Overview

overview

10

Static

static

10

9ab39cb346...ed.exe

windows7_x64

10

9ab39cb346...ed.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    176s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 04:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe

  • Size

    300KB

  • MD5

    1f8ef85018585c48b2abe7876f0d6e7e

  • SHA1

    ddcc9c01e06187bed5c6c8b0ab7ca127428cf02c

  • SHA256

    9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced

  • SHA512

    d3a118b0fe2266b943f84aa6809565abbf12a1b2c326760f97233ed9ca9af1bf7a494c7a5d4c1495237c75d859123a1bb1b4b419dc3f9e6a43525849e5ad43ef

Score
10/10
hiveratpersistenceratstealer

Malware Config

Signatures

  • HiveRAT

    HiveRAT is an improved version of FirebirdRAT with various capabilities.

    ratstealerhiverat
  • HiveRAT Payload 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe
    "C:\Users\Admin\AppData\Local\Temp\9ab39cb3460b7680fcceb6481c12674dd3950466224f3163b74c38acad37fced.exe"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1956
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
      2⤵
        PID:1176
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:1832
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
        2⤵
        • Adds Run key to start application
        PID:332

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Execution.vbs
      Filesize

      559B

      MD5

      52b7140d35a38f6ae6e910a3c041cae2

      SHA1

      a398398aa69e4ba435ed318dc40f8a5397ccae03

      SHA256

      cc649cd28307555d7454e37e7ba4fa3d48041fd2650469a10f7f6cb415ed44cb

      SHA512

      9a25cd0c01557a7e7eb498b74c5cf327a52a9efa86ba98afe09cb37b410722c1b9dab1f999074c46bc70e066ed0442c38181cf48893bdd1ead1a007edd09a89a

      Download Submit

    • memory/1176-58-0x0000000070131000-0x0000000070133000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1832-59-0x000007FEFC1F1000-0x000007FEFC1F3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1956-54-0x00000000002A0000-0x00000000002F2000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1956-55-0x00000000761F1000-0x00000000761F3000-memory.dmp

      Filesize

      8KB

      Download