Overview

overview

10

Static

static

GAMESPOR.exe

windows7_x64

10

GAMESPOR.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 03:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GAMESPOR.exe

  • Size

    719KB

  • MD5

    5d6b01b87783fd49b95ee6570c69ad19

  • SHA1

    de96bc61f52d5d7f790d84ab6ad54ae178211c2d

  • SHA256

    a25220d36761cb66dd0802e6bc007a963f4d6caea2f1cba85b078171766d6311

  • SHA512

    afb9a8b288f5e4775949968d531358bf507e0a94a74aa29262cee2b6cee25af13453131b1236e96d55a2387d44aefb8bf1686344d4ae336bea55aa906a62c720

Score
10/10
hiveratratstealer

Malware Config

Signatures

  • HiveRAT

    HiveRAT is an improved version of FirebirdRAT with various capabilities.

    ratstealerhiverat
  • HiveRAT Payload 10 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GAMESPOR.exe
    "C:\Users\Admin\AppData\Local\Temp\GAMESPOR.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\nEtYUAOy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE445.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3540
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:4796

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpE445.tmp
    Filesize

    1KB

    MD5

    b6be71d588bd575d3ec86c2f45729737

    SHA1

    20c7335c503eeeea219b672af760e57efa8cee77

    SHA256

    ef267da04f3c82838937120f127b4555aac1c118d73f851c24fbbf86b5a4d94f

    SHA512

    4f5a1722abf89ad1442490731eaaa63a35988f2c96054e819a86593a6352991065e3e97dd6708d08443ee1f9aeef2e66516040c222eb05003c18ad5af0134efe

    Download Submit

  • memory/2164-130-0x0000000000900000-0x00000000009BC000-memory.dmp

    Filesize

    752KB

    Download

  • memory/2164-131-0x00000000058B0000-0x0000000005E54000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2164-132-0x00000000053A0000-0x0000000005432000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2164-133-0x0000000005440000-0x00000000054DC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2164-134-0x0000000005370000-0x000000000537A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3540-135-0x0000000000000000-mapping.dmp

    Download

  • memory/4796-138-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4796-137-0x0000000000000000-mapping.dmp

    Download

  • memory/4796-140-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4796-142-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4796-143-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4796-144-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4796-145-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4796-149-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4796-152-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4796-153-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4796-154-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4796-160-0x0000000005750000-0x00000000057B6000-memory.dmp

    Filesize

    408KB

    Download