Analysis
-
max time kernel
98s -
max time network
204s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
24-05-2022 23:35
General
-
Target
ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe
-
Size
783KB
-
MD5
af453e6dc8439e4856260859e7d68fc1
-
SHA1
031520acf4961f5938f0ceeb2f02e2656667cffb
-
SHA256
ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171
-
SHA512
434afe14ea03edb8988ca23785275a63f8398936811f0b86215c1f4b3f165fc0da352e01aa16206e6f28bf93dee4c0ec21882b08b35adedb55052d7fb54136e3
Malware Config
Signatures
-
HiveRAT
HiveRAT is an improved version of FirebirdRAT with various capabilities.
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
HiveRAT Payload 2 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Windows security modification 2 TTPs 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe"C:\Users\Admin\AppData\Local\Temp\ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe"1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Windows security modification
- Adds Run key to start application
- Maps connected drives based on registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" Get-MpPreference -verbose2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe"C:\Users\Admin\AppData\Local\Temp\ca6b1afe76cbc6f14e10608b426d7c6c028ab78de5cca30ae7b5880710865171.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 7643⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2964 -ip 29641⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Disabling Security Tools
2Modify Registry
4Virtualization/Sandbox Evasion
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
800KB
-
Filesize
624KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
408KB
-
Filesize
616KB
-
Filesize
616KB
-
Filesize
200KB
-
Filesize
6.5MB
-
Filesize
120KB
-
Filesize
408KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
56KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
6.2MB
-
Filesize
216KB