Analysis Overview
SHA256
fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc
Threat Level: Known bad
The file fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc was found to be: Known bad.
Malicious Activity Summary
HiveRAT
HiveRAT Payload
Executes dropped EXE
Drops startup file
Loads dropped DLL
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2022-05-11 02:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-11 02:40
Reported
2022-05-11 04:04
Platform
win7-20220414-en
Max time kernel
202s
Max time network
100s
Command Line
Signatures
HiveRAT
HiveRAT Payload
| Description | Indicator | Process | Target |
| N/A (15 matches recorded; the report gives no description, indicator, process or target for any of them) | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSwindows.exe | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSwindows.exe | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1044 set thread context of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe
"C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe"
C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe
"C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe"
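The process list and the SetThreadContext row together describe the shape of the injection: the sample starts a second copy of itself (two identical command lines; PID 1044 and PID 1720 in this detonation), then rewrites the child's thread context, and the WriteProcessMemory signature fires on the same binary. The child's memory dumps are all its own image region (0x400000-0x454000), consistent with that image being replaced before the child runs. The following is an added example, not part of the sandbox report, that reconstructs this self-spawn-plus-injection chain from process-creation and cross-process telemetry. The two record types are an assumed, EDR-neutral schema; the events are constructed to mirror the win7 run (the report's WriteProcessMemory table carries no PIDs, so the 1044 to 1720 pairing for that call is an assumption).

```python
"""Added example, not part of the sandbox report: rebuild the self-injection
chain (parent spawns a same-image child, then writes its memory and sets its
thread context) from process-creation and cross-process telemetry.  The two
record types below are an assumed, EDR-neutral schema; map Sysmon or your
EDR's fields onto them before use."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe")


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    ppid: int
    image: str


@dataclass(frozen=True)
class CrossProcessOp:
    api: str        # "WriteProcessMemory", "SetThreadContext", "ReadProcessMemory", ...
    src_pid: int    # caller
    dst_pid: int    # process whose memory/thread is touched


@dataclass(frozen=True)
class Finding:
    parent_pid: int
    child_pid: int
    image: str
    apis: Tuple[str, ...]


# Both calls are needed to replace a suspended child's image and redirect its
# entry point; either one alone has benign users (debuggers, crash handlers).
HOLLOW_APIS = frozenset({"WriteProcessMemory", "SetThreadContext"})


def find_self_hollowing(creates: List[ProcessCreate],
                        ops: List[CrossProcessOp]) -> List[Finding]:
    by_pid = {c.pid: c for c in creates}
    pair_apis: Dict[Tuple[int, int], List[str]] = {}
    for op in ops:
        pair_apis.setdefault((op.src_pid, op.dst_pid), []).append(op.api)
    findings: List[Finding] = []
    for (src, dst), apis in pair_apis.items():
        parent, child = by_pid.get(src), by_pid.get(dst)
        if parent is None or child is None or child.ppid != src:
            continue  # target is not a direct child of the caller
        if child.image.lower() != parent.image.lower():
            continue  # only the self-spawn shape seen in this report
        if not HOLLOW_APIS <= set(apis):
            continue  # e.g. a parent merely reading or suspending its child
        findings.append(Finding(src, dst, child.image, tuple(apis)))
    return findings


def demo_findings() -> List[Finding]:
    """Constructed telemetry: the win7 detonation's pair (1044 -> 1720) plus a
    benign same-image child (a browser) that is only read, never rewritten."""
    creates = [
        ProcessCreate(pid=1044, ppid=1000, image=SAMPLE),
        ProcessCreate(pid=1720, ppid=1044, image=SAMPLE),
        ProcessCreate(pid=2000, ppid=900, image=r"C:\Program Files\Browser\browser.exe"),
        ProcessCreate(pid=2001, ppid=2000, image=r"C:\Program Files\Browser\browser.exe"),
    ]
    ops = [
        CrossProcessOp("WriteProcessMemory", 1044, 1720),  # assumed pairing, see lead-in
        CrossProcessOp("WriteProcessMemory", 1044, 1720),
        CrossProcessOp("SetThreadContext", 1044, 1720),    # as recorded by the sandbox
        CrossProcessOp("ReadProcessMemory", 2000, 2001),
    ]
    return find_self_hollowing(creates, ops)


if __name__ == "__main__":
    for f in demo_findings():
        print(f"hollowing candidate: {f.parent_pid} -> {f.child_pid} "
              f"({f.image}) via {', '.join(f.apis)}")
```

The rule deliberately requires the target to be a direct child with the same image path; that is the cheapest high-signal shape for this family, and it keeps debuggers and browsers (which touch children of the same image but never pair a memory write with a context change) out of the results. Injection into an unrelated target such as a system binary needs its own rule with a different image check.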
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hive01.duckdns.org | udp |
Files
memory/1044-54-0x0000000000FF0000-0x0000000001088000-memory.dmp
memory/1044-55-0x0000000075C51000-0x0000000075C53000-memory.dmp
memory/1044-56-0x0000000000F10000-0x0000000000FA2000-memory.dmp
\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe
| MD5 | bf400de7c5e0fb5fe483cb09c0ccb745 |
| SHA1 | 46199385eb5aeccd6638d77a980c780344ac8ace |
| SHA256 | fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc |
| SHA512 | 255c6fd43bd6e8954fec5e37b9c4aef9b210728073173ac51bc5ffaa6cb3cddab32d854c027ed7c0ff3e3d311e5b8e3c5a3ed3e1e08e8ccd60449485ec9bc93d |
memory/1720-58-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1720-59-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1720-61-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1720-62-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1720-63-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1720-64-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1720-65-0x000000000044C85E-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe
| MD5 | bf400de7c5e0fb5fe483cb09c0ccb745 |
| SHA1 | 46199385eb5aeccd6638d77a980c780344ac8ace |
| SHA256 | fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc |
| SHA512 | 255c6fd43bd6e8954fec5e37b9c4aef9b210728073173ac51bc5ffaa6cb3cddab32d854c027ed7c0ff3e3d311e5b8e3c5a3ed3e1e08e8ccd60449485ec9bc93d |
memory/1720-68-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1720-70-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1720-72-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1720-73-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1720-74-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1720-75-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1720-79-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1720-82-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1720-83-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1720-84-0x0000000000400000-0x0000000000454000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-11 02:40
Reported
2022-05-11 04:04
Platform
win10v2004-20220414-en
Max time kernel
206s
Max time network
208s
Command Line
Signatures
HiveRAT
HiveRAT Payload
| Description | Indicator | Process | Target |
| N/A (10 matches recorded; the report gives no description, indicator, process or target for any of them) | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSwindows.exe | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSwindows.exe | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4468 set thread context of 4436 | N/A | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe
"C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe"
C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe
"C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe"
Network
| Country | Destination | Domain | Proto | Count |
| IE | 13.69.239.74:443 | | tcp | 1 |
| IE | 20.54.110.249:443 | | tcp | 1 |
| FR | 2.18.109.224:443 | | tcp | 1 |
| US | 13.107.4.50:80 | | tcp | 2 |
| DE | 51.75.64.249:10128 | | tcp | 1 |
| US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp | 1 |
| FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp | 2 |
| US | 8.8.8.8:53 | hive01.duckdns.org | udp | 19 |
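Two things in this table matter for hunting: the name hive01.duckdns.org is resolved nineteen times over the run with no connection attributed to it, and the one TCP connection to a non-standard port (51.75.64.249:10128) carries no domain. The rows naming a microsoft.com host are the kind of background traffic a Windows 10 image generates on its own. The following is an added example, not part of the sandbox report, that applies those three rules (dynamic-DNS provider, non-standard port, repeated resolution without a follow-on connection) to the rows above. The rows are transcribed from the table with a count per distinct row; the provider suffix list, the standard-port set and the repeat threshold are assumptions to tune for your environment.

```python
"""Added example, not part of the sandbox report: triage the win10 network
table.  Rows are transcribed as (country, ip:port, domain, proto, count).
DDNS_SUFFIXES, STANDARD_PORTS and REPEAT_THRESHOLD are assumptions."""
from collections import Counter
from typing import Dict, List, Tuple

Row = Tuple[str, str, str, str, int]

REPORT_ROWS: List[Row] = [
    ("IE", "13.69.239.74:443", "", "tcp", 1),
    ("IE", "20.54.110.249:443", "", "tcp", 1),
    ("FR", "2.18.109.224:443", "", "tcp", 1),
    ("US", "13.107.4.50:80", "", "tcp", 2),
    ("DE", "51.75.64.249:10128", "", "tcp", 1),
    ("US", "8.8.8.8:53", "storesdk.dsx.mp.microsoft.com", "udp", 1),
    ("FR", "2.18.109.224:443", "storesdk.dsx.mp.microsoft.com", "tcp", 2),
    ("US", "8.8.8.8:53", "hive01.duckdns.org", "udp", 19),
]

DDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org")  # assumed list
STANDARD_PORTS = {53, 80, 443}
REPEAT_THRESHOLD = 5  # lookups of one name in a single run that look like retry/beacon


def split_dest(dest: str) -> Tuple[str, int]:
    ip, port = dest.rsplit(":", 1)
    return ip, int(port)


def triage(rows: List[Row]) -> Dict[str, object]:
    ddns_queries: Counter = Counter()
    lookups: Counter = Counter()
    odd_ports: List[Tuple[str, int, str, str]] = []
    connected_domains = set()
    for country, dest, domain, proto, count in rows:
        ip, port = split_dest(dest)
        if domain and port == 53 and proto == "udp":
            lookups[domain] += count
            if domain.endswith(DDNS_SUFFIXES):
                ddns_queries[domain] += count
        elif domain:
            connected_domains.add(domain)  # a connection the sandbox tied to a name
        if port not in STANDARD_PORTS:
            odd_ports.append((ip, port, proto, country))
    # A name resolved over and over with no connection attributed to it usually
    # means the C2 never answered, or answered with an address the report lists
    # without a domain; either way the name and any such address are the IOCs.
    beacons = {d: n for d, n in lookups.items()
               if n >= REPEAT_THRESHOLD and d not in connected_domains}
    return {
        "ddns_queries": dict(ddns_queries),
        "nonstandard_ports": odd_ports,
        "repeated_lookups_without_connection": beacons,
    }


def demo_triage() -> Dict[str, object]:
    return triage(REPORT_ROWS)


if __name__ == "__main__":
    for key, value in demo_triage().items():
        print(f"{key}: {value}")
```

The same three rules translate directly to a DNS or proxy log hunt: any lookup of a duckdns.org name from a host that does not normally use dynamic DNS, and any outbound TCP to a high port with no associated name, are worth pulling the process tree for.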
Files
memory/4468-130-0x0000000000670000-0x0000000000708000-memory.dmp
memory/4468-131-0x0000000005560000-0x0000000005B04000-memory.dmp
memory/4468-132-0x00000000050B0000-0x0000000005142000-memory.dmp
memory/4468-133-0x0000000005260000-0x000000000526A000-memory.dmp
memory/4468-134-0x0000000005CB0000-0x0000000005D4C000-memory.dmp
memory/4436-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe
| MD5 | bf400de7c5e0fb5fe483cb09c0ccb745 |
| SHA1 | 46199385eb5aeccd6638d77a980c780344ac8ace |
| SHA256 | fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc |
| SHA512 | 255c6fd43bd6e8954fec5e37b9c4aef9b210728073173ac51bc5ffaa6cb3cddab32d854c027ed7c0ff3e3d311e5b8e3c5a3ed3e1e08e8ccd60449485ec9bc93d |
memory/4436-136-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4436-139-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
memory/4436-142-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4436-143-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4436-144-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4436-145-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4436-149-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4436-152-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4436-153-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4436-154-0x0000000000400000-0x0000000000454000-memory.dmp
memory/4436-160-0x00000000054E0000-0x0000000005546000-memory.dmp
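The file indicators from both detonations are the sample's own hashes and the copy it writes as MSwindows.exe into the per-user Startup folder (the CLR_v4.0_32\UsageLogs entry in the win10 run also shows the binary is a .NET assembly, which is why the CLR wrote a usage log for it). The following is an added example, not part of the sandbox report, that hunts a directory tree for those indicators by name and by MD5, SHA-1 and SHA-256, and shows where the Startup folder named in the report lives. The scratch tree built by demo_scan() is constructed for the demonstration; the decoy file only carries the dropped file's name, not its content, so only the name rule fires on it.

```python
"""Added example, not part of the sandbox report: hunt a host for the file
indicators in the report (sample hashes, and the Startup-folder copy named
MSwindows.exe).  demo_scan() builds a constructed scratch tree so the code
runs offline; point scan_dir() at a real path for an actual hunt."""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Set, Tuple

# Hashes as listed in the report (the dropped copy shares them with the sample).
IOC_HASHES: Dict[str, Set[str]] = {
    "md5": {"bf400de7c5e0fb5fe483cb09c0ccb745"},
    "sha1": {"46199385eb5aeccd6638d77a980c780344ac8ace"},
    "sha256": {"fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc"},
}
IOC_NAMES = {"mswindows.exe"}  # compared case-insensitively

Hit = Tuple[str, List[str], str]  # (path, reasons, sha256)


def hash_file(path: Path) -> Dict[str, str]:
    """Compute all three digests in one pass so large files are read once."""
    digests = {algo: hashlib.new(algo) for algo in IOC_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {algo: d.hexdigest() for algo, d in digests.items()}


def scan_dir(root: Path) -> List[Hit]:
    """Return every file under root that matches a name or hash indicator."""
    hits: List[Hit] = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        reasons = ["name"] if p.name.lower() in IOC_NAMES else []
        digests = hash_file(p)
        reasons += [algo for algo, known in IOC_HASHES.items() if digests[algo] in known]
        if reasons:
            hits.append((str(p), reasons, digests["sha256"]))
    return hits


def user_startup_folder() -> Path:
    # %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, the path the report shows
    return (Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Windows"
            / "Start Menu" / "Programs" / "Startup")


def demo_scan() -> Tuple[Path, List[Hit]]:
    """Constructed scratch tree: a decoy with the dropped file's name and a clean file."""
    root = Path(tempfile.mkdtemp(prefix="hiverat-ioc-"))
    startup = root / "Startup"
    startup.mkdir()
    (startup / "MSwindows.exe").write_bytes(b"decoy, not the real payload")
    (root / "notes.txt").write_bytes(b"abc")
    return root, scan_dir(root)


if __name__ == "__main__":
    _, hits = demo_scan()
    if user_startup_folder().is_dir():
        hits += scan_dir(user_startup_folder())
    for path, reasons, sha256 in hits:
        print(f"{path}: matched {', '.join(reasons)} sha256={sha256}")
```

A name match alone is a lead, not a verdict: the attacker picks MSwindows.exe precisely because it looks plausible, so treat a name-only hit as a prompt to pull the file and compare hashes, and treat a hash hit as confirmed regardless of name.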