Overview

overview

10

Static

static

GAMESPOR.exe

windows7_x64

10

GAMESPOR.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    131s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 03:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GAMESPOR.exe

  • Size

    719KB

  • MD5

    5d6b01b87783fd49b95ee6570c69ad19

  • SHA1

    de96bc61f52d5d7f790d84ab6ad54ae178211c2d

  • SHA256

    a25220d36761cb66dd0802e6bc007a963f4d6caea2f1cba85b078171766d6311

  • SHA512

    afb9a8b288f5e4775949968d531358bf507e0a94a74aa29262cee2b6cee25af13453131b1236e96d55a2387d44aefb8bf1686344d4ae336bea55aa906a62c720

Score
10/10
hiveratratstealer

Malware Config

Signatures

  • HiveRAT

    HiveRAT is an improved version of FirebirdRAT with various capabilities.

    ratstealerhiverat
  • HiveRAT Payload 15 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GAMESPOR.exe
    "C:\Users\Admin\AppData\Local\Temp\GAMESPOR.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1672
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nEtYUAOy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDA1A.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1344
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:1324

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpDA1A.tmp
    Filesize

    1KB

    MD5

    3ced86fc6657d2a407c465471ca31e5f

    SHA1

    6f2c6e78dbe51637975eca73edf7c18a83ee2d05

    SHA256

    e7ed80a9a9b8c921ddbae858aee405f0ff7552c844c626906a71811362bcb5f4

    SHA512

    a561d93bb7f9b30a2917eb27ea7d91b249d7e90a91a30103680135ec510a026eff98023945b2b9f38397e6c4b8d3338c0a9047513365a8c7868a31d8ae09a939

    Download Submit

  • memory/1324-67-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1324-85-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1324-66-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1324-86-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1324-84-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1324-81-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1324-61-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1324-62-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1324-64-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1324-68-0x000000000044C08E-mapping.dmp

    Download

  • memory/1324-74-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1324-77-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1324-65-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1324-70-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1324-72-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1324-75-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1324-76-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/1344-59-0x0000000000000000-mapping.dmp

    Download

  • memory/1672-56-0x0000000000510000-0x0000000000522000-memory.dmp

    Filesize

    72KB

    Download

  • memory/1672-57-0x0000000000DD0000-0x0000000000E2C000-memory.dmp

    Filesize

    368KB

    Download

  • memory/1672-55-0x0000000075B61000-0x0000000075B63000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1672-58-0x0000000000F30000-0x0000000000F82000-memory.dmp

    Filesize

    328KB

    Download

  • memory/1672-54-0x00000000012E0000-0x000000000139C000-memory.dmp

    Filesize

    752KB

    Download