Analysis Overview
SHA256
0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c
Threat Level: Known bad
The file 0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c was found to be: Known bad.
Malicious Activity Summary
WarzoneRat, AveMaria
HiveRAT
HiveRAT Payload
Warzone RAT Payload
Executes dropped EXE
Drops startup file
Loads dropped DLL
Checks computer location settings
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-05-16 13:00
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-05-16 13:00
Reported
2022-05-16 14:36
Platform
win7-20220414-en
Max time kernel
170s
Max time network
59s
Command Line
Signatures
HiveRAT
WarzoneRat, AveMaria
HiveRAT Payload
Warzone RAT Payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSwindows.exe | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSwindows.exe | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSbuild.exe | C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSbuild.exe | C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1672 set thread context of 784 | N/A | C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe | C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe |
| PID 1168 set thread context of 1052 | N/A | C:\Users\Admin\AppData\Roaming\1.exe | C:\Users\Admin\AppData\Roaming\1.exe |
| PID 2036 set thread context of 836 | N/A | C:\Users\Admin\AppData\Roaming\2.exe | C:\Users\Admin\AppData\Roaming\2.exe |
| PID 1932 set thread context of 1372 | N/A | C:\Users\Admin\AppData\Roaming\3.exe | C:\Users\Admin\AppData\Roaming\3.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\3.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
"C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe"
C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
"C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe"
C:\Users\Admin\AppData\Roaming\1.exe
"C:\Users\Admin\AppData\Roaming\1.exe"
C:\Users\Admin\AppData\Roaming\3.exe
"C:\Users\Admin\AppData\Roaming\3.exe"
C:\Users\Admin\AppData\Roaming\2.exe
"C:\Users\Admin\AppData\Roaming\2.exe"
C:\Users\Admin\AppData\Roaming\1.exe
"C:\Users\Admin\AppData\Roaming\1.exe"
C:\Users\Admin\AppData\Roaming\2.exe
"C:\Users\Admin\AppData\Roaming\2.exe"
C:\Users\Admin\AppData\Roaming\3.exe
"C:\Users\Admin\AppData\Roaming\3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 528
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hive01.duckdns.org | udp |
Files
memory/1672-54-0x0000000000E90000-0x0000000001066000-memory.dmp
memory/1672-55-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
memory/1672-56-0x0000000005040000-0x0000000005210000-memory.dmp
\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
| MD5 | 4e7eb50a75f8bf74751576cdd5381809 |
| SHA1 | 7e0dfbdd505b9451513b828e4d392e164fe566e9 |
| SHA256 | 0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c |
| SHA512 | 05b9ae0aef714798034ac0c271f5a1ef44221e9b56480f6de3e07d9e94e438bd0ba11ef44c6ff48267d0d9a94ec18355641c67d744d51326c8c7569048b660f3 |
memory/784-59-0x0000000000400000-0x0000000000590000-memory.dmp
memory/784-58-0x0000000000400000-0x0000000000590000-memory.dmp
memory/784-61-0x0000000000400000-0x0000000000590000-memory.dmp
memory/784-62-0x0000000000400000-0x0000000000590000-memory.dmp
memory/784-64-0x000000000058AF7E-mapping.dmp
memory/784-67-0x0000000000400000-0x0000000000590000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
| MD5 | 4e7eb50a75f8bf74751576cdd5381809 |
| SHA1 | 7e0dfbdd505b9451513b828e4d392e164fe566e9 |
| SHA256 | 0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c |
| SHA512 | 05b9ae0aef714798034ac0c271f5a1ef44221e9b56480f6de3e07d9e94e438bd0ba11ef44c6ff48267d0d9a94ec18355641c67d744d51326c8c7569048b660f3 |
memory/784-69-0x0000000000400000-0x0000000000590000-memory.dmp
memory/784-63-0x0000000000400000-0x0000000000590000-memory.dmp
memory/784-70-0x0000000000590000-0x0000000000598000-memory.dmp
C:\Users\Admin\AppData\Roaming\1.exe
| MD5 | ea33ef88c0e9cf45dcd70dc971c46e02 |
| SHA1 | 68bad4331a4f108a7ced1dfe0e87a63fc5ded774 |
| SHA256 | 6b0c966be8f3ebf3faf33582428a16b669d7571125108c7bbd8308882c55d709 |
| SHA512 | 37c8c9404bedf6e032b1de937641b70586ad51a5a4e95fb08798a472bff5f3766123b98e4059d08f2608932d860325ab111e093276b1c71a9286b7e5d8211998 |
memory/2036-77-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\2.exe
| MD5 | bf400de7c5e0fb5fe483cb09c0ccb745 |
| SHA1 | 46199385eb5aeccd6638d77a980c780344ac8ace |
| SHA256 | fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc |
| SHA512 | 255c6fd43bd6e8954fec5e37b9c4aef9b210728073173ac51bc5ffaa6cb3cddab32d854c027ed7c0ff3e3d311e5b8e3c5a3ed3e1e08e8ccd60449485ec9bc93d |
memory/1168-83-0x0000000000300000-0x0000000000362000-memory.dmp
memory/1932-86-0x0000000000000000-mapping.dmp
memory/2036-90-0x0000000000890000-0x0000000000922000-memory.dmp
memory/1932-92-0x00000000011D0000-0x0000000001262000-memory.dmp
memory/1932-89-0x0000000001270000-0x0000000001308000-memory.dmp
C:\Users\Admin\AppData\Roaming\3.exe
| MD5 | d21695b6d9bdd7ed0e35a0c70ce38205 |
| SHA1 | 33522e95507f48e68a981b1097bcbe0354e31c1a |
| SHA256 | 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c |
| SHA512 | 0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f |
memory/2036-82-0x0000000000BA0000-0x0000000000C38000-memory.dmp
C:\Users\Admin\AppData\Roaming\2.exe
| MD5 | bf400de7c5e0fb5fe483cb09c0ccb745 |
| SHA1 | 46199385eb5aeccd6638d77a980c780344ac8ace |
| SHA256 | fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc |
| SHA512 | 255c6fd43bd6e8954fec5e37b9c4aef9b210728073173ac51bc5ffaa6cb3cddab32d854c027ed7c0ff3e3d311e5b8e3c5a3ed3e1e08e8ccd60449485ec9bc93d |
memory/1168-78-0x0000000000AD0000-0x0000000000B38000-memory.dmp
C:\Users\Admin\AppData\Roaming\1.exe
| MD5 | ea33ef88c0e9cf45dcd70dc971c46e02 |
| SHA1 | 68bad4331a4f108a7ced1dfe0e87a63fc5ded774 |
| SHA256 | 6b0c966be8f3ebf3faf33582428a16b669d7571125108c7bbd8308882c55d709 |
| SHA512 | 37c8c9404bedf6e032b1de937641b70586ad51a5a4e95fb08798a472bff5f3766123b98e4059d08f2608932d860325ab111e093276b1c71a9286b7e5d8211998 |
\Users\Admin\AppData\Roaming\2.exe
| MD5 | bf400de7c5e0fb5fe483cb09c0ccb745 |
| SHA1 | 46199385eb5aeccd6638d77a980c780344ac8ace |
| SHA256 | fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc |
| SHA512 | 255c6fd43bd6e8954fec5e37b9c4aef9b210728073173ac51bc5ffaa6cb3cddab32d854c027ed7c0ff3e3d311e5b8e3c5a3ed3e1e08e8ccd60449485ec9bc93d |
memory/1168-73-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Roaming\1.exe
| MD5 | ea33ef88c0e9cf45dcd70dc971c46e02 |
| SHA1 | 68bad4331a4f108a7ced1dfe0e87a63fc5ded774 |
| SHA256 | 6b0c966be8f3ebf3faf33582428a16b669d7571125108c7bbd8308882c55d709 |
| SHA512 | 37c8c9404bedf6e032b1de937641b70586ad51a5a4e95fb08798a472bff5f3766123b98e4059d08f2608932d860325ab111e093276b1c71a9286b7e5d8211998 |
memory/1052-96-0x0000000000400000-0x0000000000554000-memory.dmp
memory/1052-99-0x0000000000400000-0x0000000000554000-memory.dmp
memory/1052-102-0x0000000000400000-0x0000000000554000-memory.dmp
memory/1052-103-0x0000000000400000-0x0000000000554000-memory.dmp
memory/1052-104-0x0000000000405CE2-mapping.dmp
memory/1052-101-0x0000000000400000-0x0000000000554000-memory.dmp
C:\Users\Admin\AppData\Roaming\1.exe
| MD5 | ea33ef88c0e9cf45dcd70dc971c46e02 |
| SHA1 | 68bad4331a4f108a7ced1dfe0e87a63fc5ded774 |
| SHA256 | 6b0c966be8f3ebf3faf33582428a16b669d7571125108c7bbd8308882c55d709 |
| SHA512 | 37c8c9404bedf6e032b1de937641b70586ad51a5a4e95fb08798a472bff5f3766123b98e4059d08f2608932d860325ab111e093276b1c71a9286b7e5d8211998 |
memory/1052-98-0x0000000000400000-0x0000000000554000-memory.dmp
memory/1052-94-0x0000000000400000-0x0000000000554000-memory.dmp
memory/1052-93-0x0000000000400000-0x0000000000554000-memory.dmp
memory/836-108-0x0000000000400000-0x0000000000454000-memory.dmp
memory/836-109-0x0000000000400000-0x0000000000454000-memory.dmp
memory/836-111-0x0000000000400000-0x0000000000454000-memory.dmp
memory/836-113-0x0000000000400000-0x0000000000454000-memory.dmp
memory/836-117-0x000000000044C85E-mapping.dmp
memory/1372-116-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Roaming\2.exe
| MD5 | bf400de7c5e0fb5fe483cb09c0ccb745 |
| SHA1 | 46199385eb5aeccd6638d77a980c780344ac8ace |
| SHA256 | fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc |
| SHA512 | 255c6fd43bd6e8954fec5e37b9c4aef9b210728073173ac51bc5ffaa6cb3cddab32d854c027ed7c0ff3e3d311e5b8e3c5a3ed3e1e08e8ccd60449485ec9bc93d |
memory/836-121-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1372-124-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1372-125-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1372-133-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1372-131-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Roaming\3.exe
| MD5 | d21695b6d9bdd7ed0e35a0c70ce38205 |
| SHA1 | 33522e95507f48e68a981b1097bcbe0354e31c1a |
| SHA256 | 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c |
| SHA512 | 0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f |
memory/1372-128-0x000000000044CB3E-mapping.dmp
memory/1372-127-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1372-126-0x0000000000400000-0x0000000000454000-memory.dmp
memory/836-123-0x0000000000400000-0x0000000000454000-memory.dmp
memory/836-114-0x0000000000400000-0x0000000000454000-memory.dmp
memory/836-112-0x0000000000400000-0x0000000000454000-memory.dmp
memory/836-145-0x0000000000400000-0x0000000000454000-memory.dmp
memory/836-147-0x0000000000400000-0x0000000000454000-memory.dmp
memory/836-146-0x0000000000400000-0x0000000000454000-memory.dmp
memory/836-142-0x0000000000400000-0x0000000000454000-memory.dmp
memory/836-138-0x0000000000400000-0x0000000000454000-memory.dmp
memory/836-137-0x0000000000400000-0x0000000000454000-memory.dmp
memory/836-136-0x0000000000400000-0x0000000000454000-memory.dmp
memory/836-135-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1892-153-0x0000000000000000-mapping.dmp
memory/1052-156-0x0000000000400000-0x0000000000554000-memory.dmp
\Users\Admin\AppData\Roaming\3.exe
| MD5 | d21695b6d9bdd7ed0e35a0c70ce38205 |
| SHA1 | 33522e95507f48e68a981b1097bcbe0354e31c1a |
| SHA256 | 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c |
| SHA512 | 0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f |
Analysis: behavioral2
Detonation Overview
Submitted
2022-05-16 13:00
Reported
2022-05-16 14:36
Platform
win10v2004-20220414-en
Max time kernel
154s
Max time network
159s
Command Line
Signatures
HiveRAT
WarzoneRat, AveMaria
HiveRAT Payload
Warzone RAT Payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSwindows.exe | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSwindows.exe | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DesktopExplorer.exe | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSbuild.exe | C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MSbuild.exe | C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MicrosoftExplorer.exe | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
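Both detonations (behavioral1 and behavioral2) record the same persistence step in their "Drops startup file" tables: the dropper writes MSbuild.exe, and each dropped payload writes its own copy (MicrosoftExplorer.exe, MSwindows.exe, DesktopExplorer.exe), into the per-user Startup folder, which Explorer launches at every logon. The report gives no hashes for the Startup copies, so whether they are byte-identical to 1.exe, 2.exe and 3.exe is not established here. The following is an added hunting example, not code from the report or from the malware: it enumerates a Startup folder, flags anything executable (the folder normally holds .lnk shortcuts), and compares names and SHA-256 values against what this report lists. The folder is a parameter so the check runs on any OS; `make_demo_startup` builds a constructed fixture with placeholder bytes, and the executable-suffix list is an assumption.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# SHA-256 values copied from the report's Files section.
KNOWN_BAD_SHA256: Dict[str, str] = {
    "0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c": "dropper",
    "6b0c966be8f3ebf3faf33582428a16b669d7571125108c7bbd8308882c55d709": "1.exe",
    "fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc": "2.exe",
    "15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c": "3.exe",
}

# File names the report records being written into the Startup folder.
REPORTED_STARTUP_NAMES = {
    n.lower() for n in ("MSbuild.exe", "MicrosoftExplorer.exe", "MSwindows.exe", "DesktopExplorer.exe")
}

# Assumption: suffixes Explorer will execute directly from the Startup folder.
EXEC_SUFFIXES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jse", ".wsf", ".hta", ".ps1"}


def default_startup_dir() -> Path:
    """Per-user Startup folder, resolved from %APPDATA% on Windows."""
    appdata = os.environ.get("APPDATA", str(Path.home() / "AppData" / "Roaming"))
    return Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_startup(folder: Path) -> List[Dict[str, object]]:
    """Return one finding per executable file in `folder`, with the reasons it was flagged."""
    findings: List[Dict[str, object]] = []
    for entry in sorted(folder.iterdir()):
        if not entry.is_file() or entry.suffix.lower() not in EXEC_SUFFIXES:
            continue
        digest = sha256_file(entry)
        reasons = ["executable placed directly in Startup (the folder normally holds .lnk shortcuts)"]
        if entry.name.lower() in REPORTED_STARTUP_NAMES:
            reasons.append("filename matches a name this report records")
        if digest in KNOWN_BAD_SHA256:
            reasons.append(f"sha256 matches {KNOWN_BAD_SHA256[digest]} from this report")
        findings.append({"path": str(entry), "sha256": digest, "reasons": reasons})
    return findings


def make_demo_startup(root: Path) -> Path:
    """Constructed fixture (not real artefacts): a shortcut, desktop.ini, and an
    executable named like the report's MSwindows.exe but with placeholder bytes,
    so only its name matches, not its hash."""
    folder = root / "Startup"
    folder.mkdir(parents=True, exist_ok=True)
    (folder / "OneDrive.lnk").write_bytes(b"placeholder shortcut")
    (folder / "desktop.ini").write_text("[.ShellClassInfo]\n")
    (folder / "MSwindows.exe").write_bytes(b"placeholder, not the real payload")
    return folder


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in scan_startup(make_demo_startup(Path(tmp))):
            print(finding["path"], finding["sha256"][:16], "; ".join(finding["reasons"]))
```

On a live host call `scan_startup(default_startup_dir())`; a .lnk whose target points into `%APPDATA%` or `%TEMP%` deserves the same scrutiny, but resolving shortcut targets is outside this check.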
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 796 set thread context of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe | C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe |
| PID 728 set thread context of 1676 | N/A | C:\Users\Admin\AppData\Roaming\1.exe | C:\Users\Admin\AppData\Roaming\1.exe |
| PID 1080 set thread context of 3396 | N/A | C:\Users\Admin\AppData\Roaming\2.exe | C:\Users\Admin\AppData\Roaming\2.exe |
| PID 1424 set thread context of 2492 | N/A | C:\Users\Admin\AppData\Roaming\3.exe | C:\Users\Admin\AppData\Roaming\3.exe |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Roaming\3.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\3.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\2.exe | N/A |
Suspicious use of WriteProcessMemory
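In both runs the "Suspicious use of SetThreadContext" rows pair each parent with a child of the same image path (the dropper with a second copy of itself, then 1.exe, 2.exe and 3.exe each with a copy of itself), alongside "Suspicious use of WriteProcessMemory". That combination is process hollowing: the parent starts its own image, overwrites the child's memory, and resets the main thread's context to the new entry point; the memory dumps of the child PIDs starting at 0x400000 are that rewritten image region. The WerFault command lines carry `-p 2492` in behavioral2 (`-p 1372` in behavioral1), i.e. the crash recorded under "Program crash" occurs in the hollowed child of 3.exe, not in the parent. The UsageLogs entry under CLR_v4.0_32 in behavioral2 additionally shows the dropper runs under the .NET CLR. The following is an added example, not the report's or the malware's code: it parses the report's description strings, classifies each SetThreadContext against a process tree, and correlates WerFault crashes with hollowed PIDs. PIDs and images come from behavioral2; the event schema, the parent/child links, and the function names are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (EDR-style schema; an assumption)."""
    pid: int
    ppid: Optional[int]
    image: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe"
ROAMING = r"C:\Users\Admin\AppData\Roaming"

# Constructed process tree. PIDs and images follow behavioral2; the parent links
# are an assumption consistent with its process list, not data from the report.
PROCESSES: List[ProcEvent] = [
    ProcEvent(796, None, SAMPLE),
    ProcEvent(2936, 796, SAMPLE),
    ProcEvent(728, 2936, ROAMING + r"\1.exe"),
    ProcEvent(1080, 2936, ROAMING + r"\2.exe"),
    ProcEvent(1424, 2936, ROAMING + r"\3.exe"),
    ProcEvent(1676, 728, ROAMING + r"\1.exe"),
    ProcEvent(3396, 1080, ROAMING + r"\2.exe"),
    ProcEvent(2492, 1424, ROAMING + r"\3.exe"),
]

# Description strings copied from the behavioral2 SetThreadContext table.
STC_DESCRIPTIONS = [
    "PID 796 set thread context of 2936",
    "PID 728 set thread context of 1676",
    "PID 1080 set thread context of 3396",
    "PID 1424 set thread context of 2492",
]

# WerFault command lines copied from the behavioral2 Processes list.
WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2492 -ip 2492",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 764",
]

_STC_RE = re.compile(r"PID (\d+) set thread context of (\d+)")
_WER_PID_RE = re.compile(r"WerFault\.exe.*?\s-p\s+(\d+)")  # the crashed process PID


def parse_set_thread_context(desc: str) -> Tuple[int, int]:
    """'PID A set thread context of B' -> (A, B)."""
    m = _STC_RE.fullmatch(desc.strip())
    if m is None:
        raise ValueError(f"not a SetThreadContext row: {desc!r}")
    return int(m.group(1)), int(m.group(2))


def classify_injections(procs: Sequence[ProcEvent], descs: Sequence[str]) -> List[Tuple[int, int, str]]:
    """Label each SetThreadContext pair by its relationship in the process tree."""
    by_pid = {p.pid: p for p in procs}
    out: List[Tuple[int, int, str]] = []
    for desc in descs:
        src_pid, dst_pid = parse_set_thread_context(desc)
        src, dst = by_pid.get(src_pid), by_pid.get(dst_pid)
        if src is None or dst is None:
            kind = "unknown-process"
        elif dst.ppid == src.pid and dst.image.lower() == src.image.lower():
            kind = "self-hollowing"      # spawned its own image and replaced it
        elif dst.ppid == src.pid:
            kind = "child-hollowing"     # spawned a different host image and replaced it
        else:
            kind = "remote-injection"    # context change on an unrelated process
        out.append((src_pid, dst_pid, kind))
    return out


def crashed_hollowed_pids(findings: Sequence[Tuple[int, int, str]], werfault_cmdlines: Sequence[str]) -> Set[int]:
    """PIDs that were hollowed and later handed to WerFault, i.e. the injected payload crashed."""
    hollowed = {dst for _, dst, kind in findings if kind.endswith("hollowing")}
    crashed: Set[int] = set()
    for cmd in werfault_cmdlines:
        m = _WER_PID_RE.search(cmd)
        if m and int(m.group(1)) in hollowed:
            crashed.add(int(m.group(1)))
    return crashed


if __name__ == "__main__":
    findings = classify_injections(PROCESSES, STC_DESCRIPTIONS)
    for src, dst, kind in findings:
        print(f"{src} -> {dst}: {kind}")
    print("crashed hollowed children:", crashed_hollowed_pids(findings, WERFAULT_CMDLINES))
```

On a real endpoint the same classification runs over EDR thread-context events; Sysmon alone does not record SetThreadContext (it logs remote thread creation and process access), so the parent-spawns-own-image-then-writes-it pattern is the observable to build the rule on there.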
Processes
C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
"C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe"
C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
"C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe"
C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
"C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe"
C:\Users\Admin\AppData\Roaming\1.exe
"C:\Users\Admin\AppData\Roaming\1.exe"
C:\Users\Admin\AppData\Roaming\2.exe
"C:\Users\Admin\AppData\Roaming\2.exe"
C:\Users\Admin\AppData\Roaming\3.exe
"C:\Users\Admin\AppData\Roaming\3.exe"
C:\Users\Admin\AppData\Roaming\1.exe
"C:\Users\Admin\AppData\Roaming\1.exe"
C:\Users\Admin\AppData\Roaming\2.exe
"C:\Users\Admin\AppData\Roaming\2.exe"
C:\Users\Admin\AppData\Roaming\3.exe
"C:\Users\Admin\AppData\Roaming\3.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2492 -ip 2492
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2492 -s 764
Network
| Country | Destination | Domain | Proto |
| US | 52.168.117.170:443 | | tcp |
| US | 8.8.8.8:53 | hive01.duckdns.org | udp |
| US | 8.8.8.8:53 | hive01.duckdns.org | udp |
| US | 8.8.8.8:53 | hive01.duckdns.org | udp |
| US | 8.8.8.8:53 | hive01.duckdns.org | udp |
| US | 8.8.8.8:53 | hive01.duckdns.org | udp |
| US | 8.8.8.8:53 | hive01.duckdns.org | udp |
| US | 8.8.8.8:53 | hive01.duckdns.org | udp |
| US | 8.8.8.8:53 | hive01.duckdns.org | udp |
| US | 8.8.8.8:53 | hive01.duckdns.org | udp |
| US | 8.8.8.8:53 | hive01.duckdns.org | udp |
| US | 8.8.8.8:53 | 15.89.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hive01.duckdns.org | udp |
| US | 8.8.8.8:53 | hive01.duckdns.org | udp |
| US | 8.8.8.8:53 | hive01.duckdns.org | udp |
| US | 8.8.8.8:53 | hive01.duckdns.org | udp |
| US | 8.8.8.8:53 | hive01.duckdns.org | udp |
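The Network tables of both runs show repeated UDP queries to 8.8.8.8 for hive01.duckdns.org, a name under a free dynamic-DNS zone, and no TCP connection tied to that name; the single TCP row to 52.168.117.170:443 carries no domain and is not attributed to a process by the report. The 15.89.54.20.in-addr.arpa row is a reverse lookup of 20.54.89.15. The following is an added example, not part of the report: it matches resolver queries against a dynamic-DNS watchlist with label-wise suffix matching (so a registered look-alike such as evilduckdns.org does not match), decodes in-addr.arpa and ip6.arpa names back to addresses, and separates direct connections that have no name. The sample rows are copied from the report; the zone list and function names are assumptions.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Rows (Country, Destination, Domain, Proto) copied from the report's Network tables.
NETWORK_ROWS: List[Tuple[str, str, str, str]] = [
    ("US", "52.168.117.170:443", "", "tcp"),
    ("US", "8.8.8.8:53", "hive01.duckdns.org", "udp"),
    ("US", "8.8.8.8:53", "hive01.duckdns.org", "udp"),
    ("US", "8.8.8.8:53", "15.89.54.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "hive01.duckdns.org", "udp"),
]

# Assumption: a small watchlist of free dynamic-DNS zones; extend from your own intel.
DDNS_ZONES = {"duckdns.org", "no-ip.org", "ddns.net", "hopto.org", "dynu.net"}


def _labels(name: str) -> List[str]:
    return name.strip().lower().rstrip(".").split(".")


def in_zone(name: str, zone: str) -> bool:
    """True if `name` is a strict subdomain of `zone`, compared label by label.
    The zone apex itself is not a hit, and 'evilduckdns.org' never matches 'duckdns.org'."""
    n, z = _labels(name), _labels(zone)
    return len(n) > len(z) and n[-len(z):] == z


def ptr_to_ip(name: str) -> Optional[str]:
    """Decode a reverse-lookup name (in-addr.arpa / ip6.arpa) to its address, else None."""
    labels = _labels(name)
    try:
        if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
            return str(ipaddress.IPv4Address(".".join(reversed(labels[:4]))))
        if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
            nibbles = "".join(reversed(labels[:32]))
            return str(ipaddress.IPv6Address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4))))
    except ValueError:
        return None
    return None


def triage_rows(rows: List[Tuple[str, str, str, str]]) -> Dict[str, object]:
    """Split network rows into DDNS query counts, decoded PTR lookups, and nameless connections."""
    ddns: Dict[str, int] = {}
    ptr: Dict[str, str] = {}
    direct: List[Tuple[str, str]] = []
    for _country, dest, domain, proto in rows:
        if not domain:
            direct.append((dest, proto))
            continue
        ip = ptr_to_ip(domain)
        if ip is not None:
            ptr[domain] = ip
            continue
        if any(in_zone(domain, zone) for zone in DDNS_ZONES):
            ddns[domain] = ddns.get(domain, 0) + 1
    return {"ddns": ddns, "ptr": ptr, "direct": direct}


if __name__ == "__main__":
    result = triage_rows(NETWORK_ROWS)
    for name, count in result["ddns"].items():
        print(f"DDNS query x{count}: {name}")
    for name, ip in result["ptr"].items():
        print(f"reverse lookup: {name} -> {ip}")
    for dest, proto in result["direct"]:
        print(f"connection without a name: {dest}/{proto}")
```

A DDNS name queried many times with no following connection is worth its own alert line: it usually means the C2 name did not resolve during the run, so the hostname, not the destination IP, is the indicator to block.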
Files
memory/796-130-0x0000000000760000-0x0000000000936000-memory.dmp
memory/796-131-0x0000000005730000-0x0000000005CD4000-memory.dmp
memory/796-132-0x0000000005220000-0x00000000052B2000-memory.dmp
memory/796-133-0x00000000052E0000-0x00000000052EA000-memory.dmp
memory/796-134-0x0000000005EB0000-0x0000000005F4C000-memory.dmp
memory/804-135-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
| MD5 | 4e7eb50a75f8bf74751576cdd5381809 |
| SHA1 | 7e0dfbdd505b9451513b828e4d392e164fe566e9 |
| SHA256 | 0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c |
| SHA512 | 05b9ae0aef714798034ac0c271f5a1ef44221e9b56480f6de3e07d9e94e438bd0ba11ef44c6ff48267d0d9a94ec18355641c67d744d51326c8c7569048b660f3 |
memory/2936-137-0x0000000000000000-mapping.dmp
memory/2936-138-0x0000000000400000-0x0000000000590000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe
| MD5 | 4e7eb50a75f8bf74751576cdd5381809 |
| SHA1 | 7e0dfbdd505b9451513b828e4d392e164fe566e9 |
| SHA256 | 0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c |
| SHA512 | 05b9ae0aef714798034ac0c271f5a1ef44221e9b56480f6de3e07d9e94e438bd0ba11ef44c6ff48267d0d9a94ec18355641c67d744d51326c8c7569048b660f3 |
memory/728-140-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\1.exe
| MD5 | ea33ef88c0e9cf45dcd70dc971c46e02 |
| SHA1 | 68bad4331a4f108a7ced1dfe0e87a63fc5ded774 |
| SHA256 | 6b0c966be8f3ebf3faf33582428a16b669d7571125108c7bbd8308882c55d709 |
| SHA512 | 37c8c9404bedf6e032b1de937641b70586ad51a5a4e95fb08798a472bff5f3766123b98e4059d08f2608932d860325ab111e093276b1c71a9286b7e5d8211998 |
memory/1080-143-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\1.exe
| MD5 | ea33ef88c0e9cf45dcd70dc971c46e02 |
| SHA1 | 68bad4331a4f108a7ced1dfe0e87a63fc5ded774 |
| SHA256 | 6b0c966be8f3ebf3faf33582428a16b669d7571125108c7bbd8308882c55d709 |
| SHA512 | 37c8c9404bedf6e032b1de937641b70586ad51a5a4e95fb08798a472bff5f3766123b98e4059d08f2608932d860325ab111e093276b1c71a9286b7e5d8211998 |
C:\Users\Admin\AppData\Roaming\2.exe
| MD5 | bf400de7c5e0fb5fe483cb09c0ccb745 |
| SHA1 | 46199385eb5aeccd6638d77a980c780344ac8ace |
| SHA256 | fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc |
| SHA512 | 255c6fd43bd6e8954fec5e37b9c4aef9b210728073173ac51bc5ffaa6cb3cddab32d854c027ed7c0ff3e3d311e5b8e3c5a3ed3e1e08e8ccd60449485ec9bc93d |
memory/728-145-0x00000000006B0000-0x0000000000718000-memory.dmp
C:\Users\Admin\AppData\Roaming\2.exe
| MD5 | bf400de7c5e0fb5fe483cb09c0ccb745 |
| SHA1 | 46199385eb5aeccd6638d77a980c780344ac8ace |
| SHA256 | fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc |
| SHA512 | 255c6fd43bd6e8954fec5e37b9c4aef9b210728073173ac51bc5ffaa6cb3cddab32d854c027ed7c0ff3e3d311e5b8e3c5a3ed3e1e08e8ccd60449485ec9bc93d |
C:\Users\Admin\AppData\Roaming\3.exe
| MD5 | d21695b6d9bdd7ed0e35a0c70ce38205 |
| SHA1 | 33522e95507f48e68a981b1097bcbe0354e31c1a |
| SHA256 | 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c |
| SHA512 | 0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f |
memory/1424-147-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\3.exe
| MD5 | d21695b6d9bdd7ed0e35a0c70ce38205 |
| SHA1 | 33522e95507f48e68a981b1097bcbe0354e31c1a |
| SHA256 | 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c |
| SHA512 | 0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f |
memory/1080-151-0x0000000000B40000-0x0000000000BD8000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0976a3ad891a358ff61b4e77d77ce4021cdcd53456a0ba21700b92ecd37ac37c.exe.log
| MD5 | 8ec831f3e3a3f77e4a7b9cd32b48384c |
| SHA1 | d83f09fd87c5bd86e045873c231c14836e76a05c |
| SHA256 | 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982 |
| SHA512 | 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3 |
memory/1424-152-0x0000000000180000-0x0000000000218000-memory.dmp
memory/1676-153-0x0000000000000000-mapping.dmp
memory/1676-154-0x0000000000400000-0x0000000000554000-memory.dmp
C:\Users\Admin\AppData\Roaming\1.exe
| MD5 | ea33ef88c0e9cf45dcd70dc971c46e02 |
| SHA1 | 68bad4331a4f108a7ced1dfe0e87a63fc5ded774 |
| SHA256 | 6b0c966be8f3ebf3faf33582428a16b669d7571125108c7bbd8308882c55d709 |
| SHA512 | 37c8c9404bedf6e032b1de937641b70586ad51a5a4e95fb08798a472bff5f3766123b98e4059d08f2608932d860325ab111e093276b1c71a9286b7e5d8211998 |
memory/3396-157-0x0000000000000000-mapping.dmp
memory/3396-158-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Roaming\2.exe
| MD5 | bf400de7c5e0fb5fe483cb09c0ccb745 |
| SHA1 | 46199385eb5aeccd6638d77a980c780344ac8ace |
| SHA256 | fafbac3283f1c1b642284c1cee4c4111a165df2afce327798e739e1bb09984fc |
| SHA512 | 255c6fd43bd6e8954fec5e37b9c4aef9b210728073173ac51bc5ffaa6cb3cddab32d854c027ed7c0ff3e3d311e5b8e3c5a3ed3e1e08e8ccd60449485ec9bc93d |
memory/2492-162-0x0000000000000000-mapping.dmp
memory/3396-161-0x0000000000400000-0x0000000000454000-memory.dmp
memory/2492-163-0x0000000000400000-0x0000000000454000-memory.dmp
C:\Users\Admin\AppData\Roaming\3.exe
| MD5 | d21695b6d9bdd7ed0e35a0c70ce38205 |
| SHA1 | 33522e95507f48e68a981b1097bcbe0354e31c1a |
| SHA256 | 15a91a73d34c70be3ae427e2f296d79848ac15326f4d32e1e08831db651aa64c |
| SHA512 | 0550e12024173c5a369ca28f20042756d2a5a83025e8fe22e89d5f5712232741ba5c090ea53406a20372b6666a98aa23eb896e3cfb61797401b7591b9c587a5f |
memory/2492-166-0x0000000000400000-0x0000000000454000-memory.dmp
memory/1676-167-0x0000000000400000-0x0000000000554000-memory.dmp
memory/3396-169-0x0000000000400000-0x0000000000454000-memory.dmp
memory/3396-170-0x0000000000400000-0x0000000000454000-memory.dmp
memory/3396-172-0x0000000000400000-0x0000000000454000-memory.dmp
memory/3396-171-0x0000000000400000-0x0000000000454000-memory.dmp
memory/3396-176-0x0000000000400000-0x0000000000454000-memory.dmp
memory/3396-179-0x0000000000400000-0x0000000000454000-memory.dmp
memory/3396-180-0x0000000000400000-0x0000000000454000-memory.dmp
memory/3396-181-0x0000000000400000-0x0000000000454000-memory.dmp
memory/3396-187-0x0000000004F50000-0x0000000004FB6000-memory.dmp
memory/1676-188-0x0000000000400000-0x0000000000554000-memory.dmp