Analysis

  • max time kernel
    153s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    24-05-2022 19:33

General

  • Target

    bb46e6aad59864e3e4826189809c7fdb8a449f69817723ff2039147e3ec020d7.exe

  • Size

    444KB

  • MD5

    3345d81272159ef8f2e837c836da04e3

  • SHA1

    c073b1f55f53472efa4b3e0afc2399d0ec73eead

  • SHA256

    bb46e6aad59864e3e4826189809c7fdb8a449f69817723ff2039147e3ec020d7

  • SHA512

    2de3e07219c4f4f7fd2f0787ca626a9a33f56e01e936f7a44275984c3021e73634d5cf30e250c7a632059bbfecdc8049316b959898a372ae3c598e5252fdcef4

Malware Config

Signatures

  • HiveRAT

    HiveRAT is an improved version of FirebirdRAT with various capabilities.

  • HiveRAT Payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb46e6aad59864e3e4826189809c7fdb8a449f69817723ff2039147e3ec020d7.exe
    "C:\Users\Admin\AppData\Local\Temp\bb46e6aad59864e3e4826189809c7fdb8a449f69817723ff2039147e3ec020d7.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution5.vbs"
      2⤵
      PID:4360
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution2.vbs"
      2⤵
      • Adds Run key to start application
      PID:768
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Local\Execution.vbs
      2⤵
      PID:4852
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Execution.vbs"
      2⤵
      • Adds Run key to start application
      PID:8

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Execution.vbs
    Filesize: 569B
    MD5: 743df8248e54fd91856951188e3094f2
    SHA1: eeb2d9900d684128a8f38cb5256ec30879a8058d
    SHA256: 7e6a03abee4ed68604a0b5f0c5c2efe86c3c8106068a5b4bdc0ab9457658538f
    SHA512: 8900228c38fde6567998aa954b38e00e531f5ccd33f1471060bc4426aa8258dff9aaf89105a1aa461a26a73c8d22950050be214fe5718fa84c25c631e5700196

  • C:\Users\Admin\AppData\Local\Execution2.vbs
    Filesize: 813B
    MD5: 9089c318822d5236ea57a1ab1cd2423c
    SHA1: fd2f802809486520005e24550bfd0a0d185b9aa6
    SHA256: 639a20cc23d9dd274487728eeda789b5ee0d49e07c94cc064cf1d76463a2cbb6
    SHA512: e18a2d0660d3973c8e9e308853b1fceeea4e487f6e2d8c250d9c70251de411e1e4fbb6bd13c8d1d4c6a1264cc39f7ed8dda80c35f950c1f7b8a6b8ad05ab02b3

  • C:\Users\Admin\AppData\Local\Execution5.vbs
    Filesize: 563B
    MD5: 1b57fa3c2ec8c0ce0e028d2d01d87b89
    SHA1: 774e510ef3d0e2dece8b89a4bb6b004cc0b03801
    SHA256: d773b3ee5ea9a54e07a2e8fc0da33106f6db47adaf1845d95ef6ca663ef2048b
    SHA512: bec393fb41c435f60da417356472468678aa1a46d0fe251fb1cf7a9687bc0fa0453847b20d7814fa3a434ef85b0a191a04032b0481469771794cd51becb4a14c

  • memory/1168-133-0x0000000000740000-0x00000000007BA000-memory.dmp
    Filesize: 488KB

  • memory/1168-134-0x0000000005470000-0x000000000550C000-memory.dmp
    Filesize: 624KB

  • memory/1168-135-0x00000000055A0000-0x0000000005632000-memory.dmp
    Filesize: 584KB

  • memory/1168-136-0x0000000005F70000-0x0000000006514000-memory.dmp
    Filesize: 5.6MB