Analysis Overview
SHA256
4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd
Threat Level: Known bad
The file 4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd was found to be: Known bad.
Malicious Activity Summary
HiveRAT
HiveRAT Payload
Drops startup file
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-05-08 06:15
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-08 06:15
Reported
2022-05-08 08:33
Platform
win7-20220414-en
Max time kernel
188s
Max time network
213s
Command Line
Signatures
HiveRAT
HiveRAT Payload
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sys.exe | C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sys.exe | C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 936 set thread context of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe | C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
"C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe"
C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
"C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | local.urown.cloud | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-08 06:15
Reported
2022-05-08 08:33
Platform
win10v2004-20220414-en
Max time kernel
205s
Max time network
208s
Command Line
Signatures
HiveRAT
HiveRAT Payload
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sys.exe | C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Sys.exe | C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 792 set thread context of 452 | N/A | C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe | C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
"C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe"
C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
"C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe"
C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe
"C:\Users\Admin\AppData\Local\Temp\4c49b30cf4a26820a2f28c0484094613b2c683f1d501bacddc774195624d44cd.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 87.248.202.1:80 | | tcp |
| US | 93.184.220.29:80 | | tcp |
| NL | 104.97.14.81:80 | | tcp |
| IE | 20.54.110.249:443 | | tcp |
| NL | 104.97.14.80:80 | | tcp |
| US | 20.42.65.89:443 | | tcp |
| US | 8.8.8.8:53 | 96.108.152.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp |
| FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp |
| US | 8.8.8.8:53 | local.urown.cloud | udp |
Files