Analysis Overview
SHA256
1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd
Threat Level: Known bad
The file 1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd was found to be: Known bad.
Malicious Activity Summary
HiveRAT
HiveRAT Payload
Adds Run key to start application
Suspicious use of SetThreadContext
Program crash
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-11 02:38
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-11 02:38
Reported
2022-05-11 04:01
Platform
win10v2004-20220414-en
Max time kernel
62s
Max time network
129s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1844 wrote to memory of 4092 | N/A | C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe
"C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Network
| Country | Destination | Domain | Proto |
| IE | 20.50.73.9:443 | N/A | tcp |
| BE | 8.238.110.126:80 | N/A | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-11 02:38
Reported
2022-05-11 04:00
Platform
win7-20220414-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
HiveRAT
HiveRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Avast Essentialsq = "C:\\Users\\Admin\\AppData\\Roaming\\Avastr.exe" | C:\Windows\System32\WScript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1564 set thread context of 820 | N/A | C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe
"C:\Users\Admin\AppData\Local\Temp\1818a00c19f6e851246823dc4bc7fbf7bfdfb1ad53dab20b572641770f3fc1bd.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1564 -s 1780
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | john0071.duckdns.org | udp |
| PK | 119.154.160.131:1515 | john0071.duckdns.org | tcp |
| US | 8.8.8.8:53 | www.ecb.int | udp |
| DE | 185.5.82.138:80 | www.ecb.int | tcp |
| DE | 185.5.82.138:443 | www.ecb.int | tcp |
Files
C:\Users\Admin\AppData\Local\Execution.vbs
| MD5 | 03fb16e9adeaba44143302d5f1059ab0 |
| SHA1 | 42270b26cffd20e44bdf6b985ab52600b64a3fca |
| SHA256 | 058ef8fa720792e6e130fd1a80752bb06e695d3c4fc8fc75d0f27deb5049e761 |
| SHA512 | 8dba4f8e94780a926200dce2d047cacd086f2bd1550bf0070583752d38828cb48dcfb45bb944095dca753ffb3d20570ee02df12d083a259f0a88973a6b4a6c21 |