Overview

overview

10

Static

static

deb4b809f9...62.exe

windows7_x64

10

deb4b809f9...62.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    172s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    16-05-2022 18:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe

  • Size

    7.6MB

  • MD5

    efc5d47f6d5aa4dbd22cd109aa13ac30

  • SHA1

    6427617947cca1dc78c5091dcb2c051ab8d5b949

  • SHA256

    deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62

  • SHA512

    0bf945e9f5f84ed82df9d6c160fb495b0f0e121f86e03ee3cd7acad1e0059d914fffde6ea8e3322015aa184792bbd0f9e9f85697ef9a1d06e172b693f839af29

Score
10/10
hiveratxmrigevasionminerratstealer

Malware Config

Signatures

  • HiveRAT

    HiveRAT is an improved version of FirebirdRAT with various capabilities.

    ratstealerhiverat
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • HiveRAT Payload 15 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • XMRig Miner Payload 8 IoCs
    miner
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
    "C:\Users\Admin\AppData\Local\Temp\deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iuvFUtslgAL" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8AE2.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2036
    • C:\Users\Admin\AppData\Local\Temp\deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
      "{path}"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:664
      • C:\Users\Admin\AppData\Local\Temp\deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
        "C:\Users\Admin\AppData\Local\Temp\deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe" -a cryptonight --url=http://xmrpool.eu:5555/ --userpass=44AZAavMaLRjQzY6RS8mXwUBKGoPa62Yb8gVx89rZ1bHN1uqKvqW9Q13k86Pf4ve1a37XUa23btkeJckxSfKfnJqBd6fAiM:X --max-cpu-usage=65
        3⤵
          PID:2020
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution5.vbs"
          3⤵
            PID:696

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Virtualization/Sandbox Evasion

      2
      T1497

      Credential Access

      Discovery

      Query Registry

      4
      T1012

      Virtualization/Sandbox Evasion

      2
      T1497

      System Information Discovery

      3
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Execution5.vbs
        Filesize

        563B

        MD5

        7dff540cd392d0b313d4ed0d55fafdef

        SHA1

        2da23e76c1afeb89396f85bfa0c7be638497c4f7

        SHA256

        eb5134b02d9aea8fabad254943009a3c837410b1693d6dee7af1dcb22fbccb45

        SHA512

        c613ec4e7d99640681be3a7ccbec63b6070dc974307889ba86911967576b34b5bb61e6ab188b85344f0a2dd24c0468ae141ade1a3af6efedec196f846b0a71ad

        Download Submit
      • C:\Users\Admin\AppData\Local\Temp\tmp8AE2.tmp
        Filesize

        1KB

        MD5

        4c4775e92dc03a506d67460dab264bab

        SHA1

        cd090e238b8d62b756ac5d3a677b9cd814e6da0b

        SHA256

        a96a1ff7a4b1d4a8381f39e3950b26a35bc3ba1af0ecbf2714c5de0dc0f7450c

        SHA512

        39e213498c21a3ae9efb17c7ce613d0e2091d2f2f3921ff9988515781e832acdcde84ec156db0675ee90177fc4f00aecf41a54e8e20f65d65d6aeea5921fcfff

        Download Submit
      • memory/664-83-0x0000000000400000-0x0000000000A28000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/664-59-0x0000000000400000-0x0000000000A28000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/664-58-0x0000000000400000-0x0000000000A28000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/664-84-0x0000000000400000-0x0000000000A28000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/664-61-0x0000000000400000-0x0000000000A28000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/664-82-0x0000000000400000-0x0000000000A28000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/664-63-0x0000000000400000-0x0000000000A28000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/664-64-0x0000000000400000-0x0000000000A28000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/664-65-0x0000000000A212DE-mapping.dmp
        Download
      • memory/664-67-0x0000000000400000-0x0000000000A28000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/664-69-0x0000000000400000-0x0000000000A28000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/664-72-0x0000000000400000-0x0000000000A28000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/664-73-0x0000000000400000-0x0000000000A28000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/664-74-0x0000000000400000-0x0000000000A28000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/664-75-0x0000000000400000-0x0000000000A28000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/664-79-0x0000000000400000-0x0000000000A28000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/664-90-0x0000000074EE0000-0x000000007548B000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/664-62-0x0000000000400000-0x0000000000A28000-memory.dmp
        Filesize

        6.2MB

        Download
      • memory/696-112-0x0000000000000000-mapping.dmp
        Download
      • memory/1640-55-0x0000000074F50000-0x00000000754FB000-memory.dmp
        Filesize

        5.7MB

        Download
      • memory/1640-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2020-94-0x0000000000400000-0x0000000000888000-memory.dmp
        Filesize

        4.5MB

        Download
      • memory/2020-104-0x0000000000400000-0x0000000000888000-memory.dmp
        Filesize

        4.5MB

        Download
      • memory/2020-96-0x0000000000400000-0x0000000000888000-memory.dmp
        Filesize

        4.5MB

        Download
      • memory/2020-98-0x0000000000400000-0x0000000000888000-memory.dmp
        Filesize

        4.5MB

        Download
      • memory/2020-92-0x0000000000400000-0x0000000000888000-memory.dmp
        Filesize

        4.5MB

        Download
      • memory/2020-103-0x0000000000400000-0x0000000000888000-memory.dmp
        Filesize

        4.5MB

        Download
      • memory/2020-91-0x0000000000400000-0x0000000000888000-memory.dmp
        Filesize

        4.5MB

        Download
      • memory/2020-100-0x0000000000400000-0x0000000000888000-memory.dmp
        Filesize

        4.5MB

        Download
      • memory/2020-107-0x0000000000401500-mapping.dmp
        Download
      • memory/2020-106-0x0000000000400000-0x0000000000888000-memory.dmp
        Filesize

        4.5MB

        Download
      • memory/2020-110-0x0000000000400000-0x0000000000888000-memory.dmp
        Filesize

        4.5MB

        Download
      • memory/2020-111-0x0000000000400000-0x0000000000888000-memory.dmp
        Filesize

        4.5MB

        Download
      • memory/2020-102-0x0000000000400000-0x0000000000888000-memory.dmp
        Filesize

        4.5MB

        Download
      • memory/2036-56-0x0000000000000000-mapping.dmp
        Download