Malware Analysis Report

2024-10-24 16:30

Sample ID: 220511-c5w4msgehm
Target: fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc
SHA256: fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc
Tags: hiverat rat stealer
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc

Threat Level: Known bad

The file fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc was found to be: Known bad.

Malicious Activity Summary

hiverat rat stealer

HiveRAT

HiveRAT Payload

Executes dropped EXE

Drops startup file

Loads dropped DLL

Suspicious use of SetThreadContext

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-05-11 02:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-11 02:40

Reported

2022-05-11 04:04

Platform

win7-20220414-en

Max time kernel

202s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe"

Signatures

HiveRAT

rat stealer hiverat

HiveRAT Payload

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 15

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSwindows.exe | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSwindows.exe | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A | 37

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A | 2

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1044 wrote to memory of 1720 | N/A | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | 10

Processes

C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe

"C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe"

C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe

"C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | hive01.duckdns.org | udp

Files

memory/1044-54-0x0000000000FF0000-0x0000000001088000-memory.dmp

memory/1044-55-0x0000000075C51000-0x0000000075C53000-memory.dmp

memory/1044-56-0x0000000000F10000-0x0000000000FA2000-memory.dmp

\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe

MD5 bf400de7c5e0fb5fe483cb09c0ccb745
SHA1 46199385eb5aeccd6638d77a980c780344ac8ace
SHA256 fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc
SHA512 255c6fd43bd6e8954fec5e37b9c4aef9b210728073173ac51bc5ffaa6cb3cddab32d854c027ed7c0ff3e3d311e5b8e3c5a3ed3e1e08e8ccd60449485ec9bc93d

memory/1720-58-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1720-59-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1720-61-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1720-62-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1720-63-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1720-64-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1720-65-0x000000000044C85E-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe

MD5 bf400de7c5e0fb5fe483cb09c0ccb745
SHA1 46199385eb5aeccd6638d77a980c780344ac8ace
SHA256 fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc
SHA512 255c6fd43bd6e8954fec5e37b9c4aef9b210728073173ac51bc5ffaa6cb3cddab32d854c027ed7c0ff3e3d311e5b8e3c5a3ed3e1e08e8ccd60449485ec9bc93d

memory/1720-68-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1720-70-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1720-72-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1720-73-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1720-74-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1720-75-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1720-79-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1720-82-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1720-83-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1720-84-0x0000000000400000-0x0000000000454000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-11 02:40

Reported

2022-05-11 04:04

Platform

win10v2004-20220414-en

Max time kernel

206s

Max time network

208s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe"

Signatures

HiveRAT

rat stealer hiverat

HiveRAT Payload

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 10

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSwindows.exe | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSwindows.exe | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A | 37

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target | Count
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | N/A | 2

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 4468 wrote to memory of 4436 | N/A | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe | 9

Processes

C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe

"C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe"

C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe

"C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe"

Network

Country | Destination | Domain | Proto | Count
IE | 13.69.239.74:443 | (none) | tcp | 1
IE | 20.54.110.249:443 | (none) | tcp | 1
FR | 2.18.109.224:443 | (none) | tcp | 1
US | 13.107.4.50:80 | (none) | tcp | 2
DE | 51.75.64.249:10128 | (none) | tcp | 1
US | 8.8.8.8:53 | storesdk.dsx.mp.microsoft.com | udp | 1
FR | 2.18.109.224:443 | storesdk.dsx.mp.microsoft.com | tcp | 2
US | 8.8.8.8:53 | hive01.duckdns.org | udp | 19

Files

memory/4468-130-0x0000000000670000-0x0000000000708000-memory.dmp

memory/4468-131-0x0000000005560000-0x0000000005B04000-memory.dmp

memory/4468-132-0x00000000050B0000-0x0000000005142000-memory.dmp

memory/4468-133-0x0000000005260000-0x000000000526A000-memory.dmp

memory/4468-134-0x0000000005CB0000-0x0000000005D4C000-memory.dmp

memory/4436-135-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe

MD5 bf400de7c5e0fb5fe483cb09c0ccb745
SHA1 46199385eb5aeccd6638d77a980c780344ac8ace
SHA256 fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc
SHA512 255c6fd43bd6e8954fec5e37b9c4aef9b210728073173ac51bc5ffaa6cb3cddab32d854c027ed7c0ff3e3d311e5b8e3c5a3ed3e1e08e8ccd60449485ec9bc93d

memory/4436-136-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4436-139-0x0000000000400000-0x0000000000454000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc.exe.log

MD5 8ec831f3e3a3f77e4a7b9cd32b48384c
SHA1 d83f09fd87c5bd86e045873c231c14836e76a05c
SHA256 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA512 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

memory/4436-142-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4436-143-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4436-144-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4436-145-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4436-149-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4436-152-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4436-153-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4436-154-0x0000000000400000-0x0000000000454000-memory.dmp

memory/4436-160-0x00000000054E0000-0x0000000005546000-memory.dmp