Analysis

  • max time kernel
    151s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    14/07/2020, 06:57

General

  • Target

    Dettagli di spedizione.exe (Italian for "Shipping details")

  • Size

    743KB

  • MD5

    4e6c88000d39ba9b2970a38c06ad8954

  • SHA1

    a445842a0c65c55517f0573f1b3acd0e5bfa6632

  • SHA256

    5b56965b3b01283c8ac5277021645a8c85c366e39c200d8bcb6869750dfc3100

  • SHA512

    1a6ddc38932fa2dd2f0d5bd64db2808331153f83b080b75f0c7b63311f10e5da009859034bc1ec5f2c737326bae6c66e3f510c4fa1d7e476a7e9c76acf39546f

Malware Config

Signatures

  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of WriteProcessMemory 28 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1093 IoCs
  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • Uses the VBS compiler for execution 1 TTPs

    vbc.exe is the Visual Basic .NET command-line compiler, not a VBScript interpreter. Here it is started by RegAsm.exe (PID 272) with no source file and with the /stext switch, which is not a vbc.exe option but the save-to-text-file switch of NirSoft's password-recovery utilities; the output names holdermail.txt and holderwb.txt match the mail-client and web-browser credential dumps HawkEye collects by running those tools inside vbc.exe.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dettagli di spedizione.exe
    "C:\Users\Admin\AppData\Local\Temp\Dettagli di spedizione.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • Suspicious behavior: MapViewOfSection
    PID:896
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious behavior: EnumeratesProcesses
      PID:272
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
        3⤵
        PID:1876
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
        3⤵
        PID:1196

    Chain summary: the dropper (PID 896) starts RegAsm.exe (PID 272) with no arguments and writes into it (SetThreadContext, WriteProcessMemory, MapViewOfSection), which is consistent with process hollowing. The payload now running as RegAsm.exe starts two vbc.exe instances (PIDs 1876 and 1196) with NirSoft's /stext switch, writing mail-client and browser credential dumps to text files in %TEMP%.
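    The process chain above is more useful as a hunting rule than as a tree. The following is an added example, not part of the sandbox report and not HawkEye's or the sandbox's code: it replays the report's four process-creation events (PIDs, images and command lines as listed, parent links as in the tree) through three checks. The event fields are an assumed Sysmon-like shape, the DOTNET_HOSTS list and the rule names are my own, and the third check relies on /stext being NirSoft's save-to-text-file switch rather than a vbc.exe option.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record. Field names are an assumed Sysmon-like shape."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed from the report's Processes tree: same PIDs, images and command
# lines; ppid follows the tree (the dropper's own parent is unknown, so 0).
EVENTS = [
    ProcEvent(896, 0,
              r"C:\Users\Admin\AppData\Local\Temp\Dettagli di spedizione.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\Dettagli di spedizione.exe"'),
    ProcEvent(272, 896,
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'),
    ProcEvent(1876, 272,
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"'),
    ProcEvent(1196, 272,
              r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
              r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"'),
]

# .NET framework utilities that crypters commonly start suspended and hollow
# (my list, not the sandbox's).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe",
                "msbuild.exe", "vbc.exe", "csc.exe"}
USER_WRITABLE = re.compile(r"\\(Users|ProgramData)\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def arguments(e: ProcEvent) -> str:
    """Command line with the (possibly quoted) image path removed."""
    cmd = e.cmdline.strip()
    for prefix in (f'"{e.image}"', e.image):
        if cmd.lower().startswith(prefix.lower()):
            return cmd[len(prefix):].strip()
    return cmd


def find_suspicious(events):
    """Return (rule, pid) pairs for the three patterns visible in the report."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        args = arguments(e)

        # 1. Hollowing candidate: a framework utility started with no arguments by
        #    something living in a user-writable directory. A real RegAsm run has
        #    an assembly to register on its command line.
        if name in DOTNET_HOSTS and not args and parent and USER_WRITABLE.search(parent.image):
            findings.append(("dotnet-host-from-user-writable-parent", e.pid))

        # 2. One framework utility spawning another. MSBuild legitimately runs the
        #    compilers, so it is excluded as a parent; RegAsm.exe has no reason to.
        if name in DOTNET_HOSTS and pname in DOTNET_HOSTS and pname != "msbuild.exe":
            findings.append(("dotnet-host-spawns-dotnet-host", e.pid))

        # 3. /stext is the save-to-text-file switch of NirSoft's password-recovery
        #    tools, not a vbc.exe option; an output path under a user directory is
        #    the recovered credentials being written to disk.
        if "/stext" in args.lower() and USER_WRITABLE.search(args):
            findings.append(("nirsoft-stext-dump", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in find_suspicious(EVENTS):
        print(f"{rule:40} PID {pid}")
```

    On real telemetry the first rule is the quietest of the three; build servers will trip the second unless the MSBuild exclusion is widened to your own toolchain, and the third should be joined to a file-creation event on the named output path so the dump itself can be collected.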

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/272-0-0x0000000000400000-0x0000000000488000-memory.dmp
    Filesize: 544KB
  • memory/272-2-0x0000000000400000-0x0000000000488000-memory.dmp
    Filesize: 544KB
  • memory/272-3-0x0000000000400000-0x0000000000488000-memory.dmp
    Filesize: 544KB
  • memory/1196-9-0x0000000000400000-0x0000000000458000-memory.dmp
    Filesize: 352KB
  • memory/1196-7-0x0000000000400000-0x0000000000458000-memory.dmp
    Filesize: 352KB
  • memory/1876-4-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB
  • memory/1876-6-0x0000000000400000-0x000000000041B000-memory.dmp
    Filesize: 108KB
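  A quick consistency check on the dumps listed above, added here as an example and not sandbox tooling: parse each artifact name into PID and address range, confirm the range length equals the reported file size (a mismatch would mean a truncated dump), and test whether a dump begins with a PE header, which is the first thing to look at in a region dumped from 0x400000, the default image base of 32-bit executables. The dump names and sizes are the report's; the header bytes fed to looks_like_pe() are constructed here, since the dumps themselves are not on the page.

```python
import re
import struct

# Artifact names and reported sizes, copied from the report's Downloads list.
REPORTED_DUMPS = [
    ("memory/272-0-0x0000000000400000-0x0000000000488000-memory.dmp", "544KB"),
    ("memory/272-2-0x0000000000400000-0x0000000000488000-memory.dmp", "544KB"),
    ("memory/272-3-0x0000000000400000-0x0000000000488000-memory.dmp", "544KB"),
    ("memory/1196-9-0x0000000000400000-0x0000000000458000-memory.dmp", "352KB"),
    ("memory/1196-7-0x0000000000400000-0x0000000000458000-memory.dmp", "352KB"),
    ("memory/1876-4-0x0000000000400000-0x000000000041B000-memory.dmp", "108KB"),
    ("memory/1876-6-0x0000000000400000-0x000000000041B000-memory.dmp", "108KB"),
]

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp, the naming used in this report.
DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)

DEFAULT_IMAGE_BASE_32 = 0x400000  # default base of 32-bit PE executables


def parse_dump_name(name: str) -> dict:
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def size_to_bytes(text: str) -> int:
    """'544KB' -> 557056; the report only uses whole-KB sizes."""
    m = re.fullmatch(r"(\d+)\s*KB", text.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised size: {text}")
    return int(m[1]) * 1024


def regions_by_pid(reported):
    """Map PID -> {(start, end)} after checking each reported size against the
    address range in the name; a mismatch would mean a partial dump."""
    out = {}
    for name, size in reported:
        d = parse_dump_name(name)
        if d["size"] != size_to_bytes(size):
            raise ValueError(f"{name}: range is {d['size']} bytes, reported {size}")
        out.setdefault(d["pid"], set()).add((d["start"], d["end"]))
    return out


def at_default_image_base(reported) -> bool:
    """True if every dump starts at 0x400000, i.e. where a hollowed image would sit."""
    return all(parse_dump_name(n)["start"] == DEFAULT_IMAGE_BASE_32 for n, _ in reported)


def looks_like_pe(data: bytes) -> bool:
    """True if the buffer starts with an MZ header whose e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def constructed_pe_header() -> bytes:
    """Minimal MZ+PE header built here for the example; not bytes from a real dump."""
    buf = bytearray(0x100)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)   # e_lfanew -> offset 0x80
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


if __name__ == "__main__":
    for pid, regions in sorted(regions_by_pid(REPORTED_DUMPS).items()):
        for start, end in sorted(regions):
            print(f"PID {pid}: 0x{start:08X}-0x{end:08X} ({(end - start) // 1024} KB)")
    print("all dumps start at 0x400000:", at_default_image_base(REPORTED_DUMPS))
    print("constructed header parses as PE:", looks_like_pe(constructed_pe_header()))
```

  On a downloaded dump, feed the first few hundred bytes of the file to looks_like_pe(); a region at 0x400000 that carries an MZ/PE header is the candidate unpacked payload for that process and is worth comparing against the 743KB dropper by hash, compiler and size rather than assuming it is the same image.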