Analysis
-
max time kernel
149s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
16-05-2022 18:47
General
-
Target
deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe
-
Size
7.6MB
-
MD5
efc5d47f6d5aa4dbd22cd109aa13ac30
-
SHA1
6427617947cca1dc78c5091dcb2c051ab8d5b949
-
SHA256
deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62
-
SHA512
0bf945e9f5f84ed82df9d6c160fb495b0f0e121f86e03ee3cd7acad1e0059d914fffde6ea8e3322015aa184792bbd0f9e9f85697ef9a1d06e172b693f839af29
Malware Config
Signatures
-
HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
HiveRAT Payload 10 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
XMRig Miner Payload 3 IoCs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe"C:\Users\Admin\AppData\Local\Temp\deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe"1⤵
- Checks BIOS information in registry
- Checks computer location settings
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iuvFUtslgAL" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAC2E.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe"{path}"2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe"C:\Users\Admin\AppData\Local\Temp\deb4b809f9360df97d5991701bb4ce8d6f0a2b929e1459ea509299b3bfa65d62.exe" -a cryptonight --url=http://xmrpool.eu:5555/ --userpass=44AZAavMaLRjQzY6RS8mXwUBKGoPa62Yb8gVx89rZ1bHN1uqKvqW9Q13k86Pf4ve1a37XUa23btkeJckxSfKfnJqBd6fAiM:X --max-cpu-usage=653⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution5.vbs"3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Execution5.vbsFilesize
563B
MD57dff540cd392d0b313d4ed0d55fafdef
SHA12da23e76c1afeb89396f85bfa0c7be638497c4f7
SHA256eb5134b02d9aea8fabad254943009a3c837410b1693d6dee7af1dcb22fbccb45
SHA512c613ec4e7d99640681be3a7ccbec63b6070dc974307889ba86911967576b34b5bb61e6ab188b85344f0a2dd24c0468ae141ade1a3af6efedec196f846b0a71ad
-
C:\Users\Admin\AppData\Local\Temp\tmpAC2E.tmpFilesize
1KB
MD560b614fb96e53a20a89b91c276985b45
SHA1fbe7825eb2481e7dbac2943cf2a2f8b919d00ad5
SHA256060a9e81131f38a4af8d8da06ea630efb6fcabe30b46df4818dd909b86f5bae2
SHA51282d4fea144e25f692d386f8074ffae014fe35afb5e3675ae6ad3531e38fedf095e12dce4765789feed347628b4e33020860426ddb62b6b361d50fdd0a8f3bdbe
-
memory/2032-131-0x0000000000000000-mapping.dmp
-
memory/3536-162-0x0000000000400000-0x0000000000888000-memory.dmpFilesize
4.5MB
-
memory/3536-161-0x0000000000400000-0x0000000000888000-memory.dmpFilesize
4.5MB
-
memory/3536-159-0x0000000000400000-0x0000000000888000-memory.dmpFilesize
4.5MB
-
memory/3536-158-0x0000000000000000-mapping.dmp
-
memory/3568-163-0x0000000000000000-mapping.dmp
-
memory/4136-130-0x0000000075520000-0x0000000075AD1000-memory.dmpFilesize
5.7MB
-
memory/4164-133-0x0000000000000000-mapping.dmp
-
memory/4208-142-0x0000000000400000-0x0000000000A28000-memory.dmpFilesize
6.2MB
-
memory/4208-146-0x0000000000400000-0x0000000000A28000-memory.dmpFilesize
6.2MB
-
memory/4208-147-0x0000000075520000-0x0000000075AD1000-memory.dmpFilesize
5.7MB
-
memory/4208-150-0x0000000000400000-0x0000000000A28000-memory.dmpFilesize
6.2MB
-
memory/4208-151-0x0000000000400000-0x0000000000A28000-memory.dmpFilesize
6.2MB
-
memory/4208-152-0x0000000000400000-0x0000000000A28000-memory.dmpFilesize
6.2MB
-
memory/4208-141-0x0000000000400000-0x0000000000A28000-memory.dmpFilesize
6.2MB
-
memory/4208-140-0x0000000000400000-0x0000000000A28000-memory.dmpFilesize
6.2MB
-
memory/4208-139-0x0000000000400000-0x0000000000A28000-memory.dmpFilesize
6.2MB
-
memory/4208-137-0x0000000000400000-0x0000000000A28000-memory.dmpFilesize
6.2MB
-
memory/4208-135-0x0000000000400000-0x0000000000A28000-memory.dmpFilesize
6.2MB
-
memory/4208-134-0x0000000000000000-mapping.dmp