1d.exe"
      PID: 1368
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken