Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

Booking Co...DF.exe

windows7_x64

10

Booking Co...DF.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    07/07/2022, 07:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Booking Confirmation 1104202403251 - copy - PDF.exe

  • Size

    344KB

  • MD5

    f4f48519f108900933d0dd0e8aa1f40f

  • SHA1

    5a48020b486ab74eea85cf88d647dc2ba0994ace

  • SHA256

    f6d2fe1a8ba40429708ec5c70159fcff0e9741ea260ea93e3665d6ea752f96d3

  • SHA512

    d02dc186871c344bddac7ae1a5c1e9c72014e106dfdbe1c565bf7a56ae052b10f7abb69f34010f5315752766bc40a86d1f9e20da2c8c70f7c0aef053ab3248a1

Score
10/10
hiveratratstealer

Malware Config

Signatures

  • HiveRAT

    HiveRAT is an improved version of FirebirdRAT with various capabilities.

    ratstealerhiverat
  • HiveRAT Payload 10 IoCs
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 57 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 1104202403251 - copy - PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\Booking Confirmation 1104202403251 - copy - PDF.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4980
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c timeout 5 & powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Local\Temp\\129579.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 1104202403251 - copy - PDF.exe'
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1012
      • C:\Windows\SysWOW64\timeout.exe
        timeout 5
        3⤵
        • Delays execution with timeout.exe
        PID:1660
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -command Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Local\Temp\\129579.js'; Start-Sleep -s 5; Start-Process -WindowStyle hidden -FilePath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 1104202403251 - copy - PDF.exe'
        3⤵
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2348
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\129579.js"
          4⤵
          • Suspicious behavior: RenamesItself
          PID:2924
        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 1104202403251 - copy - PDF.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 1104202403251 - copy - PDF.exe"
          4⤵
          • Drops startup file
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3344
          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 1104202403251 - copy - PDF.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Booking Confirmation 1104202403251 - copy - PDF.exe"
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:4488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\129579.js
    Filesize

    312B

    MD5

    9319c8e299915f15f09346cd84c43b13

    SHA1

    7fc0374c1887ebc81d31b70d81fcdcb0251cd640

    SHA256

    1a90dcfd32487e44228f5960d10b5026f5ab5dd469faef9ae4a3a921007a75ea

    SHA512

    3847beafe59ed9707ba7458daf882ebbebb6b5d45ef359636f81fe56cd80cb9a20290997831d336b3abe1f16d5677decb57b9d6bb3c0c83b1f828b08e6b8a29b

    Download Submit

  • memory/2348-138-0x0000000002FD0000-0x0000000003006000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2348-148-0x0000000008800000-0x0000000008E7A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2348-139-0x0000000005840000-0x0000000005E68000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2348-140-0x00000000055F0000-0x0000000005612000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2348-141-0x0000000005EE0000-0x0000000005F46000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2348-142-0x00000000065B0000-0x00000000065CE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2348-143-0x0000000007580000-0x0000000007616000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2348-144-0x0000000006A90000-0x0000000006AAA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2348-145-0x0000000006AE0000-0x0000000006B02000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3344-156-0x00000000059C0000-0x00000000059CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4488-153-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4488-159-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4488-168-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4488-167-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4488-151-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4488-166-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4488-163-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4488-157-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4488-158-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4488-155-0x0000000000400000-0x0000000000454000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4980-134-0x0000000005120000-0x0000000005186000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4980-133-0x0000000005080000-0x000000000511C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4980-132-0x0000000004D40000-0x0000000004DD2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4980-130-0x0000000000350000-0x00000000003AC000-memory.dmp

    Filesize

    368KB

    Download

  • memory/4980-131-0x0000000005210000-0x00000000057B4000-memory.dmp

    Filesize

    5.6MB

    Download